A Q&A with Cisco’s CISO about Addressing Enterprise-wide Security

Steve Martino, the CISO for Cisco, talks about the need for alignment between business and security goals.


CISOs’ roles have significantly expanded. They’re now tasked with securing complex IT infrastructures that expand the attack surface, assessing and mitigating risks, addressing the business’ and board’s concerns about security — as well as managing people, processes, and technologies on limited budgets.

And in light of the recent coronavirus pandemic, all these challenges are further heightened. There has been a 26% increase in cyberattacks, with CISOs expecting COVID-19 to affect their risk-based decisions for years to come, according to a recent survey conducted by CSO.

To get a bird’s eye view into some of these issues, we chatted with Steve Martino, CISO of Cisco.

Q: In addition to having the right security technologies in place, what is your advice in terms of protecting the remote workforce today?

Martino: We need to help individuals own, protect and secure IT. For example, at Cisco, every employee gets basic cybersecurity training and increasingly advanced training based on their roles. We also share educational materials on applying best practices at home. Having an informed workforce that is actively involved in keeping the physical and, especially now, the extended virtual workplace as safe as possible can reduce risks that may be due to human error.

Q: Outside of concerns around the pandemic, what are the most challenging aspects of the CISO role today?

Martino: It’s difficult to keep pace with the changes in business and technology innovation, and find ways of weaving a secure approach through both. Digital transformation efforts, cloud and mobile implementations, and DevOps adoption have all led to increasingly complex IT environments. These same trends have also expanded the attack surface.

Q: What lessons have you learned about ways to deal with these challenges?

Martino: What I’ve learned is the need to ensure that I am reinventing myself, the team, and generating new ideas — because as the world keeps changing, we need to reinvent to keep pace with it.

Another lesson is that relationships matter. Promoting collaboration and connections with people in your organization helps resolve conflict. It is especially important to build that strong sense of teamwork and encourage new ideas and perspectives.

Q: Speaking of communication and relationships, how can CISOs talk to their boards about securing the budget they need and protecting the enterprise, while also supporting business objectives without sounding like the ‘Department of No’?

Martino: It varies for every CISO and organization, but when I talk with the board, the discussion is centered around two things: 1) how are we trending in a small set of key metrics or indicators, which helps us to know if we’re improving and what we need to improve; and 2) what new business or technology risks we are dealing with and how we are balancing those risks against the business opportunities. What I try to communicate is how we are managing those risks in a quantifiable way.

Within the company, it’s important to speak to the leadership team frequently. My role is to translate and align risks to business priorities and help create solutions that securely and cost-effectively enable the business. This means clearly outlining the funding needed to achieve those goals. It also allows all parts of the organization to understand how we are aligned to the business priorities, and that enables us to manage those risks together as one team.

Discover how other CISOs are thinking about their security posture and the issues they’re facing. Download the Cisco 2020 CISO Benchmark Report: https://www.cisco.com/c/en/us/products/security/ciso-benchmark-report-2020.html


Copyright © 2020 IDG Communications, Inc.