


CSO Spotlight: Niall Browne, Domo

Aug 03, 2018 | 5 mins
Careers, IT Leadership

For Browne, the most important aspect of the CISO's job is understanding that the two most important people in information security are the customer and the hacker.


Browne has more than two decades of experience in managing global security, compliance and risk management programs for financial institutions, cloud providers and technology services companies. He pioneered the first Bring Your Own Key technology for the business management industry and has led numerous industry security, risk and vendor management committees composed of Fortune 50 companies. Prior to Domo, he served as Workday’s chief trust officer and CSO, where he created and managed its enterprise trust program. Browne has also spoken at numerous industry conferences on enterprise cloud. Here he discusses his beginnings as a webmaster and how that inspired him to become a CSO.

What was your first job? My first job was as the webmaster of a leading bank that was just beginning their transition to the internet. Apart from having the really interesting title of “webmaster,” it was also a great opportunity to learn about web services, as they were just evolving in the industry.

How did you get involved in cybersecurity? In my first job as webmaster, I learned very quickly that there are a lot of people that will spend a lot of time and resources to try to break into your systems.

Tell us about your career path. I started out as a security architect helping build secure networks and systems. After this, I grew my skill-set by branching into information security, risk, privacy, fraud and compliance. I have spent the last thirteen years as the CSO of major cloud companies/providers.

Was there anyone who has inspired or mentored you in your career? Inspiration comes from team members and peers who are intellectually curious and are always challenging themselves.

What do you feel is the most important aspect of your job? Understanding the two most important people in information security: your customer and the hacker.

What metrics or KPIs do you use to measure security effectiveness? The most important metric that every CSO should know is their level of residual risk. Residual risk is the level of remaining risk in your business after implementing key security controls. It can change daily and it is difficult to build a risk program to help quantify it, but it is critical to know as it provides a barometer of your risk as your business changes.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Virtually every area of security is struggling from a people shortage, and effective CSOs have realized that this will not be solved anytime soon. Instead security teams are having to focus more on embedding security into their teams and increasing the level of automation. This agile security model is particularly important in SDLC, as software may be deployed every day and it is only through automated security processes, and not people, that security can keep up with this level of change.

Cybersecurity is constantly changing – how do you keep learning? By being connected with industry groups and peers as well as talking to customers on an ongoing basis.

What is the best current trend in cybersecurity? The worst? The focus on continuous monitoring rather than a point-in-time security assessment is definitely the best. The worst is people assuming that blockchain will solve all security problems.

What’s the best career advice you ever received? Understand the business, then apply security. Trying to secure a business when you don’t fully understand it is a recipe for disaster.

What advice would you give to aspiring security leaders? Ensure that every security control you consider adding is evaluated against these three criteria: 1) does it really make the business more secure; 2) will it continue to allow the business to be agile; and 3) will this control scale with future business growth. Otherwise, you will be quickly left with a set of ineffectual security controls that hinder the business. 

What has been your greatest career achievement? The challenge of embedding agile security into a model where the code was deployed every hour.

Looking back with 20:20 hindsight, what would you have done differently? Understood the power of agile security earlier.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact