Cybersecurity challenges companies, countries, and individuals to continually improve protections against an enemy that wants our secrets, money, and identity. Over the last few decades, the industry has moved from an exploratory infancy to an integral and vital corporate function.
I had the opportunity earlier this month to discuss the evolution of cybersecurity with Dr. Alissa Johnson, CISO at Xerox. Her perspective on this journey was interesting to me because Alissa Johnson, also known as “Dr. J”, has served in both the public and private sectors. She has been involved in the protection of the nation and now the protection of Xerox. Xerox, for its part, has been an instrumental force in technological innovation from the early days of computers until today.
It was important that we both talk about the same thing, so we first had to define what cybersecurity means. Johnson views cybersecurity as the protection of our digital infrastructure, consisting of the data and critical assets that form the foundation of our businesses, brands, and personal lives. It is a broad discipline, but one that is data-driven. This makes it complicated because data no longer has any boundaries and yet, its utility is so great that it is counted by many as a basic necessity.
Now, with a definition firmly established, we discussed how cybersecurity has progressed and matured over the years.
Events that shaped the journey
Our cybersecurity journey has been shaped somewhat by significant events that went on to spur innovation and modernization in the industry. As Johnson and I talked, I wondered if there were any cybersecurity incidents that she felt were particularly effective in bringing about positive change in cybersecurity practices. Johnson was quick to cite the OPM, Target, and Yahoo data breaches. These breaches were devastating to companies and their customers, but they also increased organizational awareness of the criticality of cybersecurity. In a similar vein, the actions of hacktivist groups like Anonymous have also called attention to how our technology can be abused.
Boards have become more concerned with cybersecurity following breaches and hacktivism. The business impact is much better understood, and executives are being held accountable for cybersecurity incidents. With that accountability comes responsibility and authority. For example, Johnson has discussions with Xerox’s CEO regularly on the company’s risk level and how changes in risk are addressed.
The role of the CISO
I was interested in Johnson’s view of the role of the CISO since she is one herself. Johnson described how the CISO role is more important now than it would have been five or ten years ago. In fact, many companies did not even have a CISO five or ten years ago. I inquired about the value an executive security perspective such as a CISO or CSO brings to the C-suite. Johnson explained how this role enhances the business by protecting it. However, it does not do that by rejecting ideas on the grounds of security. When an idea is presented, the CISO says, “We can do that; here are the risks, and this is how we mitigate that risk to an acceptable level.”
Johnson went on to say that the successful CISO must be able to speak in business terms. Those sitting at the executive table are concerned with profit, loss, and company growth, so the CISO must acknowledge that by speaking in terms of business impact, such as organizational risk or product differentiation. The events that shaped this journey have made consumers more demanding of effective cybersecurity in the goods and services they purchase. In this way, the right security can help generate profits and growth, whereas the wrong security will result in a loss.
Cybersecurity is dependent upon the technology it protects, and some significant innovations have resulted in disruptive cybersecurity transformation. I wanted to peek under the hood at Xerox to better understand how this process is managed.
Any discussion of disruptive technologies must include the Internet of Things (IoT), and this was seen as both a challenge and an opportunity. However, I became intrigued when Johnson described how technology and cyber changes are managed at Xerox. Big corporations lack, by their nature, the agility of smaller companies, but they can bring an impressive set of resources to the innovation process. This process, including its potentially disruptive outcomes, has to be managed in such a way that it does not bring about resistance.
Much as a machine requires oil to reduce friction, Xerox’s culture of continuous improvement and the high bar executives have set for security have resulted in a shared expectation of change in cybersecurity. Johnson says what might be disruptive in other organizations is the norm at Xerox.
Xerox has made numerous innovations in-house, but Johnson described how that is not enough to support the kind of change Xerox’s culture has adapted to expect. Effective cybersecurity, Johnson explained, requires collaboration, and one way Xerox has embraced that is through partnerships with security companies to combine best-of-breed technologies into next-generation solutions.
In a free market society founded on competition, collaboration can seem like a foreign concept. However, collaboration is vital and integral to cybersecurity success. If we step back and look at the journey of cybersecurity, a pattern quickly emerges in the development of standard cybersecurity practices, and it is one of collaboration.
Just as the body requires a proper diet and exercise to be healthy, Johnson says cybersecurity requires best practices based on collaboration to be healthy.
In cybersecurity’s early days, less mature companies would benchmark themselves against companies taking the lead in the cybersecurity industry to identify process improvements, technological competencies, and efficiencies. Industry groups, in an effort to make the process simpler, defined sets of standards (baseline security requirements) and best practices (ideal security requirements). These standards and best practices were then disseminated to members and the public so that, rather than wasting effort reinventing the same processes, companies could continue to forge ahead, building on the successes of others.
Johnson sees this as a vital component for effective cybersecurity programs. She sees cybersecurity as a product of all technology disciplines. All of these disciplines share the basics, she says. Those basics must be well understood and practiced regularly. For example, in software development, there are basic things that must be done to have a secure program. Companies may compete on the services they offer, but each one that handles customer data will perform discrete operations that are common across the board. These basics must be refined and shared rather than hoarded. This collaboration, Johnson says, requires a level of trust, transparency, and information sharing between companies, their customers, and public entities.
As we came to the end of our interview, I asked Johnson what advice she would give to aspiring CISOs. Her advice is to assume that your company is not OK and to continually evaluate your security to identify gaps. Your company will be targeted no matter what. Take a look at what is working and then identify what you can work on next. Prioritization is key because you cannot work on everything at once: in one period you might look at the supply chain, and in the next, the risk dashboard. Keep at it and keep improving.