“Where they directly report is less of an issue than where they indirectly report. The CISO should always have the opportunity to and be encouraged to meet with the executive team and have their voice heard by the board.”
Tim Brown is the CISO at SolarWinds in the USA, responsible for overseeing internal IT security, product security, and security strategy. Tim led the remediation efforts after the December 2020 SUNBURST attack. Tim has over 25 years of experience and holds trusted advisor status, which has taken him from meetings with members of Congress and the Senate to the Situation Room in the White House. In addition, he is an inventor and holds 18 issued patents on security-related topics.
Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, has been talking with Tim Brown. In this interview, Samir discusses with Tim the visibility of a CISO and how it often boils down to how much a business values security. Among many questions, Samir asks how important it is for a CISO to have a seat on the board and whether it matters who a CISO reports to.
Many organizations have experienced cyberattacks on their software supply chains leading to the CISO being fired as someone must be held accountable. You’re still VP and CISO at SolarWinds, so that didn’t happen to you?
Correct. I have been with SolarWinds for six years and have led security pre and post the SUNBURST incident. When our CEO was asked why they did not fire me, he said if he needed to hire a CISO he would have hired me. The skills necessary to manage a global incident are very different from managing internal security. I happened to have global experience and was prepared to help in our response and recovery. If I did not have these skills, it may have been necessary to replace me.
Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?
The balance between technology and business is critical. There are always trade-offs on prioritization and managing risk. The CISO must evolve to be a Risk Executive; they need to understand business, regulations and the adapting threat landscape to help the company make appropriate decisions.
Common ways to assess the value of a senior executive to an organization’s business are to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?
The CISO organization should attempt to add value across the organization. They should support the business while protecting it. They should help drive business in a secure fashion while limiting risk.
The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?
It is important that the CISO’s voice is heard by the executive team and the board. Where they directly report is less of an issue than where they indirectly report. The CISO should always have the opportunity to and be encouraged to meet with the executive team and have their voice heard by the board.
What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?
Really two different questions. How to prepare for a potential cyber-attack? Put your plans in place, have appropriate documentation, test the approach, ensure everyone that is involved knows their role.
Maintaining an effective state of cyber resilience is dependent on the business and its risk appetite. Understanding the risk that the business faces will help define what is effective.
In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?
The security industry is constantly evolving with new threats and new solutions. We have shiny new toys and then we have basics that are boring and have been around for many years. It is very important to have a foundation of the basics (Identity, limiting attack aperture, Endpoint, Network, Data protection) and then utilize the new technologies to fill gaps and make us more efficient.
The nature of recent cyberthreats has tended to focus on business disruption and reputational damage. Is this what you have experienced and if so, how does this impact your organisation?
One of the reasons cyberthreats have tended to focus on ransomware with business disruption is because it is a simpler model for the threat actors to monetize. The world continues to see this model growing with larger targets for business disruption and larger monetary gains for the threat actors.
Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?
Think about diversity in the team. Not everyone needs to be a red team expert or a threat hunter. We need great organizers, great program managers, great trainers. There are many jobs in the security area that can be trained for or hired from different parts of an organization.
What do you look forward to most at this year’s Global Cyber Conference?
I’m looking forward to meeting people with a diverse background and regional challenges. Discussing innovative solutions and learning from others.