Tech Journal CXO Corner: The Evolution of Cybersecurity and the Role of the CISO

Q&A With Arun DeSouza, CISO and CPO, Nexteer Automotive

By Insight Editor / 25 Oct 2021 / Topics: Hybrid workforce, Featured

The large-scale migration to remote work redefined the threatscape for cybersecurity leaders everywhere. Now, more than a year later, many are still trying to identify and close potential security gaps, while staying one step ahead of cybercriminals. We wanted to know, what role does the Chief Information Security Officer (CISO) play in this constantly evolving, cat-and-mouse game of threat detection and prevention? We sat down with Arun DeSouza, CISO and CPO for Nexteer Automotive, to find out.

What’s your role today? How has it evolved and where do you see it going?

I’m the Chief Information Security and Privacy Officer (CISO & CPO). I pioneered an integrated global InfoSec and Privacy program, developed a long-range strategic roadmap linked to business objectives and built a strong team from the ground up. I’m responsible for the delivery of multiple services, including but not limited to:

  • Strategic planning
  • Identity and access management
  • Incident management
  • Privacy management
  • Risk management
  • Governance and standards
  • Security operations
  • Training and awareness

The CISO role has evolved significantly in this decade. Depending on the risk appetite and scale of digital transformation in organisations, the CISO role now spans some or all of the following personas:

  1. Technical
  2. Business aligned
  3. Risk focused
  4. Transformational

When I started my career as a CISO in 2003, I was spending most of my time in persona one above. Currently, my role spans personas two through four. The convergence of security, privacy and enterprise risk also offers potential for CISOs to become Chief Risk Officers (CROs) of organisations going forward.

Cybersecurity is top of mind for IT and security professionals today. Why is cybersecurity so challenging right now?

The winds of change are blowing through today’s workplaces. Macro trends such as Industry 4.0 and distributed work require companies to enact and accelerate digital transformation powered by the cloud. Technologies such as Artificial Intelligence (AI), blockchain, edge computing, the Internet of Things (IoT), autonomous vehicles, robotic process automation, etc., are helping to foster innovation and competitive advantage.

The security and privacy risk nexus of the IoT brings a unique set of challenges. Nation-state hacking and supply chain threats are also major factors in the evolution of cyber risk.

Cybersecurity Ventures projected there would be 3.5 million open positions by the end of 2021. Thus, companies are not able to staff up appropriately with the highly skilled resources needed to protect the enterprise. Ultimately, the exponential rise in security threats and the acute shortage of InfoSec resources makes these very challenging times in cybersecurity.

Some IT leaders have argued that IT spending is being wasted on cybersecurity that supports remote work. Yet, the workforce is demanding “anywhere work” flexibility. What are your thoughts on this?

Remote or distributed work is here to stay. There’s a paradigm shift underway due to:

  • Flexibility and work-life balance: Many employees enjoy this feature, especially if their daily commute is significant.
  • Talent acquisition: Companies can leverage distributed talent and hire the best people. In many instances, this allows both parties to make a win-win arrangement.
  • Executive buy-in: Companies like Twitter have embraced this trend and are enabling their employees to work remotely indefinitely.

As a CISO, I believe I should help enable the business. Given the above trends, it’s now par for the course. Further, the trifecta of identity, Zero Trust and software-defined perimeter powers seamless “anytime, anywhere, authorised” access to digital applications and services.

How do you think security will evolve in response to trends such as anywhere operations and edge computing?

I believe that adoption of Zero Trust will accelerate. Dynamic threat protection will be further propagated by security providers banding together in alliances and tightly integrating their platforms to strengthen Zero Trust. One such example is the Spectra alliance between Okta, Proofpoint, CrowdStrike and Netskope. Another example is the Zero Trust alliance between Zscaler, Cloudflare and SentinelOne. This trend benefits enterprises and providers. I expect that this trend will grow. InfoSec professionals will also band together to share best practices via organisations like the Cloud Security Alliance.

Nexteer Automotive received the 2021 CSO50 Award from IDG. The award recognises security initiatives that demonstrate “outstanding business value and thought leadership.” Your project was NEXTINTRUST. Can you tell us about it?

This is the second CSO50 award for Nexteer during my tenure — our first was for identity lifecycle management. Our 2020 award was for the thought leadership and deployment of an IoT security platform in our manufacturing plants. This platform enables:

  • Device visibility
  • Policy definition
  • Behaviour and risk analysis
  • Enforcement of policies and standards

As Nexteer embraces digital manufacturing to increase efficiency and optimise operating costs, there’s been an explosion of IoT devices on the plant floor. Further, more and more of our home devices are becoming internet connected. The exponential proliferation of IoT devices and immature security practices make them targets for attack.

Key CISO guiding principles for Nexteer’s IoT security deployment are as follows:

  1. Characterise – Identify and classify assets and stratify them by business value and risk.
  2. Demarcate – Implement network zones with a clear demarcation between IT and OT networks.
  3. Understand – Visualise and identify threats and vulnerabilities across networks inclusive of devices, traffic, etc.
  4. Unify – Control access by users and devices across both secure wireless and wired access.
  5. Adapt – Leverage Zero Trust to enact adaptive control schemes in real time.
  6. Converge – Develop explicit third-party access and risk management protocols, including Privileged Remote Access. These are particularly relevant to OT networks to strengthen the security architecture.
  7. Beware – The following root causes have led to IoT device security issues in the past:
    • Static credentials embedded in the device
    • Lack of encryption
    • No software updates
    • API security gaps

The IoT security platform enables visibility to all devices on the manufacturing network. It allows us to identify device posture in real time, detect embedded threats and drive proactive control strategies. This enables enterprise risk management and strengthens cybersecurity.
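The checks the principles above describe (characterise assets by business value, demarcate IT from OT, route third-party and IT access through a privileged remote access broker, and flag the listed root causes) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not Nexteer’s platform, NEXTINTRUST, or the interviewee’s code. The zone address ranges, the jump-host address, the device fields, the plaintext-protocol list, the criticality weights and the 365-day firmware-age threshold are all assumptions chosen for the demonstration, and the inventory and flow log are constructed sample data.

```python
"""Added example (not Nexteer's platform or its code): a small policy engine that
applies the Characterise, Demarcate, Converge and Beware principles to a
constructed plant inventory and flow log. Zone ranges, the jump-host address,
device fields and the firmware-age threshold are all assumptions for this demo.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed zone model: corporate IT, plant-floor OT, and a DMZ holding the
# privileged-remote-access broker through which any non-OT -> OT session must pass.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "OT": ip_network("10.20.0.0/16"),
    "DMZ": ip_network("10.30.0.0/24"),
}
JUMP_HOSTS = {"10.30.0.5"}                                   # assumed PRA broker
PLAINTEXT_PORTS = {23: "telnet", 80: "http", 502: "modbus"}  # unencrypted protocols
MAX_FIRMWARE_AGE_DAYS = 365                                  # assumed threshold
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
REPORT_DATE = date(2021, 10, 25)                             # fixed for reproducibility


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    criticality: str        # business value: "high" | "medium" | "low"
    default_creds: bool     # factory/static credentials still in place
    firmware_date: date     # build date of the running firmware
    updatable: bool         # vendor still ships software updates


def zone_of(ip):
    """Characterise: map an address to its network zone, or EXTERNAL."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def posture_findings(dev, today):
    """Beware: flag the root causes a device exhibits (static creds, no updates, stale firmware)."""
    findings = []
    if dev.default_creds:
        findings.append("static/default credentials")
    if not dev.updatable:
        findings.append("no vendor software updates")
    age = (today - dev.firmware_date).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware %d days old" % age)
    return findings


def flow_violations(flows):
    """Demarcate/Converge: check each (src, dst, dst_port) flow against zone policy."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "OT" and dz == "EXTERNAL":
            violations.append(("ot-egress-to-internet", src, dst, port))
        if dz == "OT" and sz != "OT" and src not in JUMP_HOSTS:
            violations.append(("ot-access-bypasses-jump-host", src, dst, port))
        if sz != dz and port in PLAINTEXT_PORTS:
            violations.append(("plaintext-%s-across-zones" % PLAINTEXT_PORTS[port], src, dst, port))
    return violations


def risk_report(devices, flows, today):
    """Stratify devices by criticality x posture findings and list policy violations."""
    per_device = {}
    for d in devices:
        findings = posture_findings(d, today)
        per_device[d.name] = {
            "zone": zone_of(d.ip),
            "findings": findings,
            "risk": CRITICALITY_WEIGHT[d.criticality] * len(findings),
        }
    return {"devices": per_device, "violations": flow_violations(flows)}


# Constructed sample inventory and flow log (not real plant data).
DEVICES = [
    Device("PLC-01", "10.20.1.10", "high", True, date(2019, 3, 1), False),
    Device("HMI-02", "10.20.1.11", "high", False, date(2020, 9, 15), True),
    Device("CAM-07", "10.20.2.40", "low", False, date(2021, 6, 1), True),
    Device("ENG-WS", "10.10.5.22", "medium", False, date(2021, 8, 1), True),
]
FLOWS = [
    ("10.20.1.10", "203.0.113.10", 443),   # PLC reaching the internet
    ("10.10.5.22", "10.20.1.11", 502),     # engineer's workstation straight to HMI
    ("10.30.0.5", "10.20.1.10", 22),       # jump host to PLC: the allowed path
    ("10.20.1.11", "10.20.1.10", 502),     # HMI to PLC inside OT: allowed
    ("10.10.5.22", "10.20.2.40", 80),      # workstation to camera over HTTP
]

if __name__ == "__main__":
    report = risk_report(DEVICES, FLOWS, REPORT_DATE)
    for name, info in sorted(report["devices"].items(), key=lambda kv: -kv[1]["risk"]):
        print(name, info["zone"], "risk=%d" % info["risk"], info["findings"])
    for v in report["violations"]:
        print("VIOLATION", *v)
```

Run as a script, the report ranks PLC-01 highest (a high-value device with static credentials, no vendor updates and firmware older than the threshold) and reports five policy violations: one OT device egressing to the internet, two IT-to-OT sessions that bypass the jump host, and two plaintext protocols crossing a zone boundary. The flow from the jump host into OT, and the Modbus traffic that stays inside OT, pass. In a real deployment the device records and flows would come from the IoT security platform’s discovery and traffic feeds rather than from inline constants.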

IT talent, particularly for cybersecurity, is in high demand and short supply. How is your team designed for success?

My first step was to build a detailed services and competency framework with the skills needed for each role as well as a strategic hiring plan. We periodically review and update this framework. It can also be used for career pathing and succession planning.

Further, I employ the following steps and strategies to manage and develop talent:

  • Define an appropriate mix of in-house and outsourced services.
  • Conduct cross training across service tiers.
  • Utilise managed services.
  • Leverage training and development and succession plans.
  • Negotiate cost savings to “self-fund” key roles.
  • Develop a “grassroots” talent pipeline (students and co-ops).
  • Identify talent early and strengthen the pipeline.
  • Build affiliations with industry groups and universities to identify interested talent.

I’m also pleased to say that my team is diverse, with 50% men and 50% women. This has also helped drive synergies and creativity.

What’s been the most profound executive decision you’ve made as a CISO?

Early in my CISO career, I was on the cusp of enacting a global network and security transformation. I worked hard to build a strong business case and payback to illustrate the value. However, times were tough. The board made cuts, so my budget was reduced, and I was still asked to lead and complete the transformation.

I embraced what I now call “the power of federation.” I reached out to all the key partners for help and found win-win strategies. I obtained significant discounts for professional services. For software, I consolidated contracts in the U.S., since our budget was euro-based, allowing us to benefit from the exchange rate. Ultimately, we finished the project under budget.

We saved significantly on operating costs, strengthened enterprise security, enhanced network quality of service and consolidated servers. The project inspired multiple case studies and resulted in a Network World All Star award.

Essentially, the most profound executive decision I made was to ask for help and not quit. I learned early on that building strategic, trusted partnerships and strong business relationships can be a great asset to all parties.

About the contributor:

Arun DeSouza

Chief Information Security & Privacy Officer at Nexteer Automotive

Arun DeSouza is currently Chief Information Security & Privacy Officer at Nexteer Automotive Corporation. He has extensive global IT and security leadership and organizational transformation experience, including as CISO and CIO. He is an expert in strategic planning, change management and risk management.