Mar. 13, 2023

Four CISOs Walk Into a Room: The Latest Kvetchings of Security Executives and What Vendors Can Do About It

By Andy Ellis, Operating Partner at YL Ventures

Andy Ellis (Operating Partner at YL Ventures) picks the brains of cybersecurity heavyweights Spencer Mott (CISO at Booking), Gary Hayslip (CISO at SoftBank) and Philip Martin (CSO at Coinbase) to discuss shifting technological needs in enterprise security.

Though cybersecurity continues to develop as a C-Suite priority, the market’s current downturn requires budget cuts and freezes. Security executives now face mounting threats with fewer resources than they would like. This requires them to be more strategic about the solutions they deploy to keep attacks at bay, with more consideration than before placed on the total cost of ownership of that technology, especially in the face of any loss of talent.

Cybersecurity startups feel these changes just as acutely. Though the aim of achieving category leadership remains the same, many have shifted their strategies from outpacing competition by growing quickly at any cost to spending extra focus on sustainably addressing enterprise security needs of the here and now. What better way to understand such needs than to listen to the challenges of the very decision-makers they are working so hard to support?

In my position to bridge communication between my CISO peers and early-stage cybersecurity entrepreneurs for YL Ventures, I had the distinct pleasure of unpacking the latest industry developments with Spencer Mott (CISO at Booking), Gary Hayslip (CISO at SoftBank) and Philip Martin (CSO at Coinbase). 

Secure IaC

Jumping straight into the trend du jour, Hayslip begins by discussing the challenges that come with cybersecurity’s growing importance in company-building and its development into a core business goal. This is well documented in the adoption of Shift Left, which enables CISOs to embed security into the very source code of their organizations and distribute the responsibility for maintaining security across company personnel. In agreement with Hayslip, Mott insists that we must think of cybersecurity as a “vital strand of a company’s DNA”. He adds that while distributed security models are hardly novel, executing such a strategy still carries enormous challenges without the support of the right tools. It is even more difficult when retrofitted onto already-developed products.

Given the complexity of the skills and mechanics involved in traditional cybersecurity, as well as budgetary constraints, a healthy number of CISOs and company employees remain dubious of the effort and spending involved. Martin, however, insists that today’s market downturn demands building security now more than ever. He considers it an investment, warning that security teams risk “burning more money” battling incoming problems instead of preventing them with a solid foundation of technology and strategy. Efficiency, Martin warns, is more important than ever in times like these. He stresses that such investments matter especially for data security today, specifically in the ability to share data safely and securely as needed to support overall business growth and innovation.

Data Protection

As enterprises grow more dynamic, the free movement of data, despite all of its risks, has become their lifeblood. “Data is the present and future of revenue streams,” explains Eldad Chai, CEO and Co-Founder of Satori Cyber, “the key is to drive data adoption and use”. This means that CISOs are now tasked with the tough mission of guarding expanding troves of fast-moving information, a task that becomes even more serious after acquiring another company that brings its own enormous datasets with it. The role of CISOs in keeping all of these assets safe makes them essential to business proceedings and more connected to enterprise goals than before.

It also makes CISOs more wary of the human error inherent in the widening flow of information than they have had to be in the past. However, even if employees’ final actions lead to wider risk, no one within our circle of discussion is ready to point fingers. “Humans really aren’t stupid users,” insists Gary, who believes that blame games only violate trust and run counter to a CISO’s mission to help company employees execute their tasks safely. Herein lies another pain point for CISOs: to demonstrate that they are trying to avoid hindrances to productivity as much as anyone else, and to find ways to meaningfully do that. Expounding on this, Chai explains how customer calls now focus on making it “really, really easy for everyone to do the right thing”.

Balancing Security with Productivity

According to Spencer, “doing the right thing” has left most CISOs and vendors focusing on the cloud, a natural progression of how most enterprises are chasing productivity and trying to outperform their competitors. Nonetheless, he still believes in the importance of providing support for all tool sets, including more traditional ones still in use. Roy Erlich, CEO and Co-Founder of Enso Security, agrees, but adds that the trend towards cloud dominance is ultimately for the best, given that it offers more standardization and “keeps the security bar higher”.

The bar cannot afford to be lowered in any case. Between risking customer trust and violating the various policies and regulations that apply to their field, CISOs have forces outside of their own organizations to heed. This is where they could use more help from good tooling, especially around material incident reporting, as they still lack the clear guidance and uniformity of implementation needed to assure full compliance. Alert fatigue certainly does not help, either. Vendors must take special note, believes Lior Levy, CEO and Co-Founder of Cycode, by offering more automated remediation services. For his part, Chai argues that a constant monitoring presence is also required, especially around data in use. Erlich is quick to point out that applications require the same level of scrutiny.

Hayslip believes that human eyes will always be needed to inject business context into the final execution of security responses. “I’ve got several platforms that save my team so much time. But the final decision of yes or no, the final decision of whether or not to make a change that could possibly impact a business service, must always come from those who will ultimately feel the impact most. Security teams and tools cannot be in the position of creating more risks in the process of trying to close them down.”

Navigating Cybersecurity in this “Recession”

First, we must align security programs and goals to business goals and strategies. This is especially pertinent in today’s economic downturn, when it is most important to ensure that cybersecurity efforts are focused on protecting the most critical assets and functions of the business. Security leaders and business leaders must work together to understand each other’s priorities and challenges for the most effective (and tailored) approach. Aligning cybersecurity programs to business goals and strategy is the best way to ensure that cybersecurity resources are used most effectively and with the best return on investment.

Next, this is the time to focus on sustainable security strategies and avoid the burnout that comes from chasing the latest problems. It is crucial to ensure that security teams don’t feel the brunt of the recession too harshly, especially where staff reductions may be involved and morale may already be low. Building out sustainable security strategies can help avoid overwhelming security teams with constant streams of new vulnerabilities and threats. These strategies will require tools that are straightforward and do more than simply generate “blinking red lights” for people to fix. Which brings us to our last point…

Finally, it is critical to introduce automation to streamline security. However, in order to keep up with the rest of the plan outlined above, human knowledge and oversight are still necessary to maximize its effectiveness. Though we know well how powerful a tool automation can be for streamlining cybersecurity, we are hardly at a place where we can rely on it alone. Yes, automation can carry out routine tasks and free security teams to focus on more complex issues. At the same time, the human knowledge and oversight gleaned from steps one and two are necessary for ensuring that security programs stay aligned with organizational goals and strategy. Human oversight is also still necessary for identifying the gaps and weaknesses that automation may miss.

In the coming weeks, YL Ventures will publish our latest edition of the CISO Circuit, a report based on data we collect from the 120+ CISOs in our network of cybersecurity decision makers. We’ll dive deep into how CISO budgets have been affected by the market and how they’re adjusting their approaches accordingly. Stay tuned!