Meet Ray Espinoza, Chief Information Security Officer at Cobalt. With over 20 years of technology experience and 14+ years in information security, Espinoza's collaborative leadership style has enabled him to build information security and risk management programs that support business objectives and build customer trust. 

In his role, Espinoza is responsible for driving strategic security and risk initiatives to fortify Cobalt’s security posture and optimize security services for customers. Prior to Cobalt, he  drove third-party cloud security across Amazon’s retail business. Additionally, he has held VP and CISO roles with Atmosera and Proofpoint, as well as security leadership positions at Workday, Cisco Systems, and eBay. 

Here, we talk to Espinoza about common cybersecurity hurdles leadership teams may encounter when restructuring. 

Security: What are the top cybersecurity tips to consider when your team is restructuring? 

Espinoza: Restructuring a team effectively is an important skill to master for any security leader, whether you’re growing or downsizing. Luckily, there are some best practices to keep top of mind so you’re not caught off guard when this happens to you. 

When your team is reduced, it’s important to use resources strategically. Find a way to get better and more efficient with the tasks you’re juggling. Is there anything you can outsource or automate? This will free up time spent on mundane tasks so you can put it toward tasks that will drive the company forward. Consider the same approach not only for headcount reductions, but also for drops in opex and capex. Invest continually in automation to maximize the efficiency of a small team. 

On the flip side of the coin, when your company is growing, focus on scaling up to meet the pace of the business. Align with the business strategy. Think about details like what the business is trying to accomplish, how much risk the business is willing to tolerate, and what your lag/lead time is to be able to make sure you can support that. Similar to the downsizing scenario, you can be strategic with hiring consultants, more tools, etc., without necessarily growing headcount. 

Another tip I recommend is to focus on making sure your training and secure development programs are built to scale. You often only start to think about automated solutions and more structure for continuous training when you have a ton of new people that have missed the 1.5 years of training you’ve been doing. You can get ahead of the curve by keeping this top of mind from the beginning. That way, no matter how fast your organization grows, your programs are ready to scale with it. 

Security: What are the common cybersecurity hurdles leadership teams may encounter when restructuring?

Espinoza: Change is inevitable in any fast-paced organization. Unfortunately though, with growth, downsizing, or any big organizational switch-up actually comes increased security risk, even despite seemingly careful preparation. During any periods of transition, there are opportunities for detection and response gaps. 

Many organizations invest in security monitoring and incident response programs. There can be a lot of overhead in managing these programs to keep them working effectively. 

In a high-growth situation, the team may not be able to keep up with the business, and gaps may appear that will take time and resources to cover. If a company is growing through an acquisition and the security organization is responsible for the acquired security posture, it will take time to onboard assets and people into the existing security programs. 

The same can be said for a downsizing event if it affects the security organization. There may be operational and compliance impacts if a team doesn’t maintain a requisite level of staffing to handle all of the responsibilities they have to meet to support the business, or ensure processes are run that are required by compliance frameworks.

Security: What are the biggest misconceptions when it comes to cybersecurity during company reorgs?

Espinoza: Many organizations view their cybersecurity capabilities and programs as non-strategic; something they need to have to do business but not necessary to include when charting the path for future company direction. Many times, a well-informed security organization can assist in business decisions that enable the company to plan for potential issues during a reorganization and put mitigating controls and improved visibility plans into place. 

Change is difficult. Some handle change better than others. I’ve seen companies fail to account for reactions that could have been foreseen and the impact of those reactions had a material impact. Cybersecurity can be a strategic advantage for executives and companies who recognize its value. It’s imperative we give security leaders a seat at the table to help navigate company changes for continued success.

Security: What are some examples of how to scale training and secure development programs during company reorgs?

Espinoza: Most organizations tend not to have enough cybersecurity resources, regardless of company size. With that, security teams can improve their reach and drive further buy-in to cybersecurity programs by investing in partnerships with teams all across the company. 

One way to do this is to build a Security Champions program. A Security Champions program enlists security-minded employees of all different disciplines from across a company for additional training and guidance, leveraging them to identify systemic security problems and finding ways to support one another to solve them. 

These Security Champions become advocates for cybersecurity within their teams and can identify better insertion points than what may be natively available to security teams to drive the business outcomes the cybersecurity programs are looking for. Training is just one aspect of fostering more secure development programming during company reorganizations, and it can be delivered effectively by Security Champions to their teams.