Security magazine sits down with Greg Notch, Chief Information Security Officer (CISO) at Expel, to discuss some of the biggest challenges CISOs/cybersecurity leaders face today.
Security: What is your background?
Notch: I’ve served as Expel’s CISO for almost a year now, and have been in the security and technology world for more than two decades. I’ve worked for a long list of tech companies, including Apple and Yahoo—but most recently, I spent 15 years with the National Hockey League (NHL) as its CISO and Senior Vice President IT & Security. During that time, I led the league’s information security program, as well as its technology strategy, digital transformation and cloud initiatives. It was very gratifying to help shape the future of a large organization like the NHL, but I’ve always enjoyed the unique atmosphere that comes with a tech startup environment.
Security: What are some of the biggest challenges CISOs and other cyber leaders face today?
Notch: It’s a broad question—the threat landscape is pretty vast, after all—but I'd boil it down to four primary challenges. First, in the current market, CISOs are often forced to stitch together a slew of different products and services, which is really two challenges in one: the data is spread out, and you need people to manage all of those tools. Second, threat detection and response isn’t a 9-to-5 job. You need a 24/7 response strategy, and this is also a people challenge. Third, security cannot be a roadblock, it has to be a business enabler that can help companies increase efficiency, streamline operations, and even improve their bottom line. This is easier said than done, when you are trying to implement necessary controls. Lastly, the threat landscape is continuously evolving at a rapid rate, with automation increasing the tempo for both attackers and defenders. None of this is as simple as it sounds, especially in the current macroeconomic environment where budgets are being carefully vetted.
Security: Why do CISOs face challenges in gluing together a plethora of products and services? How can they address this challenge?
Notch: To put it bluntly, there are a lot of threats that need to be addressed today. And as the threat landscape expands, new products and services arise to address those threats. That’s a good thing—but it also means that the average CISO is working with a lot of different solutions that don’t always play well together. This is a big reason we’re seeing the industry trend toward consolidation: most businesses don’t have the time, money, or expertise to figure out how to integrate a wide range of disparate solutions, and it’s difficult for them to find the talent to do so. It’s also why we’re seeing more businesses turn to managed detection and response (MDR) solutions. Security and business leaders are beginning to recognize that it’s often more economical (and more effective) to let outside experts do what they do best, giving their own employees space and time to focus on more pressing business or risk management tasks.
Security: Why do CISOs face challenges when building a 24/7 response strategy? How can they address this challenge?
Notch: Achieving 24/7 coverage isn’t easy. Staffing alone can be a real challenge for CISOs. Even with the right tech in place, you still need people to monitor those tools, people to provide investigative capabilities, and a team for full-blown incident response. That’s a wide range of different skill sets at a time when the security industry is navigating a 3.5 million person staffing shortage. Better training and recruitment strategies can help mitigate the problem to some degree, but it’s still going to be a challenge—especially for small businesses, which may not have the budget to pay a large number of employees in the first place.
Unfortunately, cyber criminals work around the clock, 365 days a year. An attack can happen at any time, which means coverage and speed of response are key. For a lot of businesses, this is an issue of scalability—even if they can get the right people in place, can they grow with the company? Often, they find that if they need continuous coverage, managed security is a good option for them.
Security: How can CISOs focus on framing security as a business enabler?
Notch: Not all CISOs are alike—some come from a technology background, and others from more of a business or risk background. That said, it’s often important for CISOs to be able to frame both problems and their solutions in terms of business impact when approaching board members or other executives. That’s not always easy, because a CISO’s job is often framed as being about prevention, and it can be difficult to quantify return on investment (ROI) for a breach that never happened. That said, it’s better than having that same conversation if a breach does occur. But CISOs need to be able to have business-level conversations about what happens both before and after a breach, and be able to present business tradeoffs and prioritize efforts to reduce risk.
One thing that tends to resonate at the c-level is an emphasis on ways security solutions can streamline operations. A solution might appear expensive, but if it frees up personnel to focus on more important business tasks, then that cost becomes more easily justifiable. Automating certain repetitive security or even operational tasks can also improve both the efficiency and accuracy of the operation, and prevent valuable security team members from becoming burnt out. At a time when analyst retention is a high priority, this is extremely important. It’s important to frame security as more than just checking a compliance box. The same solutions that can help prevent a breach can also make operations flow more smoothly across the board.
Security: How can CISOs strengthen transparency and communication?
Notch: Transparency and communication are important at all levels, but particularly where executives and the board are concerned. There’s a lot of jargon in the security industry, and it can be easy to get bogged down in acronyms or lost in the minutia of specific products and their advantages. It’s important to craft your messaging specifically for your audience in a way that helps them understand not just your end goals, but the way you operate and why. It’s good advice at any level—it might help a board member understand why a specific cybersecurity solution is necessary, but it also might help an entry-level employee understand why they need to change their password every 90 days or use multifactor authentication when accessing the server. Always consider your audience, and try to align your outcomes with something that is important to them. You want to convey not only what you want, but why you want it, how you plan to achieve it, the role they can play in helping, and most importantly what they’re going to get out of it.
