Bobby Ford, CSO at Hewlett Packard Enterprise and former CISO at Unilever, shared what he has learned from his career so far, and why he believes that listening is the key to keeping our data safe.

Listen to the full podcast here, or read on for Bobby’s top three takeaways.

Mature security programs happen at the intersection of business intelligence and threat intelligence

When building a security program at a new company, you have to recognize that every company is different. Every board is different, every CEO, every manager is different, and if you go in there with some preconceived idea of what they need based on your previous experiences, then you’re setting yourself up for failure. So the first thing you have to do is listen. And that is one of the things that I believe most professionals get wrong – they come into an organization and initially, do more talking than they do listening. 

So, what does a good listening plan look like?

At its core, a good listening plan follows three steps:

1. Identify the stakeholders
2. Plan questions to ask them
3. Let the conversation go where they want to take it (i.e. listen)

Once you’ve devised a plan and you’re engaging in these conversations, it is important to understand that what you’re really listening for is business intelligence.

1. How does this organization make its money?
2. What are the strategic imperatives for this organisation?
3. What are the geographies that they really want to be in?
4. What are the user behavior and user appetite like?

Once you have gathered that business intelligence, you layer threat intelligence on top. It’s that simple, and it is at this intersection where the best security programs are born.

The function of the CISO is to enable the organization to take risks

I believe that the function of the CISO is to enable the organization to take risks – they’re not meant to be the captain of the ‘no police’. If the organization didn’t take any risk, then they wouldn’t need anyone to manage these risks!

Now imagine you have hired me to provide security services. If you told me: ‘Hey, I wanna go to Tel Aviv’ and I said: ‘You can’t go there, it’s too dangerous’. So, you say: ‘What about Bagdad? Or Manchester?’. If my response each time is: ‘No, it’s too dangerous’, at some point you are going to say: ‘Bobby, that’s not why I hired you!’. 

‘I hired you because I want to take risk. I don’t need you telling me where I can’t go, I need you to gather threat intelligence so that when I identify the places I want to go, you can equip me with the controls I need in order to go there.’ 

That, for me, is the role of a CISO – to enable the organization to take risks while putting the right controls in place to reduce risk as much as possible.

Securing edge devices is now more important than ever, but it is no easy feat

I believe that it becomes more important to secure the edge when working from home. When people work in an office and they’re sitting at a desk with their colleages around, there are certain sites that they may not visit because of the additional scrutiny.

Now that people are working from home, they may feel more inclined or more comfortable visiting these sites, where the security is not as robust as we would like. What that means for me as a CISO is that I have to have controls in place that allow you to do that while keeping the work environment secure.  

So, I think that looking forward we are going to have to think differently about edge devices and how we can secure them. But this is no easy task, and we are going to have to get pretty creative.

For more from Bobby Ford and his take on cybersecurity today, listen to our Tessian Podcast episode, here.