Four C-level cybersecurity executives sat down at the recent FAIR Conference for a panel discussion on what they’ve learned about resilience during the pandemic. You’d think that making technology resilient would have been top of mind – in fact, the focus was mostly on making their people more resilient.
Moderator: Omar Khawaja, CISO, Highmark Health
Betty Elliott, CISO, Freddie Mac
Mary Elizabeth Faulkner, CISO, Thrivent Financial
Harold Marcenaro, Digital Risk Officer, BCP
Here are four insights from the session:
1. In a crisis, look to people ahead of technology resilience
“The technology was the easy part; it’s really developing appropriate processes as it relates to our people” that was the challenge, said Betty Elliott. Processes should build motivation and reduce friction, said Harold Marcenaro. “We learned the key is in reducing friction to change, with training, templates, codes inserted.” Maintaining motivation was critical in the face of the distractions and pressures of work from home, Mary Elizabeth Faulkner said.
2. Open new channels of communication
Mary Elizabeth and Omar both introduced new meeting formats to air staff concerns. “It took me changing my leadership style to be more vulnerable,” Omar said, as in “I know what’s on your mind and I don’t have a good answer for it but…we’re working on it.”
Clockwise from top left: Omar Khawaja, Mary Elizabeth Faulkner, Betty Elliott, Harold Marcenaro.
3. Take it one step at a time
“Being able to stretch without breaking” was imperative, said Omar. His motto: “Relentless incrementalism is our ultimate weapon.” He recommended that CISOs put their staffs through a resilience assessment (CISA offers one) so that they train to be “responding not reacting” to crises.
4. Focus on corporate strategy, not infosec resilience strategy
“The big thing COVID did was clarify what the priorities were,” Omar said, “get the employees to safety and deliver services to our customers safely. When you are so unified on the mission, the execution that comes is just phenomenal.” Harold added that his team was able to align with the corporate mission, “because we use FAIR to estimate loss exposure and that’s the value of the initiatives that we propose for risk management, and that gets prioritized with other business initiatives through the same OKR process.”