As part of a series of Q&A discussions with senior security leaders, we spoke to Pete Gibson, former Chief Information Officer at Friendly’s Restaurant, whose responsibilities included protecting its 130 outlets across the U.S.
Q – What are the biggest areas of security concern for CIOs in the next 6-12 months?
A – I don’t tend to take an approach to cybersecurity based on singular issues – I believe it’s more important and effective to take a holistic brand protection stance. This means covering the entire spectrum of challenges and opportunities, so everything from network architecture to user training is represented, because they are all vital components of an effective leadership strategy.
Q – Does cybersecurity get sufficient buy-in from the boardroom?
A – Not always, and that’s something that needs to change. For example, some boardrooms will only wake up to the importance of cybersecurity when they have been attacked, and many security leaders do an extremely effective job despite a lack of engagement from the top. And don’t forget, cybersecurity isn’t just about prevention – today’s CISOs must also be able to guide their organizations through a crisis because when a problem arrives, senior leadership is then very focused on addressing the business impact.
Q – How has the role of CISO changed since the onset of COVID-19?
A – In many ways, it’s been extremely challenging – CISOs and their teams often have to monitor huge IT estates with only a few people to cover it all. On the other side, adversaries are trying to find the one vulnerability that will give them the leverage they require, but that’s all it takes.
Personally, I have become a big advocate of zero trust and the positive impact it can have on both external and internal threats. As more organizations focus on this as a core part of their cybersecurity philosophy, we’re likely to see it improve the ability of CISOs to protect their networks, users and data.
Q – To what extent do the major, headline-making incidents such as SolarWinds, Kaseya, Colonial, the Biden Executive Order and new legislation have a practical impact on the way CISOs approach security strategy?
A – There are some useful and important developments coming out of government strategy and from our legislators in general, but they need to take advice from security leaders to make sure there is a good balance between effective protection and laws that are too onerous. For example, the CCPA represents an important set of rules for consumers, but some of the requirements can be very challenging for organizations to meet. Take the issue of former employees who are also consumers of products or services from the place they used to work – meeting a request to remove all their data from systems can be extremely difficult to achieve, despite their importance in law and for the rights of individual citizens.
Q – If money was no object, where should organizations, in general, be increasing their cybersecurity investments?
A – Invest in building a really solid and robust cybersecurity team that reports to the CIO. These teams should then focus on knowledge-based goals. For example, ransomware protection is not just about buying an appliance, it’s also about how the organization reacts once it has been breached and how it can defeat it. Ideally, each business should be able to push a button and restore, and by treating cybersecurity as a strategic play, businesses can make much more effective investments that can help them overcome today’s wide-ranging risks.