CISO of the Week, Gary Hayslip, Global CISO, Webroot
As Chief Information Security Officer (CISO) for Webroot, Gary Hayslip advises executive leadership on protecting critical information and oversees Webroot’s enterprise cybersecurity strategy. Gary is a proven cybersecurity professional, with a 20+ year record of establishing and leading enterprise information security programs. Gary’s previous information security roles include multiple CIO and CISO positions with the U.S. Navy (Active Duty), as a U.S. Federal Government employee, and with the City of San Diego. Gary has a Bachelor of Science in Information Systems Management, a Master’s degree in Business Administration, and extensive experience in Information Security, Enterprise Risk Management, and Data Privacy.
Why did the role of the CISO appeal to you?
I have always been intrigued by technology and computers and increasingly found myself dealing with security issues. As a network architect and later as a CIO, I was fascinated with how networks could be designed to protect an organization and the numerous tactics cybercriminals used to launch an attack. As I became more involved with security initiatives and then accepted additional duties dealing with audit, compliance, and data privacy, I decided I liked the security field and accepted my first CISO position. Over the years I have observed how my role has matured and become more aligned to the business community. I myself find this refreshing because I have always felt the purpose of cybersecurity was to serve the organization through the management of its risk portfolio by using technology, security controls and a mature security program.
How do you convey to the board the message that with regards to cybersecurity you can minimize the risk but you are never going to be 100% secure?
When addressing boards, you may think a CISO’s role should be to talk security, but I’ve found it’s really a discussion about business and risk. I believe the CISO must convey the company’s current state with regards to its risk exposure and then provide recommendations for improvement.
In providing recommendations, it’s important to explain that no business is ever 100% secure; there is always a chance for an incident. While the CISO needs to understand these risks, providing context and remediation recommendations, the business needs to own these risks.
It’s also the CISO’s role to educate the board that a mature, properly supported security program is a strategic asset that enables the organization to be resilient and manage its risks efficiently.
What advice do you have for security leaders?
Creating a cybersecurity culture, or influencing an existing cybersecurity culture, is not easy; it’s a continuous work in progress. To have the most success, you need to get involved with your peers in the organization, network with other business units outside of security, and participate in company events. Truly listening more than you talk and learning about others in the organization helps to build trust over time. To effectively do the job, the CISO needs to understand how the business works; employees need to see the CISO educating himself/herself on what the employees need to be successful, and on how the company’s security program can serve them.
It is with this level of visibility and trust that a CISO can start to implement organizational change and implement new initiatives like phishing training, cyber awareness training, and Office of the CISO blogs and articles. The biggest thing I have learned from creating cybersecurity awareness cultures for numerous diverse organizations is the security program must be viewed as a partner and employees must feel security is of value, not just a process that interferes with their work.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
I am fond of saying that as a CISO, you must continuously educate yourself on the technology changes within your field and the threats to them.
To gain context into what truly matters, the CISO must understand their organization, understand its business operations, and the channels it competes in. The CISO needs to understand who the critical partners for the business are, what technologies and data the business leverages to be competitive, and finally any compliance or regulatory requirements that must be met.
With this insight, a CISO can then focus on the issues that relate to their company, its partners, the technologies in use, and their security program. I like to have a core set of websites, blogs, news feeds etc. that pertain to my employer and then I have a second set that is more wide ranging and applies to the cybersecurity community and technology issues at large. I interact with each channel daily, whether I’m sharing an article on Twitter or commenting on a LinkedIn post. I find it crucial to know my space and the impact of issues to my company and our customers.
How can CISOs balance security and innovation?
To me, managing innovation starts with knowledge. To be effective, CISOs need to understand the services and technologies inside their own security stack and the internal services security teams provide daily to the company that help it be successful. Additionally, they need to have visibility of new company initiatives, as adding or changing anything within your organization’s program will have a ripple effect across the organization, and perhaps increase your security risk.
With this information, you can advise leadership on incorporating innovation without sacrificing security. Innovation is a fundamental part of cybersecurity and essential to grow a mature security and risk management program. It’s not something that CISOs should shy away from.
How can we address the perception of cybersecurity holding back the business?
CISOs collaborate to survive; no one can do cybersecurity effectively in a box. For the CISO and security team to not be viewed as the “No” team, they must be actively involved in the business. I believe a mature security program and its objectives should be completely transparent to all employees. Everyone should understand what the security team’s role is and know what security projects are active and their value to the company.
Having a transparent security team can be accomplished by lunches and visits to departmental quarterly meetings to give briefings about the security department, core services to the company and what projects the security team has in the queue. It’s also important to involve employees from various departments to be a part of projects to help people see the business value a security program brings to the company.
As a CISO I have learned that the old ways of keeping the program behind closed doors and just telling employees they have to do something just doesn’t work. This leads to shadow IT, where employees ignore security training, actually putting the organization at greater risk. Having a modern security program that is involved in business operations and actively working with employees provides a safer business environment for the company and enables cybersecurity to be viewed as a strategic asset.
I am fond of saying that a CISO’s job is to not say “no”, but to say “maybe”. The role of this position is continuously changing and lately has become more aligned to assist organizations with managing their risk and protecting their diverse assets. It’s this maturing of the CISO role that is rewarding; I am able to serve my company and mentor my teams. I don’t forget how blessed I am to be in this position and to have led some amazing security professionals in the teams I have managed over the years. It is through the support of Webroot and the hard work of my peers, employees and team members that we have a dynamic security program that provides internal services to both our departments and customers.