Cybersecurity Leaders – Stephen Davis, CISO at W.R. Grace & Co.
Stephen Davis serves as the CISO for W.R. Grace and Co., a global leader in specialty chemicals, catalysts and materials technologies with operations in 30 countries and 3,900 employees worldwide, where he is responsible for building and executing the global information security strategy to protect Grace’s brand reputation, information systems and assets.
He has more than 18 years of experience across all facets of information security, serving in leadership positions for financial services firms such as Morgan Stanley and Navy Federal Credit Union and demonstrating a proven track record of success managing global cybersecurity operations, IT security infrastructure, risk management and incident response programs.
Stephen is active in the information security industry, serving as an Advisory Board Member for the Cyber Security Programs at Ithaca College in New York. He holds the Certified Information Security Manager (CISM) certification from ISACA, the Certified Information Systems Security Professional (CISSP) certification from (ISC)², and a B.S. in Business from Fort Hays State University in Kansas.
Are there any common traits as to what makes a successful security program?
In order to build a successful security program, it’s essential for CISOs and security leaders to create a clear and compelling vision, communicate that vision with confidence, and persuasively sell that vision to the leadership team, employees and internal stakeholders. Without these common traits, it’s difficult to form the relationships, allocate the resources and build the buy-in necessary to overcome inertia, drive change and generate support for your security program.
At Grace, for example, security is a shared responsibility. We all must do our best each day to protect Grace’s intellectual property, financial stability and competitive strength from unnecessary risk. We believe that together, we’re more secure. But to get everyone on board with this vision, we needed to find a way to encourage each and every Grace employee to take security seriously, rally around a common cause and become active cybersecurity advocates.
So we developed a comprehensive security awareness training program and internal communications strategy to raise awareness, educate employees and invite them to become Grace Cyber Champions. Because our employees are our first line of defense, we are in the process of training our 4,000 employees around the world to practice strong security hygiene, remain vigilant against cyber attacks and report suspicious activity immediately.
How important is it to have the CEO thinking that security matters?
We are fortunate at Grace to have top-down support from our CEO and members of our Executive Leadership Team for all of our information security initiatives. Because our CEO is a true champion of Grace’s information security program, he consistently makes cybersecurity a topic of discussion in his all-hands meetings, supports our efforts to conduct ongoing security awareness training and reinforces the need for all employees to report phishing e-mails.
These actions result in the leadership team adopting the same message in their own communications, all-hands meetings and actions to drive employees to become Grace Cyber Champions as well. This leads to more adoption and less resistance across our global employee base as we roll out new programs, enforce new policies or deploy new technologies.
Without his buy-in and support it would be more challenging to communicate the importance of our policies and procedures to other members of our leadership team. Therefore, it’s important for CISOs to have a strong working relationship with their CEO, make trusted recommendations and promote proven information security solutions. Because when you’re working with the CEO, there are no second chances. You have to be correct.
How can CISOs better understand a business’ needs?
Before CISOs and security leaders can implement the right balance between people, process and technology, it’s important they understand the specific needs of the industry and business they are serving. This requires not just familiarity with core IT functions, but also developing a deep understanding of company-specific processes, workflows, policies and procedures.
Without taking the time to build strong relationships with other team leaders, executives and internal stakeholders, CISOs won’t have developed the soft skills that are necessary to complement their technical skills. This means more listening than talking, balancing competing objectives and respecting differences of opinion on how to achieve success for all parties.
This allows security professionals to understand each business area, build baselines, conduct risk assessments and identify security gaps between current and future states to strengthen the business security profile. In doing so, security can build support for its programs by helping stakeholders work both effectively and securely without creating undue business interruptions.
What unique security challenges does your industry face?
The manufacturing industry is a top target for cyber attackers. Fifty percent of manufacturers suffered a data breach in the last 12 months, according to Industry Week. The Ponemon Institute reported the average cost of a data breach was $8.19M USD. According to KnowBe4’s 2019 Phishing by Industry Benchmarking Report, it takes one year of security awareness training and simulated phishing testing on average for manufacturing companies with more than 1,000 employees to reduce their benchmark phish-prone rate to 2%, which is a primary point of exposure.
Manufacturers are also experiencing increased security challenges as plants, factories and assembly lines shift operational technologies (OT) from individual silos to being continuously connected to the Industrial Internet of Things (IIoT). The need to share real-time data for valves, pumps and temperature gauges from the factory floor with plant managers, engineers and technicians to make decisions has led to more OT systems being exposed to the Internet, without the same built-in protections found in traditional Information Technology (IT) systems.
Because the OT systems found in plants used to operate on closed networks, many employees think the risk is minimal, without realizing these systems are now open to the network, the cloud and external partners. For example, third-party vendors need remote access for their technicians to update critical infrastructure firmware, which results in more points of exposure, such as configuration errors, network vulnerabilities and cyber attacks. This requires more awareness, education and training to address these industry-specific risks, beyond more widespread information security threats, such as phishing emails, ransomware and malicious websites.
How can CISOs balance security and innovation?
CISOs and security leaders have to walk a fine line between balancing security and innovation. On one hand we need to reduce risk, while on the other hand maintain employee productivity. Historically, there has been tension between these two strategic objectives, with innovation seen as the gas pedal and security seen as the brake pedal. Without taking steps to ensure these often opposing forces work in parallel, organizations are less likely to adapt to changing customer demands, respond to industry competitors and accelerate digital transformation.
At Grace, our internal team of information security professionals is dedicated to managing threats, minimizing risk and sustaining business operations. Our mission is to develop, execute and implement the strategy, policy and procedures needed to protect the confidentiality, integrity and availability of Grace’s information systems and assets from existing, emerging and unknown threats. Our goal is to help stakeholders recognize potential security threats, report suspicious activity and refrain from behavior that could compromise our IP or brand reputation.
How has industry cooperation made an impact on cybersecurity?
Information sharing has made a big impact on the cybersecurity industry over the last several years. The ability to share best practices, threat intelligence and incident response recommendations with our peers in the information security industry allows us to accelerate the time it takes to identify, contain and remediate existing and emerging cyber attacks.
Our security operations center is able to improve its visibility into previously unknown threats and manage detection and response efforts in a much more systematic and orchestrated way. As these new threats emerge, information sharing platforms push real-time data and actionable intelligence to facilitate collaboration between public and private sector security professionals.
Information sharing has evolved over the years from face-to-face meetings, networking events and email distribution lists to now include LinkedIn groups, subscription services and dedicated technology platforms.
As time goes on, manufacturers have an opportunity to learn from other industries, such as financial services, healthcare and retail, to bring their security leaders together.