Cybersecurity Leaders – Jessica Nemmers, Chief Security Officer at Elevate Credit
Jessica Nemmers is the Chief Security Officer of Elevate Credit, headquartered in Ft. Worth, Texas.
As a CSO, Jessica focuses on building security programs that align with business objectives and compliance drivers to reduce the risk of business disruption, financial loss, or brand damage from a cyber-attack.
Prior to her role as CSO in the financial industry, Jessica built a comprehensive security program for a Fortune 500 manufacturing company, focused on the protection of critical systems on business and Operational Technology (OT) networks at more than 230 sites worldwide. With over 24 years in the IT industry, Jessica has led IT teams in the US, India, Romania, and Mexico and held both technical and non-technical positions, which has allowed her to leverage her unique ability to translate technical solutions to non-technical audiences.
Jessica has been recognized for her work as a trailblazer in the field of cyber security and continues to champion causes to address the cyber security talent shortage and to promote opportunities for women in cyber security careers.
What are the common traits that indicate a successful security program?
There are many factors that support a successful security program, and I believe the most important is that the program is the right fit for the company. For example, a security program at a manufacturing company should be designed to meet different regulatory requirements and controls than one at a financial organization.
Additional traits of a successful security program include executive and board-level support, program alignment to support the business goals, a partnership with the IT department, a defense-in-depth security program design, and a strong focus on building a culture of security awareness.
When speaking the language of business to their boards, are there certain phrases Leaders/CISOs should be using?
The threat to information/cyber security is a leading risk to almost every organization, regardless of the industry. When CISOs focus their board presentations on technical vulnerabilities and security technology, executives and board members may not understand the security risk to the company or assume that security is a technology risk that should be solved by the IT department.
My most successful presentations to boards have been about the security program as it relates to protecting a home. In my house example, I use analogies like Multi-Factor Authentication (MFA) being an extra lock on the front door and security awareness like a fire drill to prepare for the unexpected.
I have received feedback that by relating the components of my security program to common themes rather than relaying the information in technical terms, executives and the board feel they better understand how we define cyber risk and how we prioritize investment into the program.
What soft skills can help security executives collaborate more effectively?
Do they want to increase revenue by creating a better user experience with their product? Do they want to grow the business and expand into new markets? By understanding the business’ priorities and drivers, CISOs can respond with security solutions that enable the business to succeed in a secure manner.
Ransomware and phishing are among the highest risks that have threatened industries of all types around the world. From your perspective, how can companies better mitigate the risks to these threats?
In 2021, we will still be faced with massive ransomware attacks, and now cyber criminals are also stealing data, often leaving companies forced to pay the ransom. Phishing emails continue to be the most used entry point of ransomware.
Three proactive approaches, including email security solutions, a strong security awareness program, and continuous phish tests for a user population, can greatly reduce the risk of a successful ransomware attack.
If someone falls for a phishing email, the next important defense is strong endpoint security designed to immediately detect ransomware behavior and stop the spread of the malware through the environment.
Every company should assume it is not “if” but “when” they will be attacked, so it is also important to have a defined cyber incident response plan in place and a prepared team which has practiced the plan in tabletop or red team type exercises.
How can CISOs ensure that they know what new projects are on the road map and that security is considered before the project is well underway?
It is a challenge to ensure that new projects, technology implementations, and/or applications have been vetted by the security organization. A CISO’s ability to align with the business and create “Secure by Design” models helps ensure that initial conversations about security are happening during project planning and design and not introduced during the build or deployment phases of a project. Also, building security reviews into the project plan from the beginning and assigning team members to champion security practices helps a security organization to ensure that security is built into each phase of the project and evaluated prior to the go-live date.
Could you offer any advice on how CISOs/Security Leaders and CIOs can work together effectively?
I think one of the biggest surprises for new CISOs is the realization that their security teams do not actually “do” security work in most organizations. IT teams are often the ones who maintain the infrastructure that supports security solutions, patch machines to manage vulnerabilities, or remediate devices that have been compromised. If the CISO approaches the CIO with the understanding that the security program’s requirements often impact IT staff’s time and budget, the CISO and CIO have an opportunity to work together across the security and IT teams.
The CISO role has grown from a technology-focused role to a trusted advisor and strategic business leader. The traditional corporate network protected by a firewall has evolved into internet facing systems, cloud computing, and rapid deployment of IoT devices that present risks to systems, data, and a company’s reputation. Ensuring a business and its data are protected against cyber related risks requires strong leadership and collaboration between the CISO and business leaders.
CISOs now have a seat in the boardroom and must foster executive engagement through effectively communicating cyber related risk, building security awareness, and aligning with business goals. Technology remains a critical part of a defense in depth security strategy, but a successful security program will also promote a culture of security and an opportunity for cyber risk to be recognized and shared across the organization.