Chief Information Security Officers should be thinking evergreen processes, not whack-a-mole, says Heather Gantt-Evans, CISO at financial services software provider Marqeta. 

“The biggest challenge for the CISO role is a willingness to define a strategy, define priorities and not let your team get distracted by every little thing that pops up,” Gantt-Evans said. “You can tactically play whack-a-mole, or you can strategically create an evergreen process, system, framework to be able to not be in that place again.

“It’s a balance of making sure that you know if a really bad mole pops up, that you tactically address that promptly. But since you can’t do that for every little thing, you have to be able to stick to a strategy, articulate and align to your priorities, because implementing robust programs and controls takes time, and so you have to be committed and grounded in that journey.”

Gantt-Evans served in the U.S. Army Reserves as an all-source threat intelligence analyst, and supported Air Force Cyber Command as a contractor, focusing on cyber threat intelligence and integration of intelligence into security operations. On the corporate side, she consulted with Ernst & Young to develop Fortune 100 cybersecurity programs across multiple industries; was the CISO at identity security software provider SailPoint; and served in a deputy CISO capacity at the Home Depot. 

Gantt-Evans’ work with the military has led her to take a very threat-centric approach to how she seeks to communicate, understand and manage risk. In the military and at E&Y, “I also got used to the concept of operating like a SWAT team,” she said. 

“You’re read into new projects and new environments without a lot of context beforehand, and you have to manage through that ambiguity,” she said. “The adaptability to manage through ambiguity gives you a more grounded risk tolerance. You’re never going to know all of the facts, so being comfortable managing through that is key.”

In the course of her career, Gantt-Evans has gradually gone to smaller and smaller organizations, concluding that “I really value being able to reach people and put my arms around the environment.” 

“The ability to feel that sense of completion when you’ve rolled out a security control is very important to me and my integrity,” she said. “Sometimes when you’re in these super large organizations, it’s simply not possible to achieve that. And so that’s something I’ve sought out in my current role, the ability to ensure that I can put my arms fully around the people and the infrastructure.” 

One thing that’s top of her mind is exploring whether there are smarter ways to define operating models. 

“We have to rethink how we operate so we can present ourselves as a singular voice to the rest of the company on what needs to be remediated,” she said. “Five or six years ago we were not talking about the same capabilities that we need in place. For example, now there are API security tools, there are attack surface management tools.

“And it’s not as clean of an operating model as it used to be, where maybe you had an endpoint team focused solely on endpoint agents, and a security operations team focused just on monitoring threats. Now we’re finding ourselves needing to have a lot more cohesion across services, a lot more cross training and redundancy in people. Teams’ mandates can overlap, so we can’t continue to operate in those silos that we used to have that were very clean cut.” 

Gantt-Evans envisions the CISO role possibly evolving to focus on all digital risk, which is more broad and nuanced than just information security, and could include things such as disaster recovery, she said. She also sees the role possibly evolving into more of a resiliency role, or a customer trust role. 

“I hope to see a future where there’s a lot more discussion about succession planning for your CISO, and how to elevate effective CISOs into some of those other broader branches within the organization,” she said. 

Gantt-Evans said it can feel like Groundhog Day when asked to identify trends in cybersecurity, “because the trend is that it’s always accelerating in terms of the technology and the tactics the adversaries are taking.” This last includes adversarial integration of AI to help more automatically discover and exploit vulnerabilities, and to make more compelling social engineering content.

She’s noticed that CISOs aren’t job-hopping as much as they used to, and welcomes that mutual commitment of security leaders and companies, given that cybersecurity transformations take six-plus years to do effectively, she said. 

“SolarWinds led the way by sticking behind their CISO during that event. I think it proved to the world that you don’t have to scapegoat your CISO to make it through a cataclysmic cyber event,” she said. 

“Second, CISOs have been around a little bit longer, and there’s greater understanding of what they do. Thirdly, some of the policy directives coming out of the SEC and other bodies really emphasize the importance of a strong security team and strong security talent at the board level. All of these things have culminated in less fear on the CISO’s part of needing to get out before something happens, and more commitment and understanding of cybersecurity risk and how to address it.”

Companies might need different types of CISOs at different stages in their lifecycles, she said. A company that needs to push the engineering and development organizations to make change might need a CISO with a strong engineering and development background. Sometimes companies need a CISO who is more adept at speaking at the board and executive levels to inform and educate and reassure, she said.

“It very much depends on the stage the company is at with regards to security culture and awareness, and the company culture itself,” she said.

When CISOs are doing the hiring, Gantt-Evans thinks they need to be “a lot more creative in the non-traditional backgrounds that map really well to some security roles.”

“For example, I’ve had great success hiring teachers into security training and awareness leadership roles,” she said. “I’ve had great success hiring healthcare lab data scientists into vulnerability management roles. So I believe thinking through the competencies and what non-traditional backgrounds might exhibit those really strongly is a great way to add increased diversity in your team. And lastly, I would highlight that you can do so much with people who are passionate. Some of the best people I’ve worked with were self taught.” 

How she decompresses from her high-pressure job changes with the seasons of life, Gantt-Evans said.

“Right now, I’m enjoying being very bored outside of work. I’ve been doing things to focus on slowing my nervous system down – red light therapy, meditation, enjoying stillness, watching my kids play,” she said. 

“But when I’m feeling in a more outgoing season of life, I really enjoy purchasing tickets to be entertained. I feel like in our virtual world, we do so much performing by nature of being on screen. And so I really enjoy going and having a comedian or a musician or a ballet troupe or a theater troupe perform. I find that so relaxing to be able to take a step back, go into somebody else’s artistic world and not have to perform.”