After a Year in the Bunker, CISOs Reflect on Lessons Learned
Security execs from around the world share their experiences keeping their organizations secure during a pandemic
The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.
After more than a year keeping their organizations secure during a global pandemic, what’s it like to be a CISO trying to focus on the job while family, friends and colleagues are getting sick and dying around them?
“As security professionals, we are used to dealing with crises and so maybe that's why we do good at it,” said Florence Mottay, Senior Vice President Information Security and Global CISO for the Dutch grocery retail company, Ahold Delhaize. “We're expected to be calm. We're expected to be the strong ones. But the COVID-19 crisis was very different in that it also affected all of us personally.”
Mottay, one of several senior security execs at the RSA Conference 2021 who shared their experiences via video hookup with former Symantec Chief Technology Officer Hugh Thompson, said her department initially functioned as if nothing odd was happening even as the pandemic rampaged throughout Europe.
“Very quickly I realized that everyone on the team was trying to put on a brave face and act as if they had everything under control,” she recalled. “I think I was doing it too. But the fact is that we were all struggling in our own way.”
Meanwhile, pandemic or no pandemic, the company was still growing and adding headcount. Ahold Delhaize ended up hiring 45,000 people in 2020. Other than the usual onboarding process, everything else was done remotely.
“I couldn't even imagine – not just having to deal with the physical security implications and the new protocols and the things that have to happen in the stores. But also suddenly everybody's working remotely. The kind of stress this puts on the IT team when you've got a global security organization that's now being asked to secure this massive ecosystem. How do you manage the team through something like that?”
It was “challenging,” Mottay said, offering what might prove to be one of the biggest understatements of the entire conference.
“I held a town hall just under two weeks after lock down with my entire team. And I shared that for me, it had been hard combining work and helping my daughters with distance learning and that I was worried about my family, about my grandmother.”
She then introduced a concept to her team that she dubbed “the vitamin shots.” Every morning, each team leader would hold a 30-minute meeting so people could talk about what they were feeling – their struggles, their fears, where they needed help; it was an exercise designed to get people to share and unburden themselves as much as possible.
“I really encouraged the entire team to share as much as they felt comfortable with, of course, but just to share with others and just develop that system where they could trust each other. That's really helped. It worked out really well.”
Not for the Faint of Heart
During normal times, Marene Allison held down a big job as Johnson & Johnson’s CISO. The pandemic made it that much bigger.
As J&J embarked on an accelerated project to develop a COVID-19 vaccine, the company became an even bigger-than-usual target for cyber gangs that specialized in attacking the healthcare industry.
“COVID made us a target,” Allison said, adding that it forced her team “to do our very, very best work” to maintain resilience in the face of the stepped-up volume of threats.
“I thought about the magnitude of what was before us, before my organization, before my information security, risk management group. When you know something is big, but you really don't know how big it is and being able to use almost everything I've learned...to be able to take an arrow out of the quiver and be able to say, ‘I got this. We got this.’ And it wasn't just the information security organization. It was the whole risk management at J&J.”
She expressed great satisfaction with the job her team turned in over the last year, but after a year like the past one, Allison left Thompson with one final thought – “being a CSO is not for the faint of heart.”
Year of Survival
Like the other executives responsible for security when COVID struck, Reem Al-Shammari was forced to navigate a dramatically changed work world for her and her employer, the Kuwait Oil Company.
“2020 was a year of survival,” she said. “It was about trying to grasp what has changed and a very unprecedented and accelerated digital transformation. And the business was in shock. We were the guardians that were being tested in real time.”
But after being battle tested by a once-in-a-century health crisis, Al-Shammari said her team responded by growing stronger as it drew together in the face of a shared challenge.
If 2020 was a year of survival, Al-Shammari predicted 2021 would be a year of resilience where the focus on excellence and agility would pay dividends.
“As we have evolved, as we have learned through this year, we became closer to each other,” she said. “We wanted to strengthen the first line of defense as cyber security defenders, and that was by enriching the people.”
Al-Shammari said she also recognized that cyber security was a culture that needed to be reflected everywhere, particularly as the Kuwait Oil Company underwent its own digital transformation.
“I saw how crucial it is to embed these cyber security culture controls and measures effectively and efficiently,” she said. “It's not about an audit. It's not about compliance. It's about weaving cyber security into this technology and making your digital transformation journey very secure. And this is what we have done...building that partnership between cyber security and the business as we started to strengthen that trust relationship between each other.”
“It's never about, ‘will we be attacked?’ It's just about when? So knowing that fact and being aware that we need to get cyber security involved and weaved into this transformation, this is where our success factors in.”