Cybersecurity Awareness Month - Why Cybersecurity Should Not Be an Afterthought

As we wrap up Cybersecurity Awareness Month, ISMA collaborated with ISMA member Danny McPherson, Executive Vice President and Chief Security Officer of Verisign, and Hema Lakshminarayanan, Senior Director of Verisign, to discuss the evolving world of cybersecurity and why it should not be an afterthought. Danny and Hema have kindly taken the time to give their responses to the burning questions being asked in the cyber industry today.

Why do you believe cybersecurity should be a priority in workplaces by building it into products and processes? Why should it not be an afterthought?

Cybersecurity is evolving. It’s no longer about just protecting the company from security risks; it’s becoming a new source of competitive advantage. Customers synonymize security with quality and value; hence it’s crucial to build security upfront into products and services, in order to gain and retain customer confidence. Security as an ‘afterthought’ can be expensive and even impact the bottom line and can introduce unnecessary complexity, performance degradation, or fragility [in a company’s systems or network]. It’s also simply inexcusable to overlook cybersecurity vulnerabilities in today’s environment of sophisticated cyber events, such as social engineering, ransomware, and DDoS attacks.

Why do you feel physical/corporate and cybersecurity leaders should collaborate to achieve overall security success in their workplace? Do you have any “top tips” for how this can be done effectively?

Today’s physical and cyber-attack surfaces overlap considerably. Cyber incidents can lead to physical security and life safety issues, while physical security breaches are often a precursor to an eventual cyber breach. So physical and cybersecurity leaders must consider each other’s perspectives and speak each other’s language. Some corporate security programs, such as Insider Threat mitigation, encompass both cyber and physical security aspects, making it important for these functions to be closely aligned.

Top tips: break down silos within organizational structures; a converged or holistic security strategy combining both physical and cyber security will lead to natural synergies. Even if there is no direct chain-of-command reporting, security awareness programs, ambassadors, and internal councils can help to educate, identify, and mitigate risks across the enterprise.

What do you believe is the future of cybersecurity?

As technology evolves, so do the adversaries and their techniques; teams should focus on creating layered defenses and self-healing systems to minimize disruptions – especially in the critical infrastructure services and applications spaces. Understanding supply chain risks and systemic dependencies, both of which are increasing at alarming rates, is paramount.

As Internet of Things (IoT) devices continue to proliferate, and everything is ‘connected’, legacy systems and capabilities will not be sufficient to prevent and respond to evolving security threats. Automated defense systems that secure by default, and that can monitor, detect, respond and prevent cyberattacks in real time, will be ‘table stakes’ in the future.

What is something you think cybersecurity leaders may not always consider but should?

The portfolios of security departments have significantly expanded in the last five years. They now share the responsibility of corporate governance and data privacy with other functions, and play a pivotal role in meeting regulatory requirements, managing reputation, ensuring business continuity, and contributing to corporate social responsibility. With these new responsibilities, cybersecurity leaders are in fact business leaders, developing and delivering cyber resilience capabilities where cyber should be at or near the top of nearly every organization’s enterprise risk inventory.

Describe the cybersecurity workforce of tomorrow

The cybersecurity field is rapidly growing, and cyberattack techniques are evolving by the minute, with new adversaries emerging across the globe. A successful cybersecurity approach, to proactively address those attacks, requires the best and most creative talent available.

To attract and retain the best talent in any field, it’s important for organizations to seek to increase the diversity of their workforce, and the same is true for the field of cybersecurity. So, the cybersecurity workforce of tomorrow looks more diverse, and more inclusive, in every way – across gender, nationality, ethnicity, and orientation.

Cybersecurity has evolved beyond hardware and software: it requires human connection, awareness, and interaction across the enterprise. It is those organizations with a robust focus on DEI (Diversity, Equity, and Inclusion) and Women in Cyber / Women in STEM programs that will be able to recruit and retain the most diverse, competent, and prepared workforce.

ISMA is so grateful for the collaboration opportunities with our members and is proud to have such a valuable knowledge-sharing platform to provide to the industry.

“Cybersecurity Awareness Month is a great opportunity to dedicate a little extra time and resources to what should be year-round security awareness and education programs. It’s also a great opportunity to remind your folks that good security hygiene depends on everyone. You can’t simply buy your way out of a problem after a cyber event occurs. Awareness and education of all the stakeholders in your ecosystem is critical to mitigate cyber risks.”
Danny McPherson, Executive Vice President and Chief Security Officer, Verisign
