Rinki Sethi, Vice President and CISO at Twitter, will discuss Transforming Security Culture in a Fireside Chat on Wednesday, November 11, starting at 17:40 at the Cybersecurity Leadership Summit 2021.
To give you a sneak preview of what to expect, we asked Rinki some questions about her upcoming presentation.
The role of the CISO has transformed, right? When I started my career, the word CISO didn't really exist outside of banking. I started my career in a utility company. There was no CISO there. In fact, one of the companies I went to work for in tech very early in my career had hired the first non-bank CISO. And I remember when I started, the CISO role was just starting to come to bear, and folks were just starting to learn what a CISO did. And now it's every company; it's almost a mandate that you have to have a security leader in place. And the security leader has taken various forms. Depending on the company you go to, the CISO is not like a CFO or a Chief Legal Officer, with a very defined structure in how those functions usually perform, how they report, how they are organized. The CISO is still kind of varying, and it's still being defined from company to company. In some companies it's a very business risk compliance function; in others, it's more of a technical function that's developing architectures for different products; in others, it's just a compliance function. It just depends, but the amazing part is that the CISO role is at almost every company that you look at now, and even start-ups are thinking very early about bringing a CISO in.
And, now more than ever, I think you're starting to see the development of risk committees in addition to audit committees and board meetings at companies. CISOs are not just presenting to the board. They might be presenting to the audit committee, to the risk committee, and you now see more CISOs serving on boards as well. The value of a Chief Information Security Officer has just grown tremendously. And I think in the future we'll see, hopefully, more and more non-tech boards have CISOs on them, and the CISO having a very powerful role in a company, helping enable the business strategy, which is already starting to happen. But I think we're going to see just a complete elevation of this role.
I think the toughest part around security culture is that it's all about how you win the hearts and minds, right? You can develop security standards all day. You can build tools all day. But who cares if nobody cares? If there's a way to bypass it and folks don't really take to heart why this is important, then you're really losing the essence of security. And winning the hearts and minds, I think, is a very, very, very hard job. You have to understand how a person works. That person might be in the development org., they might be in the engineering org., or they might be in the legal org. or the marketing org., and you have to think about what they care about and how they work, and then really bring the right data to them to say, this is why this is important. And you have to figure out, in the context of your company, how you build that culture.
And it varies from company to company. I remember at a very engineering-heavy culture that I worked in, we had to bring proof of how we could attack the app that they had built to make them really believe that they had to understand security in a more meaningful way. And when they saw their own app, that they had developed, being attacked like that, I think that's what won their hearts and minds, to say “Oh, wow, okay. Now I really do understand why this is important.” And bringing data to the discussion, I think, always helps in transforming security culture. And that data varies depending on what team it is that you're trying to influence. I would say one thing I also learned is that information security has been something that organically grows in a company: you see where it starts really small, as a grassroots effort, and then it starts kind of growing.
Although that can be effective, it's a lot slower than having top-down championship. And what I mean by that is having your executive team, at the highest levels, championing security: winning their hearts and minds first and making them your biggest champions and allies in driving the security culture. If you have that at the top, I think it makes it a lot easier, and you can then run security a lot faster. Companies who do that well, I think, see their business run faster because security becomes an enabler. And you don't see as many incidents and don't have to go and firefight later on.
Yeah. I'm looking forward to doing the fireside chat. And I think some of the things that I hope to share are the things we talked about today, at a deeper level, but I think there's a lot more to it, right? When you're transforming a security culture, it also matters how you've built your information security team and who you've brought on board - that their mindset itself is in a good place as well. And I think, in this past year, we've gone through a lot. Past year and a half. Gosh, it will almost be two years with COVID, right. We've gone through a lot.
You know, not only because of the pandemic, but there have been a lot of world events and things that affect mental health and so forth, which makes people prone to more mistakes. I think I'll share some of my personal stories on what I went through during that time, and how coming to a company in a hundred percent remote environment, having to build trust in a remote environment like that, and then having to build security culture was extremely challenging. But here I am, one year into the role, and we've made major progress. And I think, in the fireside chat, I'm really excited to get deeper into those stories and share my learnings with all of you.