Risk DNA Dialogues is your backstage pass into the world of cybersecurity. In this series we’re inviting top CISOs to share their perspectives, strategies, and candid remarks about managing third-party risks. Join us as we dive into the Risk DNA that defines the challenges and triumphs in the cyber realm today—all through the eyes of those at the forefront of the field.
Intro
Few businesses could survive without the support of third-party vendors. As enterprises become more and more digitally driven, however, knowing and understanding the risks in your digital supply chain is paramount to protecting your own cybersecurity. Assessing third-party risks has become the Holy Grail for forward-leaning organizations, and as regulations and challenges grow, few have possessed the right tools to see those risks clearly… until now.
No one understands how to assess third-party risks better than Sue Bergamo, Chief Information Security Officer (CISO) for BTE Partners, a company that provides executive consulting services in digital transformation, cybersecurity, product engineering, GRC and industry certification assessments, security assessments, board preparation, and cybersecurity training.
As a technical expert, innovator, and seasoned veteran in the cybersecurity/people-process-technology field, Sue has helped dozens of companies improve their cyber defenses. Recently, we had a chance to sit down with her to see what’s trending and what CISOs everywhere should be thinking about as they assess the Risk DNA of their own organizations.
Panorays (P): Can you share with us a little about your journey to becoming a CISO?
Bergamo (B): I began my professional journey as a system administrator, working my way up to CIO and then CISO. Along the way, I learned about various technologies and how security should be addressed from various angles. I also had a reputation as someone who could get things done on time and on budget.
P: If you were to describe your position as a CISO in simple terms, what might those be?
B: That’s an easy question. I’m a strong woman, capable of defending the world against faceless cybercriminals.
P: When was the first time you were hacked and what did that experience teach you?
B: I walked into a new job and, after asking about all of the alerts that were being received, learned during the investigation that the company had previously been hacked. The lesson I learned was that “alert fatigue” is real, as the company had so many alerts that the staff didn’t even bother to research them.
P: CISOs are frequently asked whether it’s better to have experience or credentials. What do you believe helps make a better CISO?
B: The experience that a CISO has is a key component of the job. Many CISOs are multi-faceted and support more than just a SecOps organization, so having experience in multiple disciplines (cloud security, application security, DevSecOps, SecOps, vulnerability management, fraud, physical, GRC, and privacy) is key to protecting our companies.
P: What are the barriers to success that many CISOs face?
B: Lack of support continues to be a barrier for many of us. Many businesses believe that protecting a company is the CISO’s job and therefore, we are expected to be everywhere, all of the time, with minimal investment and support from the other departments in the organization. This scenario typically changes upon a major (material) breach when customer trust wanes and revenues begin to fall accordingly.
P: Risk management and risk tolerance are important parts of a CISO’s overall security program, but not all CISOs understand the importance of managing risk at the executive level. Do you believe there is a gap in understanding risk at the executive level? If so, how can CISOs educate their fellow executives about the benefits of managing risk and understanding their Risk DNA?
B: I firmly believe there is a gap in many companies between how they approach risk management and what it takes to effectively discuss risk. This is a critical component for a security program and the one area that an external auditor starts an audit with. The CISO can start these discussions with the CEO to gain their support and then find a way to bring risk management to the executive team to foster the deeper conversation.
P: What are some challenges you foresee in the coming year regarding third-party cybersecurity and how does it affect your Risk DNA?
B: Lack of visibility, driven by the shortage of technology available to truly understand third-party risk, is one of the key areas within third-party cybersecurity that companies need to address. The other challenge is that many C-level executives don’t realize that this gaping hole exists. Consequently, they haven’t figured out that their threat landscape has become an open playing field for cybercriminals.
P: As a CISO, how are you managing the Risk DNA within your environments?
B: Risk can be managed in multiple ways. Technology can be used to monitor the environment to identify and remediate threats and vulnerabilities. Processes and procedures can then be implemented to create repeatable and consistent workflows to eliminate human error when processing data manually. Lastly, governance and continuous improvement are used to identify and remediate gaps before cybercriminals find them.
P: What are you seeing or experiencing in the market? Are investment dollars for new cybersecurity solutions hard to come by?
B: Investments need to be well thought out and considered, along with a perspective on the risk level if the investment isn’t granted.
P: With the myriad of data privacy laws in the US and Europe, how can CISOs better manage their vendors and ensure compliance with these regulations?
B: Vendors should go through a risk assessment to understand their security posture and maturity level. Having insight into how data is processed, transported, or used in other key areas is critical to understand before signing a contract with a vendor.
P: Do you believe that businesses are adequately prepared for the potential risks associated with the increasing prevalence of AI despite its numerous benefits?
B: Even if your business isn’t “ready” for AI, it’s very likely your third parties are already using it. There are many wonderful technology products in the market that can help you get ready for the AI invasion. The benefits and risks must be weighed, but AI is definitely here to stay.
P: In your opinion, why do you believe CISOs have an upward sell to get an organization to focus on what’s transpiring in the supply chain?
B: I believe that 2024 will be the year of third-party risk management. A flurry of information is being communicated regarding the gap that exists between understanding risk and what CISOs need to do to educate their fellow executives about the benefits of managing risk and Risk DNA. CISOs are starting to take notice.
P: As you look at the changing risk landscape, what are the three most important steps you would recommend that other CISOs should take right now to help bolster cybersecurity within their organizations?
B: While there are many ways to build a solid cybersecurity program, I would recommend that CISOs follow the triad of confidentiality, integrity, and availability. This trio will lead them to a framework where they can work across the organization to implement the next three steps of the program: technology, process, and people (education and awareness). Cybersecurity is a combination of these items. Taken together they create an effective program.