Running a Security Organization in Times of Uncertainty and Change

As part of Verified: Presented by AWS Security, a new video series of discussions with security leaders, Amazon Web Services CISO Steve Schmidt sat down with Noopur Davis, EVP and Chief Product and Information Security Officer at Comcast, to discuss what it’s like to run a large security organization during challenging times. You can watch the full video here.

Noopur, an experienced executive with a diverse technology and management background, touches on three key areas that are of particular interest to her peers…and happen to be some of the more common topics I discuss with customer executives. These topics are just as important (perhaps more so) as the technical aspects of securing operations in the cloud.

Security Culture

Building a strong security culture is something that requires constant care and feeding. It is a company-wide effort, not just an effort limited to the security or information technology teams. It goes beyond annual security awareness training for employees. It is about empowerment, accountability, and ownership. If you think you have a security problem, then you must assume that it is real. Security leaders must make it easy for people to raise security issues in a positive manner, through mechanisms such as ticketing or a hotline system. If, after an investigation, the security team determines it was not a real issue, thank the submitter and let their manager know you appreciate having an extra set of eyes on your extended security team. If it is a real issue that you otherwise wouldn’t have caught, use the opportunity to make a positive example of the use case and, of course, strengthen your overall security posture.

Security Hiring

Noopur has some great examples of what she’s done to widen the tent. I’ve written on the importance of diversity and inclusion regarding security teams, but these are some other mechanisms that Noopur has implemented at Comcast:

1. The EngX program focuses on young engineers just coming into the workforce and encourages/supports new hires to choose a career in cybersecurity.
2. The Act 2 program focuses on those workers who are looking to return to the workforce after extended time away, who want to return and make an impact with their experienced skillsets. (Amazon has a similar program in this important area)
3. Noopur says she leads by this model: “Diverse leadership attracts diverse people.” This has given Noopur the ability to hire women for 50% of her direct report positions.

Security Program

Once you’ve hired the right team and fostered the right culture, running an effective security program is an essential component of your organization’s overall risk management program. Setting a vision, creating tenets, and then checking back in on that vision and tenets periodically are crucial keys to success. Your program and its components should be flexible since situations change. Ensure every member of your team understands the vision, and uses its tenets in their decision-making process, while providing them the autonomy they need to protect the organization and have satisfying careers. Lastly, you must be able to measure the impact of your investments across people, process, and technology and report it not only in technical parlance, but in business value terms. Like IT, security is not an add-on to the overall business…it is a critical part of it.

Based on the learnings from Noopur’s interview and the most common questions I get from customer executives, it is clear that organizations and security teams are constantly growing, learning, and adapting to changes in business, social, and political environments. Those organizations that continue to focus on their people, culture, and processes and challenge themselves to get better across all those elements will be rewarded with stronger business outcomes, and the ability to adapt to new challenges head on.