On the sidelines of the RSA Conference in Abu Dhabi, Qualys CISO Mark Butler sat down with Security Advisor ME to discuss how CISOs should focus on helping deliver business growth through security.
Can you please tell us about what your role as CISO at Qualys entails?
As a CISO, I have more of an outward-facing role. I am tasked to talk to CIOs and fellow CISOs and other business leaders to ensure that our goals and strategies are aligned from a product roadmap’s standpoint.
Qualys has traditionally been known as a vulnerability scanning company. That’s a foundational element of our offerings. We are primarily centred on security visibility not just for vulnerabilities but also for everything from web applications to File Integrity Monitoring. Furthermore, we are also increasing our focus on threat protection, which has brought huge benefits to our customers.
Do you think that cybersecurity has now become an important part of the boardroom agenda?
Yes, absolutely. Whether it’s by design or by some sort of trigger like a recent breach, cybersecurity is now increasingly becoming a big part of boardroom discussions.
Non-IT C-level executives may only care about it because they don’t want to be in the papers and they don’t want a negative event to happen within the firm, but they are now, more than ever, becoming concerned about cybersecurity.
However, some more mature organisations are looking at it from a different standpoint. They view it as a differentiator in staying ahead of the competition. They see it as an opportunity to build their brand’s image as an organisation that has strong security capabilities. The boards are looking at security as a core competency for running their business and transforming their products into the digital world.
How has the view on cybersecurity evolved over the years?
When we talk to CIOs and CISOs today, one of the main questions they ask is: “How can you help me simplify my environment?” They want to know how they can reduce the number of tools that they use and solutions they deploy. They are interested in how we can help them optimise their investments. It’s not necessarily a financial discussion but it’s a matter of simplifying systems so they’ll no longer need a lot of resources to run their security teams. They are becoming more and more interested in ensuring that they get to focus on more targeted and critical issues.
Business leaders are now beginning to realise that it is no longer about the number of solutions you deploy. It’s about having the minimal amount of security tools in place and getting them to integrate data, communicate with each other and develop an orchestration and response framework. There’s also a growing interest in building products that have security built in instead of just having it as an add-on.
How can CISOs better communicate the importance of security within the company?
I think there are still CISOs today that need to evolve themselves because they’re still running security programmes just for the sake of doing it. This needs to change. They need to communicate to the rest of the business and instead of adding new policies, guidelines or controls, which are all important as well, they should focus on how they create business value through security.
CISOs need to keep in mind that the security programme exists for the business. Therefore, the systems and policies under it should complement the goals of the business.
This mindset is slowly but surely starting to change. But this is what I see as the biggest challenge and, in some ways, an opportunity for CISOs today.
How can CISOs help create an IT-security aware culture within their organisations?
I think we have done a disservice to our employees in terms of creating that kind of culture. What I mean by that is, in a way, we have built a culture of ‘Don’t’ within the workplace, i.e. “don’t open that”, “don’t click on this”, “don’t install that” and so on. While none of those are incorrect, it has created a punitive environment. Instead, we should spend time on establishing preventative controls and measures wherein, say, they won’t be able to install software unless they have the right access or authorisation.
The number of sophisticated cyber threats that are out there is growing and our employees are at risk every day. But, if we have the right preventative measures in place, then our employees won’t be in high-impact situations.
We, of course, need to focus on training and educating them. But we should also create a culture wherein, whenever our employees encounter a cybersecurity issue, they want to share it immediately without feeling like they will be penalised in any way. There should be an open line of communication within the whole organisation.