
Security Transformation Playbook

Episode 05:
Achieving Security Nirvana

In the same way that having brakes on a car enables you to go faster, having a good security team that is able to assess and balance risk and bring forward solutions that allow you to take the right risks in a responsible way, can actually help the company move faster and help achieve business goals.

—Gary Harbison, VP, Global CISO at Bayer

This episode features an interview with Gary Harbison, VP, Global CISO at Bayer. Bayer is a global enterprise with core competencies in the Life Science fields of healthcare and agriculture with a market cap of $53.5B. Gary has over 19 years of experience in the Information Security domain (21 years of overall IT experience) that includes roles at multiple global Fortune 500 companies, as well as public sector experience with the US Department of Defense.


On this episode, Gary delves into where he thinks the largest gaps in security are today, what he believes will be a major issue in the future that nobody is currently aware of, and why he analogizes security leaders to car brakes.


Timestamps

* (3:17) - How Gary got into security
* (4:42) - Gary's current role at Bayer
* (5:40) - Segment: Taboo Topics
* (5:55) - What outsiders get wrong about security
* (7:40) - The fastest growing risk in security today
* (9:15) - How to drive real-time risk assessment
* (9:28) - Segment: Deep Dive
* (28:52) - How Gary keeps up with security and gets better at his job
* (31:27) - What Gary would tell his younger CSO-self
* (33:30) - Segment: The Future
* (33:43) - What nobody is talking about right now that will be a major issue in the future
* (35:22) - What CSOs need to invest in for the future
* (36:49) - Segment: Quick Hit


On this episode

Jason Clark
Chief Strategy and Marketing Officer at Netskope

Jason brings decades of experience building and executing successful strategic security programs to Netskope.

He was previously the chief security and strategy officer for Optiv, developing a comprehensive suite of solutions to help CXO executives enhance their security strategies and accelerate alignment of those strategies with the business. Prior to Optiv, Clark held a leadership role at Websense, where he was a driving force behind the company’s transformation into a provider of critical technology for chief information security officers (CISOs). In a prior role as CISO and vice president of infrastructure for Emerson Electric, Clark significantly decreased the company’s risk by developing and executing a successful security program for 140,000 employees across 1,500 locations. He was previously CISO for The New York Times, and has held security leadership and technical roles at EverBank, BB&T and the U.S. Army.


Gary Harbison
VP, Global CISO at Bayer

Gary is a proven security leader with over 19 years of experience in the Information Security domain (21 years of overall IT experience) that includes roles at multiple global fortune 500 companies, as well as public sector experience with the US Department of Defense. His background has included technical experience, strategy and architecture-focused roles, cyber and threat experience, and various leadership roles focused on building high-performing teams to drive the strategy and direction for Information Security while partnering with his customers to enable key business objectives. Gary has a track record of developing security and risk management programs built to evolve with changing business needs and evolving threats. He also serves as an advisor to several cyber security startups, sits on multiple Executive Advisory Boards for Cybersecurity companies, and is a frequent speaker at industry events.


Transcript


Gary Harbison: I would say that more than anything, I think people look at security as we exist to stop things. And while yes, we do want to stop attacks from happening and such, but in much the same way that having brakes on a car enables you to go faster, having a good security team that is able to assess and balance risk and bring forward solutions that allow you to take the right risks in a responsible way, can actually help the company move faster and help achieve business goals. So looking at it as we're here to say no or to stop things, we're actually here to help figure out a way to say yes in a responsible way, and that can actually help the business move faster.

Producer: Hello, and welcome to Security Visionaries hosted by Jason Clark, CSO at Netskope. You just heard from today's guest, Gary Harbison, VP and global chief information security officer of Bayer. Achieving security nirvana is not an easy endeavor. The security landscape is constantly changing, especially now that, with the cloud, data can be accessed from just about anywhere. On any given day, you and your team can be on the brink of tranquility and the next, utter chaos. But in the same way that having brakes on a car enables you to go faster, security teams can help enable companies to grow. Nirvana is met when security teams can assess and balance risk and bring forward solutions that allow companies to take the right risk in a responsible way. Doing so allows companies to move smoother, faster, and achieve their desired business goals, and that includes, as Gary so eloquently puts it, being able to have security follow data wherever it goes. Before we dive into Gary's interview, here's a brief word from our sponsor.

Sponsor: The Security Visionaries podcast is powered by the team at Netskope. Netskope is the SASE leader, offering everything you need to provide a fast, data centric and cloud smart user experience at the speed of business today. Learn more at N-E-T-S-K-O-P-E.com.

Producer: Without further ado, please enjoy episode five of Security Visionaries with Gary Harbison, VP and global chief information security officer of Bayer and your host, Jason Clark.

Jason Clark: Welcome to Security Visionaries. I'm your host, Jason Clark. Chief strategy and security officer at Netskope. Today, I am joined by a very special guest and friend, Gary Harbison. Gary, how are you?

Gary Harbison: Doing well, Jason. How are you?

Jason Clark: Doing awesome, man. Super fantastic. I'm enjoying our nice fall weather that we both have here in St. Louis today. Actually, we could have maybe even done this in person. That would've been a good idea.

Gary Harbison: Very true, this is a good time to be in St. Louis right now in the fall.

Jason Clark: Yeah. And I feel the other thing when I think about this is we maybe should have done it as happy hour and had been drinking a beer or bourbon together at the same time too. But oh well, we'll do that. We'll do that next time here.

Gary Harbison: Next time, yes.

Jason Clark: So Gary, we've known each other for a long time and I've done a lot of cool stuff, which we'll talk about together here, but let's start in the very beginning. How did you get into security? What was your first job?

Gary Harbison: Good question. So when I was going to junior college, I think I was 19 and I got a role at an Air Force base close by, right across the river from St. Louis. And at the time, I was in a network and telecommunications engineer role and it came down from headquarters that there were new firewalls to be installed and they came to the network team and found two of us that knew Unix and networking, and those became ours to install and own going forward. So that was my first introduction into security, was installing and managing their firewalls and then that spread into looking at server operating systems and other things, and just continued to expand from there. So not something I ever really planned, but it worked out.

Jason Clark: Okay. I think that's probably for any of us that have done this for over 20 something years, I think firewall was probably the first ask and the first way we came into the security team. By chance, what was the brand of those firewalls back then?

Gary Harbison: It was Sidewinder firewalls.

Jason Clark: Yeah. I haven't seen one of those in a very, very long time.

Gary Harbison: It's been a while, yes. They were acquired. And I think eventually decommissioned in the end.

Jason Clark: So now tell us a little bit about your role as the CISO for Bayer.

Gary Harbison: So right now I'm the global chief information security officer at Bayer. So responsible for all cyber security activities across all of our divisions and functions globally. Bayer has multiple business areas. We have a crop science division focused on agriculture and driving advancements and continuing to improve the food supply and feed the world. We have a pharmaceuticals division that is working on next generation treatments and medicines and such to help everyone continue to improve health. And then we have a consumer health division that sells more of the over the counter brands of products there also on the healthcare side.

Jason Clark: So I'll give you a bunch of questions here and we'll just go back and forth. Again, turn it on me at any point in time. But first question for you is what do you think people get wrong that are outside of security?

Jason Clark: Right. In the business or other parts of IT. What do they get wrong about security?

Gary Harbison: I would say that more than anything, I think people look at security as we exist to stop things. And while yes, we do want to stop attacks from happening and such, but in much the same way that having brakes on a car enables you to go faster, having a good security team that is able to assess and balance risk and bring forward solutions that allow you to take the right risks in a responsible way, can actually help the company move faster and help achieve business goals. So looking at it as we're here to say no or to stop things, we're actually here to help figure out a way to say yes in a responsible way and that can actually help the business move faster.

Jason Clark: I was doing something like this with Dustin Wilcox, the CISO for Anthem, and I like the way he said it. He said somebody on our panel was like, "We should be always trying to remove friction everywhere we can and it should be frictionless in security." And he said, "No. Actually, we need the right amount of friction. Friction is important in certain times." Right? You can say yes, but tell me the reason why. Type in the one sentence reason why you need to upload this data here and just be engaging where they say, "You know what? I actually don't need to, or yes, I have a good reason." Right?

Gary Harbison: Absolutely. I think that of course you want the controls and such to be as frictionless as possible for end users, but the word I've often used was tension. You want a healthy tension in the system that's got the checks and balances, but I agree with him on, as much as possible, removing the friction that impacts the ability for employees and users to get their job done each day.

Jason Clark: So what do you think is the fastest growing risk in cybersecurity that most people don't realize? So the risks that are sneaking up fast on them.

Gary Harbison: Yeah. I would highlight overall, I just think the overall data security and governance space is one that is just evolving so quickly. And so it's not only thinking about protecting the data, data's become so portable. We can carry terabytes of data in our pocket and when we both got into security, that would've probably filled data centers. So the storage, the portability of data, it can be moved and shifted about so quickly, it's being shared with partners and third parties, it's being hosted in cloud environments. And so understanding how to protect the data and where it's being transferred.

But then the other part that is continuing to change and evolve are the laws and regulations globally on how data has to be protected, where data has to be stored at, where it can be accessed from. So especially for a company that operates globally in a number of countries and regions and jurisdictions, it becomes complicated to understand how to protect the data, where to store the data and what access to provide to the data. So I think companies are focused on it and they're continuing to work on it, but the regulations and laws and threats are changing so quickly, it's just an ever evolving space.

Jason Clark: Yeah. So basically, would you summarize it because you started with the governance and risk around it, but then you obviously... Would you just call that data risk? Is it just overall the fastest growing risk is their data risk?

Gary Harbison: I would say so, yes.

Jason Clark: Yeah.

Gary Harbison: I think that's a good way to phrase it.

Jason Clark: The reasons why they've lost the visibility would be just reiterating, right? One, it's everywhere and it's very portable. It's in the cloud, it's on mobile. (singing)

So I think jumping to that point, would you say then that's the number one place where innovation is probably needed from a cybersecurity perspective?

Gary Harbison: I would agree, yes. Looking at technologies to detect attacks, to monitor our environments, to build in the right security around environments. In the past, we've focused a lot of those heavily on infrastructure and servers and devices and such. Where the future is going, everything is going to the cloud and employees and users are going to be working from anywhere and maybe sometimes from a number of different types of devices. And so I think there is the need to continue to innovate on how we protect data and moving the controls closer to the data and not relying on securing the servers or the devices or the cloud environments they're in, but how do we protect the data wherever it goes and wherever it's stored, on having the right detection and visibility around data movement and what data is being moved where, and also understanding and being able to overlay those requirements on how data's stored, where and how it's protected.

And there are capabilities that exist there but they're often fragmented today. The more we can automate that, do it in real time and get that good visibility of where our data's stored, how it's protected, who's accessing it and are we compliant with it in an automated, real time way. That's going to be really where we need to get to and I think there's still a lot of innovation that's possible and that's needed to get there.

Jason Clark: You said that real time word is very important because I'd argue that most people still look at risk as one time. I have the Big Four come in and do a risk assessment. I was just talking to a very large financial institution and the deputy CISO there was saying they're planning their once a year Office 365 risk assessment. I'm like, "But it changes tomorrow depending on what new vulnerabilities or what new data's there." I'm like, "Why would you even do that once a year?" How have you driven more real time risk assessments of your cloud or infra

Gary Harbison: Yeah. I think like everyone, we're still figuring some of that out. I think that as you said, traditionally, we look at risk assessments as being a point in time. Maybe you do an annual assessment, or if you're assessing a third party, you're reassessing them on a periodic interval based on risk. But getting that more real time risk assessment is really I think where everyone's striving to get to. There is more automation and more data that we can stream off the devices, get real time visibility. But I think the importance is taking the visibility and understanding the security of the cloud environment or the workloads that they're on or the platforms that the data's in and being able to overlay the automated visibility we have with the business context to understand the importance of the severity of that asset. I think that's what helps us get into more of a real time assessment of risk and understanding of how we're managing that in our environment.

Jason Clark: Yeah, yeah. Agree. I think you just described one of my favorite topics, which is SASE, right? Secure access services edge, and the whole purpose of that is moving the security perimeter and taking all those older technologies and merging them into one inspection point that can be seamless right for you. You once said, actually, you drew it on my board and I'll never forget the sentence. And you said, Nirvana to me is when the security controls follow my data everywhere it goes. And I think SASE is an element of that. What's your view on the secure services edge and just what Gartner's doing in creating this MQ and the impact, how fast do you think that will be adopted out there in the enterprise by your peers? And as part of that, how do the security and network teams start to converge and come together to execute that?

Gary Harbison: Sure. So I think the movement to get to the SASE type of model, where you essentially, much in the same way we were just discussing, the concept of the castle and moat philosophy where we've got one perimeter around the outside of our network like the wall around a castle and things that are inside are good, things that are outside are threats and we've got to defend the walls. That's really moving past us and it's actually moved past us some time ago. So the concept of understanding that we're going to have data hosted in many environments, multiple SaaS platforms, multiple infrastructure-as-a-service environments, we're going to have employees working from everywhere, we're going to have third parties that need access to data to collaborate and drive innovation and we're going to head to the cloud.

The future of staying on premise is going to probably happen for certain unique scenarios or where you might have operations locally like a manufacturing site. But otherwise, a lot of this is going to go to the cloud and to do that and do it well, we're going to have to be able to protect anywhere and access from anywhere. Then that does require that concept of having what was previously your perimeter be in the cloud. Then it needs to be able to virtually sit in front of what you're protecting, wherever it may be and it needs to also sit in front of the access from your employees or from your users, protect them and also screen their access to the assets they're trying to access.

So I really feel that is going to be more of the future model and I think most companies are at least looking at it or considering it. The timeline of how quickly they embrace it or adopt that architecture overall and that implementation probably depends on the type of business they are, what their requirements are, where they operate, what industry they're in, what regulatory requirements they have. So everyone may implement it in a different speed, but I haven't talked to many companies who aren't at least looking at it and building a strategy around it.

Jason Clark: Isn't that a factor of just in the end, how fast they're moving to the cloud, how fast they're adopting SaaS, right? Because at that point, you're so stretched. There's a tipping point, there's a percent of amount of apps and data in the cloud or mobile users not on my network where I at some point, have no choice.

Gary Harbison: Absolutely. The speed will be driven by the business. And like so many things, I always try and relate that when we look at a security strategy or roadmap, those things aren't there just because a security team thinks the technology's cooler, we want to do something. You build your projects around three types of drivers. You've got business drivers where we need to implement something in order to enable the business to move quickly and achieve their goals. We need to implement something to address a set of risks that we have within the company, or we need to implement something driven by the threats and the evolution of the threat landscape. So the timeline, we're always balancing that timeline against three types of drivers on how quickly we move. So to your point, Jason, I absolutely think that a lot of it is driven by how quickly the business is going to the cloud and then we need to make sure that we align those capabilities so that they're ready to enable the business to move forward.

On the second part of your question on organizational changes, I think that the network teams and the security teams have always worked closely together and over time, there's been different models on where some of the infrastructure controls sit, do they sit in the network team or do they sit in the security team, but there's always been that partnership no matter how that's worked. And what I see in the future is the network is going to change for network teams, but I don't think the concept of access over a network and packets flowing over the wire is going to go away. There's still always going to be the need for network talent, but that network talent has to evolve.

If someone sees themselves as a router person or a switch person and building out those networks, that's going to change significantly as you start to see software defined networks and essentially companies are going to Amazon or Google or AWS... I'm sorry, Microsoft, and they're spinning up data centers in the cloud. So the network teams have to understand that in the future, networks are going to be built more by code than physically connecting devices. So the need for network talent and expertise is always going to be there, but that's got to re-skill and evolve to understand how to ensure the delivery of services and connectivity in a more modern way in the future. And I think that there's always going to be that close cooperation between security and networks.

Jason Clark: So, all right. Just replaying it back. So you've got people that are hyper-focused on the LAN and so you're always going to have on-prem stuff. Right. And so I see those probably being more a function of desktop engineering at some point, but then you've got the routing teams that are trying to get your user to an app. It's all about access. Their job is to get the users to that data but as that data, as that user is more and more off the network using the internet and that data more importantly is more and more not sitting in your data center, it's in the cloud, it's in SaaS apps, it's in 365. As that pendulum shifts and let's say that 70% of your data, right? So now 70% of the time, you're using the internet where networking is happening but you're in essence, outsourcing networking to whoever's running that network and then there's still controls you need to worry about.

So that networking thinking, doesn't it end up going into the security team that owns that inspection point because you still have to have that inspection point for security, or it goes to that cloud infrastructure organization that you're outsourcing to, or it goes to the app team. So I guess what I'm saying is, isn't there a pendulum shift point where networking... I've had a pretty large networking team in the past when I was at Emerson, who had 2,000 locations. But where is that point where if you were a networker today, if your son was a network engineer, where would you be advising him to start to think about and to learn and what organization maybe to start thinking about joining as it does start going into other orgs?

Gary Harbison: Now, good question and I think the network engineers as we've known them in the past, that is going to change significantly as I said but depending on the type of company you are, if you're a totally cloud-based company and your on premise sites are mostly office buildings where knowledge workers are there working. Yes, there's going to be very little need for networking. You can have local connectivity set up in your building and connect to the cloud and have cloud-based security. For companies with a number of global sites and manufacturing locations and labs and other types of locations, you're still probably going to have a global WAN connecting some of this together. So I don't think the network expertise ever goes away and you still got to be able to stitch that local environment to your cloud environments, SD-WAN starts to come in.

So there's the need for network expertise. To your point, where it goes, a lot of it probably depends on the type of company, the structure of IT. In a company that's mostly a tech company, that may be just embedded within the DevOps teams, right? In a company that maybe has more traditional manufacturing type of activities, you may still see a networking team that has to do some of that work but has to work much more closely with other teams than they ever have in the past. So I don't know if there will be one answer to it. I think to your point, it could end up in a number of other teams.

Jason Clark: What would you tell your son asking you for that advice of what to learn?

Gary Harbison: I would always encourage anyone going into IT to broaden their basic understanding of foundational IT elements as much as possible. And that's one thing I've seen that we have lost in the industry over the last 10 to 15 years is we have pushed people toward specializing so much. When you get down to troubleshooting a very complex issue, there's not many people left that understand how it all fits together and works together. So I would encourage them to learn as many different areas and then figure out which team they want to go into.

Jason Clark: Okay. With that, you and I have spent a lot of time together trying to help the industry, right, from an innovation standpoint. You and I work on a bunch of startup stuff together and VCs. But also together, we created the Security Advisor Alliance focused on trying to help the skills gap and the diversity gap in security. Maybe talk a little bit about why, why that's important to you and why you're a part of that organization.

Gary Harbison: Absolutely. As I think anyone who is building a security organization, managing a security organization sees, there is a huge talent gap. There's a talent gap on numbers overall. There's a talent gap on depth of expertise. There's a talent gap around diversity overall which you mentioned. And part of that stems from back to the first question you asked me on how a lot of folks got into security early on. You got into it because you got a role somewhere where you learned it on the job. A lot of folks came out of government, military, maybe financial services who were a little bit ahead on some of the security topics in the early days, but there weren't a lot of, or any, even early on, college programs to learn security. And so you really had to get a job to learn it and that just didn't scale when the explosion and the demand continued to increase year over year.

And now we're trying to get there, there's a lot of universities driving programs, continuing to evolve that, but as an industry, I think we've got to really look at how we also help create the next generation of security practitioners to help fill that gap and that's why, from the early days, I've always been so passionate about the Security Advisor Alliance on saying, how do we address that gap? How do we get to middle school children up into high school and get them excited about cybersecurity as a possible career path and also protect them, help them understand how to protect themselves, because the internet is a dangerous place for younger children. So we raise their awareness that allows them to protect themselves, but also get them hopefully interested in a field that they could move into eventually.

I think helping existing practitioners continue to grow as leaders. We need the next generation of leaders to step up with innovative new ideas and bring forward new ways to tackle the problems that we're facing. And then the third piece and probably one of the biggest ones is the diversity gap. For an industry that is struggling to find talent, we're not tapping into huge, huge portions of the population that could bring new ideas and new ways of thinking and really help us drive things forward. And so I think we've really got to think about how do we tackle the overall inclusion and diversity within cybersecurity. And if we're able to do that, we're going to see an improvement on not only the numbers, but overall the diversity of thinking and creativity within the industry overall. So I think it's something that all of us as security practitioners and leaders should be thinking about is how do we help the industry overall?

Jason Clark: Yeah. And thank you for everything that you've done for the industry. You've put a lot of energy obviously with what we just talked about, but also, you created this security program, the master's program with Lamont at WashU, right? So maybe how did that opportunity pop up and anything else you want to say about where that needs to go and what should high schools do?

Gary Harbison: Sure. So I think the opportunity at WashU came up, they were creating the cybersecurity masters program. And I really liked their approach, which is they were looking for industry practitioners to come in and really be adjunct instructors so that their students could really get a real world, real life type of teaching and examples and content coming from practitioners that are embedded in it each day to build this next generation of security practitioners. So I think it's been great. I talked to them initially and Lamont and I, and working with Eric Kruse as well. He was actually a student in one of our classes and then became a co-adjunct with us on our cloud security class. I really enjoy trying to help college students coming through learn more about this and some that are actually already in their profession wanting to develop more.

And so it's very rewarding to help others learn and grow and develop them, but at the same time, helping hopefully build something that is repeatable within the industry. And so these other programs start to force multiply and help us address the talent gap. So I think it's something that's been very rewarding and I think the next is to look at each end of that pipeline. So A, how do we help individuals in high school figure out how to get into those programs? I receive a lot of questions from folks I just know locally as some of these students are coming out of high school, they really don't know how or where to start. So how do we help them get plugged into the pipeline? Then how do we look at how we bridge the individuals coming out of these programs and get them ready to step into a role within these companies and start to begin their careers. So I think the overall educational space is doing a better job of creating the programs, but we've got to address each end of the pipeline to truly start to address the overall problem.

Jason Clark: Love it. That's perfect. So it's funny, Gary. We're sitting here and I hear your emails coming into Outlook and obviously it's a constant flow of information coming at you and your job's super stressful. I think the CISO job is probably one of the hardest C level jobs that exist for a lot of factors, but how do you keep up? What's the secret to scaling? How do you keep up with the news, the intelligence reports, the shift in technologies, the new innovations, understanding what your risks are and what your business is doing at the same time, all of that. Do you have a secret to how you stay afloat with it all?

Gary Harbison: Good question and that is the challenge. There is so much information out there, consuming it in a meaningful way is always difficult. I try and identify certain news sources and aggregation giving me a summary of headlines and then I try and focus on the topics I want to come up to speed on or stay up to speed the most. So anything that can aggregate some of those news stories or data and updates externally is always helpful. I think the second piece is using your network. So talking to your colleagues both externally and internally and hearing from them, what are the important things to them and really hearing what they're seeing out there. I think that is always a second way to keep your finger on the pulse of what's going on. And then the third piece is having a good team around you and then your team is plugged in and they know what things you need to know to keep you updated. So the network, the team and then just figuring out how to aggregate the information into meaningful high priority topics that you want to come up to speed on.

Jason Clark: I think one of your secrets, Gary, and good CISOs do this, right? Is you hire other CISOs and you've hired people that were CISOs in other places or many who could be CISOs anywhere and that gives you an advantage because they know your job. And so they're not just focused on their silo.

Gary Harbison: Completely agree. Having a good team is always the number one element of success and surrounding yourself with people that are very knowledgeable, very good, have high degrees of accountability and also sometimes, that are good at things that you're not. Understanding your gaps and having people around you that are good at other things or can challenge your thinking is always good.

Jason Clark: Yeah. So if you could go back to your younger self when you first became a CISO, what would you tell the brand new CISO, Gary?

Gary Harbison: It's coming into it initially, I remember I took on the first role, I was really rebuilding the team, had a number of leadership team roles open, a number of other key leader roles open in the organization. Our business was going through a number of changes and so there was so much emotion already. There was really very little stability and everything was changing. There was a lot of work that I was trying to fill multiple roles at the same time and it was a stressful beginning. So I think over time, you learn how to prioritize. And for instance there, I finally figured that I had to take a step back and focus on filling some of the roles because it wasn't sustainable for me to continue to fill three or four or five other open roles on top of my own. So I had to try and delegate some of what was going on to folks who could keep that running or tend the fires a bit while I go out and I hire the folks to come in and take on those responsibilities.

So prioritizing the right activities and being able to do that in the midst of chaos and change. So I think that's something that I've learned over time. And I think the second piece is to expect constant change and there isn't always going to be a status quo though. The world is changing quickly, technology is evolving quickly. Businesses are going through digital transformations. The overall talent, the war on talent and changing of people is happening. So nothing really ever stays static. So each day, you've got to be ready for new challenges and be able to adapt and continue to move forward on that. And so realizing that is the normal, that there isn't really a normal, the normal is change, I think just helps you put everything in perspective.

Jason Clark: So with that change, let's fast forward to 2030. (singing)

Nine years from now, what do you think is the biggest issue facing security, fast forwarding in the future? Cloud's obviously happening now. Everything we know is happening now, but what's the thing that nobody's talking about right now that will be an issue in the future?

Gary Harbison: I think, and it's all already happening somewhat, but I think in the future, one of the things that we as security practitioners are just starting to get our heads around fully but I think that consumers, us as consumers in our personal lives will get our head around more is that areas that we've never thought of, of being impacted by cyber security in the physical world are going to in the future more and more. We've already got appliances that are connected and have an IP address on the internet and they're syncing back in and you can manage them centrally. The security of our homes, our vehicles, and our cars and the safety of driving cars, more and more mass transit and critical infrastructure.

As digital comes into more and more aspects of our physical life and those things can be impacted by cybersecurity, I think that's something that everyone hasn't fully appreciated yet. It is a very, very big impact when you see a large breach of a company and maybe an impact on personal data and other things. But when we start to get into loss of life scenarios around cybersecurity attacks, I think that definitely will continue to change how we look at risk and how we approach cybersecurity.

Jason Clark: Yeah. So is there anything that as you think about that problem, that all security programs or CISOs should be thinking about or at least investing in even potentially to get ahead of that?

Gary Harbison: I think one of the things to invest in is ensuring that you have a forward looking strategy and that strategy isn't something back to our conversation earlier, that you build once and you put on a shelf and you review it annually as you're looking and preparing for your projects next year and you build a three year roadmap and you believe that you're going to stick at exactly because the reality is you probably won't and you're going to be reassessing priorities quarterly. You've always got to be able to keep your eyes on the horizons of what's coming and then be prepared and not wait till it's right on your doorstep and now you have to react. I don't know if there's a specific technology or anything that you prepare for, but it's how you operate and maintain your strategy, how you continue to assess and make adjustments based on the changes around you.

Jason Clark: I think that's perfect. Basically, you're saying be strategic in your long range planning while at the same time, know that it's going to change, that the winds are going to change. As you're looking at the horizon, you've got to adjust and change your tactics but staying with that true North Star of whatever that destination is when you know the issues that are going to come up in the future. So that makes sense. So the last couple of questions are quick-answer ones, right? (singing)

So the first one is: what's one talent or skill that's not on your resume? It could be personal or anything.

Gary Harbison: I would say one thing that I think has helped me through my career, that I've always gotten feedback on in end-of-year reviews or from peers and others, is the ability to maintain and stay balanced and look at both sides of any problem or any issue or risk, of being able to stay calm even in contentious or high pressure situations and be able to break down complex problems and figure out how to start to move forward or provide solutions. So I think I relied on those more maybe soft skills types of things, just as much as I relied on more technical skills.

Jason Clark: So it's super important, right? To be able to be calm with all the things happening when you've got a lot of incidents happening, trying to be able to focus and really be able to think and see clearly and not react. So that's a special skill. So second question, what is your favorite domain in

Gary Harbison: Good question. I think if I look back to my more technical background, still the most exciting space that can still get the excitement going and the adrenaline going is looking at the threat space and the attacks and how we continue to address them and respond to them. It's stressful but it's exciting and it's that continued game of chess. So I'd have to say that the times when I start feeling myself getting pulled back into the weeds, I tend to do it there because it's just always been interesting.

Jason Clark: Right. And it's our purpose, right? It's defending ourselves against this growing adversary that's innovating even faster than we are. And the last question, if you were not in security, what would you be doing?

Gary Harbison: That's a great question. I'm really not exactly sure. Coming out of college, I wasn't really sure what I wanted to do. It was everything from being an accountant to possibly being a mechanic or electrician to IT systems. And throughout my career, I've been fortunate that opportunities have come and I've always assessed it on what I can learn from a new opportunity and what can I bring to the opportunity to continue to make things better. So I don't know exactly what I would be doing, but I think it would be something that would always have a new challenge and quite a bit of change. And I think that's something that I've always been drawn to in security is the fact that no two days have ever been alike. There's always a new challenge and it always requires a fresh perspective every day.

Jason Clark: Well, awesome. Well, that's all we have time for. So Gary, this has been awesome. I know that we could have done this for an entire day and just had fun going back and forth, especially if we had a beer. And so that's what we'll do next time, but thanks. Was there anything in closing you want to leave the listeners with?

Gary Harbison: No. I would just thank everybody who drops in and listens to this podcast. And thanks, Jason and team, for having me as a guest today. I enjoyed talking through it and looking forward to doing it over a beer next time.

Jason Clark: Awesome. Well, great. Well, have a great weekend and enjoy the weather.

Gary Harbison: Thanks, you too Jason. Take care.

Sponsor: The Security Visionaries podcast is powered by the team at Netskope. Looking for the right cloud security platform to enable your digital transformation journey? The Netskope Security Cloud helps you safely and quickly connect users directly to the internet from any device to any application. Learn more at N-E-T-S-K-O-P-E.com.

Producer: Thank you for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone you know who might enjoy it. Stay tuned for episodes releasing every other week and we'll see you in the next one.
