SecureWorld returned to Houston for the first time in four years with a conference agenda loaded with impactful panels, vendors tackling topics top of mind to cybersecurity professionals, and a buzz of excitement to be back together again to network, commiserate, and share successes.
"It was a great event," said Paul Dial, CISO of AECOM, who was part of a closing keynote panel on "CISO: Chief in Name Only." "It has been years since I attended a SecureWorld event. I'm glad that I was able to be part of this one!"
Dial was joined by panelists Stephanie Franklin-Thomas, PhD, SVP & CISO, ABM Industries; Ionel Chila, VP of IT Security and Compliance, Cornerstone Capital Bank; and Julie Boehl, Director of Information Security, Southwestern Energy, who shared their perspectives from various industries on the challenges and opportunities facing CISOs and equivalents today. The panel was artfully moderated by Dd Budiharto, CISO, Advisory Board Member, and Founder of Cyber Point Advisory, a vCISO firm.
One hot subtopic was the reporting structure for CISOs. Do they report to the CIO, the CFO, or the CEO? And do they have a straight or dotted line to the board?
"So in terms of reporting structure, I'm actually in a really good position in that I report to both the CIO and Chief Revenue Officer, so I'm kind of sitting in this kind of administrator role. On top of that, even the role before this one, it was a private company, and so I had a reporting relationship to the board," Boehl said. "So I've been reporting to the board for a while, and I kind of feel like that is coming from a regulation standpoint. But I do think that there's a natural conflict between reporting into the CIO.
"I probably have a distinct belief around IT in general needing to report to the CEO, because if you are, regardless of what your business is, and you haven't figured out how technology enables you, you've missed the boat. I don't think there's any industry, any business, that technology does not play a role in. So if IT is not on an equal footing with the rest of the leadership, I find that to be a problem."
RELATED: Here's an article from The National CIO Review on "The Organizational Importance of the Chief Information Security Officer."
One quote from the article: "The positioning of the CISO role in an organization's hierarchy can serve as a bellwether of the importance that a company places on its success and directly impacts its ability to engage with executive leadership, collaborate with other business units, and advocate for security initiatives that align with business objectives."
Budiharto also served as a panelist on the opening keynote session, titled "CISO Panel: Lessons Learned and Advice for the Next Generation of Cybersecurity Professionals."
She was joined by Adnan Hussain, Cybersecurity Engineering Manager, Schlumberger; Michael Gregg, CISO, State of North Dakota; Linda White, Director of Information Security, Axiom Medical; and moderator Mario Chiock, CISO & Fellow Emeritus, Schlumberger.
They shared their wisdom, focusing on how what they have learned over 100-plus combined years of experience can help the next generation of cybersecurity professionals and the organizations they represent.
"What we [at Schlumberger] have done recently, for the last maybe three years, is that we have a rotation program where, for people who are talented enough and we see potential in them, what we do is we rotate them to different pillars," Hussain said. "They go through data analytics, a business application, digital applications, etc. And they go through all those pillars every four to six months. And once they go through all those pillars, we now know that they not only understand the technical domain, whatever domain they're coming from, but they understand all the cybersecurity."
"We call them cybersecurity champions," Chiock added.
The lunch keynote featured Deron McElroy, Chief of Cybersecurity for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), one of the newest federal agencies, which is tasked with protecting the nation's critical infrastructure.
He broke down the eight core principles CISA looks at when evaluating cyber resilience: mission focus, risk-based, efficiency oriented, standards and regulation neutral, requirements-driven, a converged approach, collaborative and process maturity, and improvement as a foundation.
"Approaching [resiliency] as a business problem really helps," McElroy said. "Not only identifying what you need to be doing to support the business but getting the attention of the business leads, and focusing on the most critical business services first. It really kind of shines a light on what you are doing, what you're not doing, and what you should be doing; what your leadership wants you to do."
Other sessions included:
- "Transformational and Change Efforts: Why Do They Fail?," Al Lindseth, Principal, CI5O Advisory Services LLC
- "Cybersecurity Really Is a Team Sport," Shawn E. Tuma, Co-Chair of the Data Privacy & Cybersecurity Practice, Spencer Fane LLP
- A great panel on "What Academia Is Doing to Prepare Next-Gen Cybersecurity Professionals," featuring Eric C. Botts, Director, Global Cybersecurity Program, University of St. Thomas; Carlos Torres, Assistant Professor, Baylor University; Dr. Katie Evans, Dean of the College of Science and Engineering, Houston Christian University; Deniz Gurkan, Associate Professor, University of Houston; and moderated by Chiock
- Informative presentations from vendor and association partners, including SentinelOne, Winmill, Okta, Exabeam, Skybox Security, Expel, Uptycs, WiCyS, National Cybersecurity Alliance, and Cloudflare
SecureWorld Houston was held May 18, 2023, at the Norris Conference Center at Houston CityCentre and will return there next spring. Watch the SecureWorld events page for the exact date.