The smaller, the better: Corporate CISOs turn to invite-only meetings to compare notes
If you are a chief information security officer, the best place to meet your peers may not be at the big events in Las Vegas, San Francisco, or the traveling roadshow coming through your town.
It may be at the restaurant around the corner.
Corporate security executives are beginning to favor exclusive, invite-only meetings where they trade ideas with other security bosses on how to protect business secrets, mainly as a way to fight the fatigue that comes from an onslaught of sales pitches.
Chief information security officers at Fortune 500 firms receive hundreds of sales calls, emails and LinkedIn messages every month from vendors hawking the latest technology promising to protect them from the next major breach. But many CISOs working 60-plus hours a week don’t have time to sit down to listen to a pitch and, when they do, the technology often fails to impress.
So they’re seeking out other CISOs for advice on which vendors can be trusted. These informal settings typically take place over lunch, drinks, by phone or in situations where they can speak freely. While it’s not new for CISOs to compare notes with their counterparts in other companies, the number of invite-only sessions is growing as the pressure on executives grows to get things right, said Dave Tyson, former CISO at SC Johnson.
“We all have a pool of people, including sales people and consulting people, that we trust,” he said. “And we all have a list of products that work for us, so we’re constantly getting information from each other and adjusting tactics based on that data.”
Those groups are distinct from the nonprofit, sector-specific Information Sharing and Analysis Centers (ISACs) which bring together practitioners from the public and private sectors. Instead, the private CISO groups often are regional and involve executives from different industries who all are located in a single area. (Scoop News Group, the parent of CyberScoop organizes small meetings of CISOs and CIOs from the public and private sectors.)
For example: the Wisconsin Security Leadership Council involved representatives from SC Johnson, Kohler manufacturing, Trek bicycles, and other companies based in the state. The group met on a regular basis to discuss GDPR compliance, ways of installing a network access control system and anti-phishing measures.
The Agora group, a Seattle-based group once made up of 100 companies, is perhaps the best-known early attempt at this kind of information-sharing, according to a 1998 New York Times article. At the time, conversations centered on “what the security obstacles are, how to tell when a virus is an emergency and how to keep pornography out of the workplace,” the Times reported.
Efforts have intensified in the 20 years since, with groups meeting in Atlanta, New York City and “throughout the country,” said Tyson, who now is the CEO of the consultancy firm CISO Insights.
There’s a new level of urgency for CISOs to make the right decisions in the face of a deluge of salespeople and pressure from higher up in the corporate structure, he added. That’s especially true for CISOs at traditional U.S. retail companies struggling to navigate the shift from brick-and-mortar to e-commerce shopping, he said.
“If [an organization gets] hacked tomorrow, they’re done,” Tyson said. “And the CISO is in the position of trying to do everything to stop that from happening. But the dirty secret of the industry is that management is trying to handle a broad range of risks, and the last thing they want to hear right now is that cyber is out of control, so they keep quiet about it.”
Jim Motes, who recently moved to Texas and took over security at GameStop, said he has joined an existing CISO council, where he said hopes to mirror the model of the Wisconsin Security Leadership Council. Peer relationships have been helpful for Motes in the past, when he was part of the Wisconsin group while leading Kohler’s security team.
In one case, Motes helped another CISO secure new connected devices that entered the workplace.
“A friend of mine was wondering what he could use for monitoring his factory security devices, and automation within his factory from a security perspective,” Motes said. “I basically told him about a product I’ve evaluated, and how the company could improve its security program.”
Other conversations have focused on implementing new firewall technology, or avoiding redundancy that sometimes comes when security pros invest in multiple products that do the same thing.
“I probably talk with other CISOs at least once a month, even if it’s just to bounce ideas off one another,” Motes added. “It’s about having conversations with people who can answer you honestly.”