Cybereason CISO Interview Series: You can’t do security in a bubble

September 13, 2017

Some security leaders intentionally keep a low profile and would rather operate behind the scenes. Sue Bergamo, who balances the roles of CISO and CIO at digital commerce, content management and marketing software company Episerver, doesn’t fall into that camp. Security, she said, can’t be carried out in a bubble.

“If you are trying to stand alone and have all of the answers, it’s the wrong path to take,” said Bergamo, whose career includes serving as a CIO three times. Security executives should be sharing ideas, since that makes them better leaders, she said.

In addition to sharing ideas, Bergamo, who’s also worked at Microsoft as a global technology strategist, encourages her colleagues to give back to the technology and security communities by mentoring and helping others network.

“People in the security industry shouldn’t be on the market for a long period of time -- especially if they have skills that are relevant. So for those of us in a leadership position, please give back and help these individuals network to find roles because we can all use more resources,” she said.

You're Episerver's CIO and CISO. There seems to be a perception in business that CIOs don't understand information security and CISOs don't understand that they can't halt every use of technology because of security concerns. How do you balance both roles?

My peers in the industry like to chide me and say that I’m conflicted; the CIO needs to keep production up and running and the CISO needs to protect it. My answer to them is always I know exactly what I’m doing and I take their chiding in jest.

Every CIO needs to have knowledge of security. Ultimately, they are responsible for the production of corporate assets, and it’s not just about protecting them. It’s about making sure that these assets are available to keep the company not only safe, but also up and running. There is no longer a dividing line between the roles; it really has to be one and the same. You have to be aware of what’s happening in your environment.

What makes this position your dream job?

What makes this role amazing is that I absolutely love the commerce and digital marketing industry. It folds into what I was doing prior to going to Microsoft and then, at Microsoft, with a focus on the cloud and security. It’s great to have the opportunity to be a CIO again, and being able to dovetail all of these skills with security.

Could you talk about the career path you followed?

I think very purposefully and thoughtfully, so years ago, I started watching the security landscape. I had the role within my department as a CIO, and then I took it up another notch and started getting even more involved in the industry. To have the opportunity to have both roles within one company is just incredible. For me, it’s about watching what’s happening and being a part of the wave instead of letting the wave hit you like a tsunami. I’m good at watching that next wave and it worked out.

Your career includes three tours of duty as a CIO. What attracted you to the role of CISO?

I absolutely love security. I’ve been involved in a master’s program in cyber, and I’m just about finished. To have the opportunity to bridge the two roles was an exceptional opportunity for me. I’ve been cloud focused for a long time, and I don’t think it’s a secret that I worked at Microsoft.

At Microsoft, I was involved with Azure [Microsoft’s cloud computing platform] and security, so I had a lot of opportunities to speak with customers about the cloud and how to protect and be secure in the cloud. I also worked with customers on different compliance and regulatory initiatives. Having this opportunity to be both CIO and CISO was just a dream come true. Everything just aligned for me, and it was in the right industry with the right company. I’m pinching myself every day.

How can security executives balance security and innovation?

I wholeheartedly believe that, in the security industry, we are seeing a lot of innovation. If you look at some of the advanced technologies that are out there with AI, machine learning and the recognition of patterns through advanced analytics, we are innovating. Technologies like IoT are getting a bad rap, but we have to figure out how to bring innovation into the workplace and make sure that it’s within a protected environment.

There are various ways to protect an environment, whether it’s an R&D environment or a production environment; we just need to make sure that we understand what we’re getting ourselves into. There are all kinds of vendor technologies that will help us to protect some of these newer, innovative technologies. That was kind of a round-robin answer, but you need to make sure that you’re not introducing something that’s leading edge for the sake of it being leading edge. It needs to have a purpose, and it needs to be in a secure environment.

How can the CISOs and boards work better together?

I think I’m going to go back to the basics on this question. I can’t imagine at this stage, with what’s been happening across every industry, that the board would have their head stuck in the sand and say, “Well, it can’t happen to us.”

CIOs have to have an incident response plan. You just have to have one. There’s no question about it anymore. You can’t wait until a breach happens. You have to take it from the standpoint of a breach has happened. When it happens, you can’t start by saying “Now, what are we going to do?” Make sure you’ve lined up and have the necessary resources that you’ll need before it’s too late. Get prepared, and make sure everybody understands the reasons why you need to be prepared. Don’t wait.

What key elements should an incident response plan have?

A good incident response plan has all the internal and external resources that you’re going to need to bring in. The list starts with internal development and infrastructure personnel, and includes customer communications. Depending how big the breach is, it could be forensic experts, attorneys and law enforcement. I counsel people on this, so this is very near and dear to my heart. How will you protect your brand when a breach occurs? Again, in that incident response plan, you have to understand what constitutes an incident. Is it just an event, or is it a major incident? Then there are different paths that you’re going to follow depending on the size and the magnitude of what’s happening to your company.

If you wait until a breach happens, then you’ll be in reactive mode, and you may not think about all the different nuances in areas that you’ll need to consider. If you have a well-thought-out plan, then you literally take the plan off the shelf and start executing. This is why it’s important to create a plan when you’re not in reactive mode, so that a purposely prepared incident response plan can be put together. That should at least give the board a comfort factor that as the CIO or the CISO, you’ve thought about how to protect the business, the brand, the revenue, the market share and that they can put their trust in you to have figured this all out ahead of time.

It sounds like CISOs are doing much more than network security and putting up firewalls. Their duties now include figuring out how security enables and helps the business.

Technology is just something that I have to think about and know about. For me, it’s all about the business every single day. It has to be about the business. The CISO role, in my mind, is not only business and technology, but it’s also, what are those external threats that you need to be aware of? Make sure that you’re protecting the corporation and assets against those threats.

How can CISOs better align information security departments with the business’s goals?

I think the answer is to listen. Your internal customers have a lot of things going on: market segment, increasing revenue, increasing foothold in the industry. I could name 10 other things. They’re always looking for that next way to enhance and increase the business overall. We have to be cognizant of what they’re doing and give them guidance. In some cases, it may be a directive, but in my mind, it’s more to offer guidance while they’re out there trying to grow a business. The CISO needs to help protect what the business is trying to do.

I think we have to look beyond just the tech, and be aware of what other security issues could impact the business. Maybe it’s compliance or a regulatory certification. Maybe we’re going to start doing business in a nation that has issues around security or do business with a country that has privacy laws that you need to adhere to. It’s being aware of both sides of the spectrum, both positively and negatively. Companies have policies, so how do we take the policies that we’re adhering to and make them a part of our lives so that it’s not an afterthought but rather a part of the process?

What soft skills do CISOs need to succeed?

We need to be transparent, and what I mean by that is be open to discussions. Even if they’re not favorable discussions, you still have to listen to the business needs. If someone comes to you and says, “Your firewall rules are prohibiting me from doing business,” listen, and then make a determination as to what you want to do by being both transparent and communicative.

We also have to be relevant with knowing our craft, by being able to understand the external threats that may try to come into our environment. Collaboration is key and a willingness to be supportive helps. The business doesn’t want to be inhibited or prohibited. They expect the CISO to find real resolutions to help them grow the business, so you can’t just stick your head in the sand and say, “This is the way it’s going to be.” There may be times you have to do that, but if you look broadly, you can always try to find a resolution that’s helpful and supportive.

The CISO may also need to play the role of mediator or diplomat and not automatically say no to every project.

I think CISOs have a little bit of that reputation. But if you go in with an approach of collaboration and transparency and if there’s a reason to say no, make sure that everyone understands the reason. If there’s a different approach that you can use to resolve a business problem, then go ahead and do the research, and figure it out. If you just say no, you’re not going to have your job very long.

The tenure of some CISOs does seem pretty short.

Again, it’s in the approach. You have to be open and willing to work with the business areas. When I see people lose their positions, it’s for one of two reasons: economic downturn, which equates to a business downturn, or they probably said no an awful lot. It’s just not helpful at all.

Why aren’t CISOs more transparent, good at listening or better at communicating?

I’m going to give you an interesting perspective for an answer. I know a lot of CISOs who are very ambiguous on purpose. They don’t have a profile. They’re not relatively known in the industry. They’re the super sleuth behind the scenes. I’m not degrading them for their persona or their approach. I think everybody has a different mode and method of operation.

I’m more open. I’m not going to give you trade secrets about my company’s security program, but my approach is open. I want to be known in the industry. I want people to come to me and share ideas. I believe that this approach will make me a better CISO, and I think it’ll help Episerver in the long run. I don’t have all the answers, so I have to rely on our broader team, and that includes me.

I completely believe that we should be sharing ideas. I’ve been to many conferences and seminars and private groups and one-on-one discussions. We do share information, there’s no question about that. Some of it’s more private than other discussions, but again, the industry is changing so rapidly. The technology is changing. The threats are changing constantly. You can’t do it in a bubble. If you are trying to, it’s the wrong path to take.

Do you have a mentor? If you do, what should security leaders look for in a mentor?

I have someone in the industry who’s been my mentor for a while, who’s well-known and has a broad set of career experience. It depends what you’re looking for in a mentor. No matter what, you should have someone to bounce ideas off of and to provide a different perspective. I mentor a lot of other people. I mentor up-and-coming executives and I even have a new grad that I’m mentoring. I think it’s a good way to give back and, again, gain different perspectives.

The new grad is interesting for me. I’m a seasoned vet, and to have the perception of a young person who’s in security and recently graduated from a security program is wonderful. We all need to be well-rounded and gain different ideas and perspectives.

As a seasoned vet, what advice would you give to people who are just starting their security careers?

Be aware of what’s out there. Know your business. Know the pain points. Know the threats in the industry. You have to constantly be aware. It’s a tall order, but again, the business is relying on you to solve their pain points.

Don’t be afraid of technology. There are wonderful technologies out there to help you mitigate risk. If your local network administrator is responsible for security, reading logs, dealing with the firewall, then they are doing way too many jobs, and if that’s your security program, then give that local network administrator some help. There are plenty of companies and technologies out there to help you minimize your risk. Not one person can do it all alone.

How can an information security department demonstrate ROI?

I’m going to go back to the mitigation of risk. If we’re mitigating risk throughout the business and allowing our businesses to grow, again, proactively, I think that the ROI will prove itself. Let’s talk about spamming and phishing as an example. CEOs in corporations throughout the world are one of the most targeted roles out there. Whatever you can do to protect the CEO from phishing and spamming expeditions is an easy one, right? It’s something that we should all be doing. If they are hacked and, unfortunately, somebody gets into their email and pulls confidential information from their inbox, the ROI is going to show itself pretty quickly.

Again, we can go back to technology. Protect what matters and make the business case for why you need it. If the business is protected, then you’ve done your job, and the ROI is there.

What else can CISOs do to be successful?

Give back to people in the workforce who are trying to get into technology, be it the new grad or the older worker that’s looking to stay employed. Join organizations. Help people network. Be aware of the fact that, in this technology environment, everybody talks about the fact that we can’t find adequate resources who are skilled and have expertise and these individuals are out there. It’s in the information technology and security areas. People in the security industry shouldn’t be on the market for a long period of time -- especially if they have skills that are relevant. So for those of us in a leadership position, please give back and help these individuals network to find roles because we can all use more resources.

What are some effective ways for people to give back?

I help people network. You’d be surprised what effect a conversation will have. We all have people in our network who need something, so be mindful. Reach out. Be open to conversations because you never know what someone is going to need or what you’ll need one day, so constantly network and be aware.

How has the information security landscape changed either technically or philosophically since you became involved in technology?

Mine has been a fast-paced career from the beginning, so I’m constantly watching out for newer technologies. I don’t lead with a new shiny object. Rather, I like to stay leading edge, and make sure that I’m aware of what’s happening in the landscape. You have to understand what your business is trying to do. Don’t just bring technology in for technology’s sake. Understand what the problem is, and then try to resolve it with the best means possible.

And sometimes it’s not a technical solution, so awareness, relevancy, watching the landscape are all important. You can’t know everything about every single product that’s out there, but when a business issue comes along, do the research. Get educated as quickly as possible, and help the company make good decisions about the technology that they want to bring in.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.