In a recent interview with Help Net Security, Sean Embry, the Chief Information Security Officer (CISO) at eBay, shared his insights on key aspects of cybersecurity leadership. He delved into the importance of balancing long-term strategic planning with immediate threat response, evaluating the return on investment (ROI) of adopting new technologies, and addressing cybersecurity fatigue among employees.
When it comes to balancing long-term strategic cybersecurity investments with immediate tactical threat response, Embry emphasized the need for a dynamic approach. eBay maintains a three-year roadmap that is updated annually to account for changes in the threat landscape, business priorities, and emerging technologies. This roadmap serves as a framework for developing specific annual plans that are aligned with the organization’s priorities. Additionally, eBay’s tactical threat response is managed round-the-clock and is continuously evaluated to identify gaps and opportunities for improvement.
In evaluating the ROI of adopting new security technologies and frameworks, eBay focuses on the problem or risk being addressed and its impact on business aspects such as costs, service availability, and customer trust. Proofs of concept are conducted to test assumptions, and feasibility assessments are carried out to ensure scalability and minimal impact on teams. Embry highlighted instances where implementing new security solutions not only saved money but also enhanced the customer and employee experience.
Addressing cybersecurity fatigue among employees is another crucial aspect of cybersecurity leadership. Embry stressed the importance of building a culture that prioritizes good security practices at all levels of the organization. eBay uses mechanisms such as virtual architecture teams, a Security Champions program, and regular stakeholder meetings to ensure that employees are included in cybersecurity plans and initiatives. Communicating and providing resources before implementing major changes play a key role in preventing fatigue and maintaining productivity.
Navigating the complexities of adhering to multiple cybersecurity regulations requires collaboration and support from all business stakeholders. eBay emphasizes teamwork and alignment across legal, IT, HR, and other units to ensure compliance with evolving regulatory requirements. Clear policies and standards are put in place to address cybersecurity regulations, and automation is used to detect and remediate security gaps efficiently.
For newly appointed CISOs seeking executive buy-in for cybersecurity strategies, Embry offers practical advice. He emphasizes effective communication and collaboration within the organization to understand the security posture and align it with business strategy. CISOs should be able to articulate the threat landscape, the risks, and the mitigating controls in terms of the company's risk appetite. Bringing both financial and non-financial metrics, such as customer trust and brand reputation, into the ROI conversation is essential for gaining executive support.
In conclusion, cybersecurity leadership requires a strategic yet agile approach to address evolving threats and challenges. By balancing long-term planning with immediate response, evaluating ROI of new technologies, addressing employee fatigue, and collaborating across the organization, CISOs can effectively enhance cybersecurity posture and ensure business resilience in an increasingly digital landscape.
