As risks proliferate, it’s critical to shift the angle of the conversation to opportunity. If you can understand foundational risks and prepare for them, your organization can grow bigger and move faster. We sat down with Manju Mude and Terry O’Daniel, two Chief Information Security Officers, to discuss:
- Why it’s critical to partner with executives across the company so you can bring the full risk story to your board
- How to break down silos through visibility and transparency
- How AI will change the speed at which business transforms
Watch the full conversation and read the can’t-miss highlights below.
What would you hope cybersecurity professionals understand about audit and risk that would improve InfoSec as a discipline?
Terry O’Daniel (Chief Information Security Officer): “Frameworks offer the most beneficial structure where we can truly mitigate the most risk. That’s what audit and compliance teams bring to the table. When approaching risk with a framework as our foundation, we can consider what’s important. It may not be new, or sexy, but it’s critical. Think about the Verizon Data Breach Incident Report that’s published every year. For the past five years, the top attack vectors have consistently been misconfiguration, malware, and phishing. These are not new. These are not something that a security professional needs a high degree of technical expertise to solve. Frankly, they’re boring problems. But really, addressing them is the most impactful way to mitigate risk. So, taking an auditor’s view of ‘let’s look at risk across the framework’ helps security find places that may not be new or exciting but are where we really need to apply pressure to improve things.”
What is your vision of a successful compliance program?
Manju Mude (Chief Information Security Officer): “When I think about security and compliance, I don’t think of them as separate entities. I think it’s really about partnership. To influence others to care about risk, it’s critical to have the ability to partner with executives across the company. Different executives and company leaders all look at risk from a different angle, and it’s crucial to be able to collaborate when quantifying risks. That helps you bring the full risk story to your executives and board. You can do that by developing relationships where you can foster conversations about what risk means to your company, team, and overall growth. If you create opportunities where you break down those silos through visibility and transparency, it goes a long way. And those silos are things that have worked against us historically. Those silos are the reasons why some regulations even exist today.”
What excites you about AI?
Manju Mude (Chief Information Security Officer): “I am really excited about AI. I think it’s really changing the game, now that so many of us don’t have to do manual, repetitive tasks that we used to do. That helps me use time more efficiently and make effective decisions. This allows the business to move faster and make wiser decisions. I look forward to using AI every single day. I think we have to leverage AI responsibly, and it has to be done with the right amount of oversight. But AI will change the game and the speed of how business transforms over the next decade.”
Terry O’Daniel (Chief Information Security Officer): “AI has tremendous value in taking the vast bulk of human language that we have to parse and pulling insights from it. Think about the modern tech stack. It’s cloud-based. Often, it’s centered on using SaaS services and API connections to other companies. If you think about the job of security, it’s radically shifted from merely the assets we own and control. Security must focus on our connections to twenty, fifty, or a hundred different SaaS companies and cloud services or providers.
How do we make sense of that vast universe of risk? One of the ways we do that today is by manually reading SOC2 reports. That has a tremendous cost in terms of human hours; frankly, the value isn’t great. But if I can throw every SOC2 report I get from a vendor (or a potential vendor) into AI, I can get quick insights highlighting disparities between vendor reports and vendor practices. AI, and specifically large language models, allow us to look at natural language at scale and get quick insights from it. The most important thing risk can do is give us a roadmap of where to invest. That way, we reduce risks that could damage the business. Then, we can experiment and disrupt. If we focus on things that can hurt us, we can move faster and more freely in other areas.”