The changing supply chain landscape was a hot topic at the October 2019 FutureCon event in Boston, where Netscout CSO Deb Briggs hosted a fireside chat with Cisco CSO Edna Conway. Their conversation centered on the third-party ecosystem, which has created new complications for security professionals who understand their organizations are only as secure as their vendors and partners.
Briggs, who holds an MBA from Southern New Hampshire University, a CISSP certification and a B.S. in computer science from Massachusetts College of Liberal Arts, has led the cybersecurity program at Netscout for the past 15 years and previously worked at RSA. In her 20 years in the industry, she has witnessed fundamental changes and constantly evolving challenges.
Here, Briggs discusses her experience at FutureCon, third-party risk and the changes she has witnessed in her industry over the course of her career.
Editor's note: This transcript has been edited for length and clarity.
What is it like to work in the security sector, where enterprise threats never stop and new technologies are always emerging? How do you keep up?
Deb Briggs: I've been thinking about what kind of people are attracted to this role. For me, I think it goes back to my childhood and what I enjoyed. I loved hide-and-seek. I took my parents' box set apart because I wanted to see how it worked. I liked Stratego and Battleship and Connect Four. Cybersecurity is a lot like a chess game -- watching someone else's chess game, practicing it.
To get into cybersecurity, you have to be a certain type of person. I come in, and I may think I know what I'm going to do for the day, but the day can go sideways. You have to be agile and flexible each day and be passionate about learning how things work from a strategic perspective.
How have you seen the CSO role change in your years in the industry?
Briggs: It's really changed. Ten years ago, there were not a lot of us out there. Nowadays, most companies need someone whose job is information security. I think it's become a much more visible role, with a lot more responsibility and pressure. CSOs are now involved in some of the strategic outcomes of the company and are seen as educators of risk.
If you look back five to 10 years ago, risk was owned by IT security teams. Today, it is owned by the business. This is one of the things that can be difficult for people when they enter the role of a cybersecurity leader. The cybersecurity team does not own risk. We are responsible for educating people on it and understanding how we can mitigate risk. But, at the end of the day, it's really the company or business that owns that risk profile and accepts that risk.
How was your fireside chat with Conway at FutureCon? What was your reaction to her keynote address?
Briggs: Edna is a true visionary in the field. Years ago at Cisco, Edna was championing third-party risk and the global value chain and supply chain. In her keynote, she talked about how that has matured into understanding risk of the whole third-party ecosystem.
It was interesting to be the one questioning her during the fireside chat. She has a way of speaking about the complex third-party ecosystem. You don't have to boil the ocean, but you need to take a risk-based approach to that ecosystem. I told her someday she needs to write a book about the security in the third-party ecosystem for dummies -- for the rest of us.
How does the interdependence of third-party ecosystem components affect security professionals' responsibilities?
Briggs: It depends on the company you work for. If you're a services company, your ecosystem is made up of a lot of third parties, including people, policy, process and technology.
If you are a high-tech manufacturer, like Cisco, you have to think about everything from where you get your parts to where the distribution centers are and more. You have to protect every piece -- from the original circuit board, to the network parts and the bare metal. In Cisco's case, not only does it have to worry about network security, but also the threat of someone trying to produce a knockoff.
You have to think about not only physical security, but information security and people's security. You have to be tuned into what is potentially happening in your company. If there is a rumor about layoffs or a plant closing, how will that impact people? Big events in people's lives, like becoming parents, getting married or sending children off to college, can create susceptibilities and risk, too. You can get all the way into the finite details, but the most important part is to start with the things that have the highest risk to the third-party ecosystem.
What is your experience as a woman and a leader in a male-dominated field?
Briggs: I have seen changes. Five or 10 years ago, if I went to a conference, I was part of probably 1% of women attendees. I have seen it get up to 10%, but it has plateaued over the last two or three years. I don't want to say it is a surprise to me -- it is a tough field. I attended a conference last year, and I would never go back again. In my mind, it was not a safe conference for women. I can say that because I was sexually assaulted verbally. If I had a daughter, I would tell her that this is an incredible field and you'll always have a job, but you have to be a tough person in order to be in it.
In what ways has serving in the CSO role been fulfilling?
Briggs: I'm not sure how to put it into words. I don't know if it is unique in this industry, but because we're all aware of the shortage of talent, we're all reaching back. This is done by engaging students at high school career days, assisting Girl Scouts with their cybersecurity badges, organizing bring your kids to work days and making ourselves available to younger people when they ask to shadow us for the day.
People in cybersecurity know what is coming with the talent pool gap, and in response, there is action to reach back in those ways. I'm proud of the industry for that. Those engagements are very rewarding. It's great to see younger generations graduating from school with computer science degrees, IT degrees, cybersecurity degrees and witnessing them at the outset of their career path.
Any final thoughts on the FutureCon experience this year?
Briggs: In this industry, we all recognize that bad actors and the dark web make it easy for the people who are trying to attack us to work together and to pool resources. Within enterprises and within cybersecurity, we need to do more of the same -- sharing intelligence about the attacks that we're seeing.
Conferences like FutureCon that have great speakers, a handful of vendors and the opportunity to meet new people and learn about what they're seeing and doing are ideal. Those three things are what I'm interested in, and FutureCon did all that.
I am attending the Executive Women's Forum, a women-only cybersecurity event. There is expected to be 400 or 500 of us. I'm excited about this because, in my whole career, I have never been to an event that is women only.