Field CISO Q&A: Joan Ross

By Fortinet | December 11, 2019

We regularly conduct Q&As with Fortinet executives to share their key insights and leadership perspectives. Below is an interview with Joan Ross, Field CISO at Fortinet, that touches on common challenges that C-level executives face, the future of cybersecurity, and advice for today’s CISOs.

You talk to a lot of C-level executives. What are a few common themes that come up as concerns – across industries, enterprise sizes, etc.? What are some of the common pain points?

Most organizations are in some form of transition, with their security investment, architecture investment, their key personnel, and sometimes, with all three aspects. As new visions, personnel, and infrastructure refreshes are implemented, understanding the most effective technologies that support their business, reduce their capital costs, and provide greater automation are common themes and concerns that organizations need to address – no matter the industry or enterprise size.

Are there any disconnects between CISOs and other business leaders within their organization that may be surprising to the security organization?

The first question I ask of any executive is to describe their strategy and their current challenges, and I listen carefully to their answer regarding their team playbook. For example, most of us are great Monday-morning quarterbacks at analyzing why our team won or lost a game. Andre Agassi tells of how he won eight tennis Open slams. He would hold center baseline court and hit the ball wide sideline to sideline, gradually wearing his opponent down – he may lose a set or two, but ultimately he conserved more energy to win the longer points. The same is true of security teams and cyber breaches. How and why are they breaking through defenses?

The disconnect I hear most is that executives often don’t view their security teams as the trained ‘prize athletes’ they really are. Many are working long hours using various tools to analyze logs and detect patterns with a dedication and loyalty witnessed by few except the team and the CISO. As a result, many understandably complain they are overtasked and put on other company busy work that takes priority over actual security duties. As part of any truly effective security strategy, however, investment in and retention of these important personnel must be critical goals in your strategy, along with equipping them with good tools and technologies that enable the team to focus and be successful. Know that every day they wake up and come in to stop potential breaches.

What does the future of security look like?

The future is more control and automation, eliminating the mundane tasks that are frequent sources of human error. We’ll witness DevSecOps – or as I like to call it, SecDevOps – providing feedback in sub-second real time in programming and code implementation. They will do this by utilizing neural networking and machine learning (ML) to analyze small segments and diverse cross-sections of code, malware, and back doors, and by using artificial intelligence (AI) to take action long before it gets to the production stage. Processes that currently require several stages to complete will be significantly reduced and streamlined with greater accuracy, and greater job fulfillment will be achieved by focusing on business application processes that improve life on this planet. For both economic and ecological reasons, more businesses will not only move to, but natively build for, the cloud, and those that have not been adept at security will partner with organizations that are to achieve greater privacy and protection of their customer and organizational data.

How does a security fabric approach protect customers in the future of security?

I view the Fortinet Security Fabric as analogous to Maslow’s hierarchy of needs for CISOs, but with slightly different headings more appropriate to achieving the goal of security and privacy as basic needs for organizations adamant to protect against attacks.

Applicability – First, a fabric can be applied to and cover all of an environment. Whether a company starts with one fabric-enabled device or many, it’s on its way to creating a diverse redundancy and fabric of security control that can stretch from the furthest, most remote and previously neglected access point to the most-used application system.

Visibility – Every CISO needs to see into every corner of the environment. And with a fabric approach, every device – even headless IoT devices – can be made visible, and user access to devices can be easily controlled by region, by application, by time of day, or however the organization deems fit.

Extensibility – Most organizations are heavily invested in millions of dollars of security tools, and Fortinet, our partners, and API networks can help extend this investment to maximize return on investment and reduce cost of ownership.

Control – Once a CISO has visibility, they need to control what happens on the network – whether it’s validating maintenance procedures, change control effectiveness, new release activities, or advanced implementation features performing to expectation. Fortinet technology, such as user and entity behavior analytics (UEBA) and FortiDeceptor technology, offers greater control, automation, and advanced concepts to better observe and understand the usage, behaviors, and alerts on an organization’s networks.

Cloud – If security visibility into the cloud has languished behind that of the enterprise, it’s time for a technology refresh. With a few simple investments, an organization can control access to come only from authorized work domains, implement two-factor (2FA) or multi-factor authentication (MFA), restrict transfers, approve and secure new VMs, and so much more – all from the proverbial single pane of glass management and control console.

Is there any specific advice that you find yourself sharing most often in your discussions with other CISOs and CSOs?

Take the time to meet and talk with other CISOs. Don’t work 24 hours a day – it’s not all on you. Your executive team shares the security responsibility, as does everyone in your organization. Lift your head up and take a meeting to see what new technology is out here, and realize you are one of the good guys and gals. Let’s get more of us into the profession, especially minorities and women!