Jul 8, 2021
On this Episode of The New CISO, Steve Moore is joined by special guest Mark Ferguson, the CISO for a cyber security company Bombardier. They discuss roles of a CISO in cybersecurity and the strategies involved in dealing with breaches and building teams.
Moving to Canada
Originally from Scotland but now residing in Montreal, Canada, Ferguson shares some background on where he has lived in the past and the process of moving to Canada. Ferguson expresses his excitement of experiencing Montreal when it becomes more open. He has been taking some French classes to become better acquainted with the language.
Ferguson has been able to travel often and live in many places for his job. Opportunities to relocate have been present multiple times throughout his career. Ferguson advises taking opportunities to relocate for a career. He has moved to the United States, to Poland, and now to Canada. He enjoys the experiences of new places. Moore discusses how relocation may be less common in companies based out of the United States.
First CISO Role
Ferguson reflects on the decision to become a CISO. He honestly admits that some days it can be exhausting and doubts can arise. There are good days and bad days in the role. At the end of the day, he knows he is capable of solving any problems that arise. The role brings a lot of diversity.
Getting to be a CISO/4 Pillars
How did you get to the point of being a CISO, Moore asks? Ferguson says he had a great mentor and was able to help identify his assets. Getting things done and strategic planning are important as well. The four main pillars of strategy are.
1). Educational awareness
2). Strong Identity Management/Data Security
3). Strong basics of IT management and maintenance
4). Using agile technology
Building a program & Facing Challenges
You have to know what players you need to make things work. Building strong relationships is important and will assist with the aspect of vulnerability management. It can be a challenge to identify where problems lie and explaining the problems can be a challenge as well. Ferguson notes these are things he still actively is working on.
Moore notes that the CISO position can be nearly impossible at times. However, others pulling their weight in the company is essential. IT systems are extremely complex and joining everything to work as one can be difficult. This is, realistically, not a simple problem to solve.
Breaches with assets could be a big detriment to the company. Holding people accountable and working together is one way to avoid these breaches. Running audits is time consuming, but important to keep everything in check.
Best parts of the job
Ferguson shares some of the best parts of his job. One of his favorite things is building great teams. Finding great people to work with is very rewarding. These people don’t have to be perfect, but finding what makes them an asset to the team is great. Inevitably, these team members will come and go, but developing great teams is one of the best parts of the CISO role, says Ferguson.
Breach Response Plan
One of the first lessons to learn is that a cyber breach is not a cyber security problem. Ferguson mentioned that they recently faced a breach, and there is a lot to learn from the situation. This occurred at a critical time. They assumed the breach would be coming from the bottom up, however it was at a more executive level. Their team learned about internal response from this.
A good response to a breach is having the right people involved in the situation. A business team to be involved in the response is important because it is a business problem. Quickly building out this team is very important. Making sure everyone knows what the problem and objective are is essential.
Once a breach occurs, there is a lot of responsibility involved. People often don’t understand the size of this responsibility until it occurs. With the right culture and leadership, response will occur more smoothly.
Important response tactics are
Communicating with the
Ferguson states that this is one of the most important ways of responding to a breach. Notifying the customers off the bat is necessary. How do you notify them? Ferguson shares how he approached communication. Turn to key stakeholders first and listen to others as well during the process. Having conversations will be time consuming but will ultimately go a lot further than sending an automated message. Many people will want to speak with the people directly involved because it gives them confidence with the answers they are receiving.
Ferguson shares how this has helped him to grow as a leader. He was balancing a lot at the time of the breach so it forced him to test and extend himself to tackle the series of events. He now has a new capacity he can operate at. Real life experience is truly the only way to learn a situation like this.
Ferguson also notes he is not always going to be the smartest person in the room, although that is the expectation of the CISO. Being ready to handle this challenge is important when taking on this role. Be sure to convey confidence when coming up with a plan. Working through challenges grows us professionally.
Being a new CISO
What does being a new CISO mean to Ferguson? A key piece is being the crisis manager. Managing many things successfully can be a challenge, so managing these crises is a large part of being a CISO. Having a high stress threshold is a necessary skill, as well.