
the Chief Information Security Officer and Head of IT at Cohesity
Brian Spanswick, currently serving as Chief Information Security Officer (CISO) and Head of IT at Cohesity, brings two decades of valuable experience in overseeing IT and cybersecurity divisions within dynamic, high-growth enterprises. He has also offered consulting services to prominent global blue-chip corporations. His leadership plays a crucial role in advancing the fundamental functions of the business, expediting digital transformations, and establishing robust cybersecurity measures to protect company, customer, and employee data.
Before joining Cohesity, Brian oversaw Risk and Information Protection at Splunk, where he led and significantly expanded the team responsible for managing cyber risk throughout the company. Brian’s previous roles include spearheading the digital transformation of core business operations at McKesson and Grainger. He earned his BA in Economics from the University of Colorado.
CIO World Asia had the honour of conducting an interview with Brian Spanswick. This interview aimed to delve deeper into the life and responsibilities of a CISO.
A Day in the Life of a CISO
Brian Spanswick’s day typically begins early due to managing a remote team spread across multiple countries. Over time, his responsibilities have expanded to oversee not just the IT Infrastructure, Business Applications, and InfoSec teams but also the Central Analytics and Indirect Procurement teams. Collaboration with each team lead remains crucial as they collectively focus on pivotal initiatives and address ongoing challenges.
His role entails increased engagement with customers, especially since his IT and InfoSec teams utilize the company’s products. Engaging with customers involves discussions on enhancing cyber resilience strategies and meeting security objectives. This customer interaction offers valuable insights into diverse approaches to securing organizations and aligning with the goals of business partners.
Moreover, Brian plays a key role in collaborating with the Product team, offering the perspectives of a Chief Information Security Officer (CISO) and Chief Information Officer (CIO). He actively contributes to shaping product development and innovation roadmaps, closely supporting ProductSec efforts to ensure the security of the Software Delivery Lifecycle. This involvement ensures that products meet the required security standards demanded by customers.
Differentiating CIOs and CISOs
Traditionally, the role of the CISO has centred on auditing the security posture of the organization and ensuring that IT functions adhere to security policies and standards. In contrast, the CIO’s role has primarily revolved around providing IT services to support business operations. At the operational level, security teams typically focus on preventing cyberattacks, while IT teams concentrate on data protection, such as backup and recovery.
However, in the face of the escalating threat of cyberattacks, organizations are reevaluating and reshaping the relationship between IT and cybersecurity, both at the operational level and within the C-suite. Today, CIOs and CISOs share a common objective: delivering IT services securely in alignment with business goals.
In the pursuit of constructing a comprehensive cyber resilience strategy, businesses must unite these two domains. Failing to do so carries significant business risks and leaves organizations vulnerable to malicious actors.
Unconventional Daily Practices for Sustaining Energy and Focus in a Demanding Role
Brian, an introvert, channels his passion into his work, though it often drains his energy. To recharge, he invests ample time in quieter pursuits such as playing golf, attending rock concerts, and diving into reading. These activities not only keep him engaged but also serve as a means to replenish his energy.
Additionally, Brian initiates his day by crafting a personalized soundtrack from his extensive record collection, carefully selecting 5-10 records that will dictate the day’s ambiance. This morning ritual not only structures his day but also prompts him to intermittently rise and change the record, reminiscent of a cherished childhood routine. This simple yet nostalgic act provides Brian with a source of profound contentment amidst the bustling routine of daily life.
Key Challenges Faced by the CISO Role
Brian emphasizes a critical challenge in the InfoSec domain—prioritizing investments to safeguard against evolving cyber threats. While fundamental security measures like patching, encryption, and network segmentation remain crucial, the ever-increasing efficacy of attackers necessitates additional strategic investments. These must not only protect assets but also mitigate potential impacts in case of a breach.
Another pressing issue surfaces as businesses embrace AI, ML-powered tools, and large language models. Brian acknowledges their immense potential but warns about the inherent cybersecurity risks. Integrating these innovations without exposing organizations to severe vulnerabilities requires careful management. Striking a balance between leveraging these capabilities for business growth and minimizing associated risks presents an intricate challenge.
The core dilemma revolves around aligning cybersecurity imperatives with overarching business goals. Organizations are adopting a risk-centric approach to information security, customizing security measures based on their risk tolerance. The crucial factor lies in translating cyber risk into terms that resonate with business objectives.
In the sphere of cybersecurity, the traditional risk calculation factors in “likelihood” and “impact.” However, for better synchronization with business partners, it’s advantageous to redefine “likelihood” as the probability of an event occurring within a year, paired with expressing impact in monetary terms. This refined risk assessment approach facilitates business-centric decision-making, allowing for comprehensive evaluations of potential investments.
The Path to Becoming a CISO
Brian’s academic background lies in Economics, and although his fascination with technology persisted, his true passion lay in unraveling intricate problems. Over time, as he delved deeper into the realm of technology, he recognized a prevalent challenge within the IT and InfoSec sectors: the need to showcase their contributions to overall business success. Drawing from the critical thinking skills honed through Economics, Brian attributes much of his success in delivering robust IT and Security services to this approach.
Reflecting on his journey, Brian notes that the role he currently holds wasn’t a possibility during his schooling years in the 1980s. Moreover, he has observed a significant shift in InfoSec, transitioning from a focus on compliance and audits to a fundamental pillar of business operations within the last five years. With the rapid advancements in AI, ML technologies, and sophisticated cyberattack methodologies, Brian underscores the paramount importance of possessing critical thinking skills in the InfoSec domain.
Simultaneously, Brian contemplates the present era, heralding it as an exceptionally thrilling time to be involved in technology and cybersecurity. Businesses now rely more than ever on these disciplines, with the landscape evolving at an unprecedented pace and stakes reaching new heights. For Brian, the allure lies in the sheer excitement of these fields amid such transformative times.
“Have a strong, informed perspective that drives direction and alignment, but don’t be afraid to evolve that point of view as new information presents itself or as situations change. To be successful in a C-level position you need to have the strength of your convictions and the humility to evolve as situations change – and they always do.” – Brian shared his insights when queried about advice for aspiring CISOs and newcomers to the tech industry.
