Tech Journal CXO Corner: The Evolution of Cybersecurity and the Role of the CISO

Q&A With Arun DeSouza, CISO and CPO, Nexteer Automotive

By Insight Editor / 13 Sep 2021 / Topics: Hybrid workforce Featured Cybersecurity

Listen to a deeper conversation with Arun DeSouza in this TechTalk.

The large-scale migration to remote work redefined the threatscape for cybersecurity leaders everywhere. Now, more than a year later, many are still trying to identify and close potential security gaps, while staying one step ahead of cybercriminals. We wanted to know, what role does the Chief Information Security Officer (CISO) play in this constantly evolving, cat-and-mouse game of threat detection and prevention? We sat down with Arun DeSouza, CISO and CPO for Nexteer Automotive, to find out.

What’s your role today? How has it evolved and where do you see it going?

I’m the Chief Information Security and Privacy Officer (CISO & CPO). I pioneered an integrated global InfoSec and Privacy program, developed a long-range strategic roadmap linked to business objectives and built a strong team from the ground up. I’m responsible for the delivery of multiple services, including but not limited to:

Strategic planning
Identity and access management
Incident management
Privacy management
Risk management
Governance and standards
Security operations
Training and awareness

The CISO role has evolved significantly in this decade. Depending on the risk appetite and scale of digital transformation in organizations, the CISO role now spans across some or all of the following personas:

Technical
Business aligned
Risk focused
Transformational

When I started my career as a CISO in 2003, I was spending most of my time in persona one above. Currently, my role spans personas two through four. The convergence of security, privacy and enterprise risk also offers potential for CISOs to become Chief Risk Officers (CROs) of organizations going forward.

Cybersecurity is top of mind for IT and security professionals today. Why is cybersecurity so challenging right now?

The winds of change are blowing through today’s workplaces. Macro trends such as Industry 4.0 and distributed work require companies to enact and accelerate digital transformation powered by the cloud. Technologies such as Artificial Intelligence (AI), blockchain, edge computing, the Internet of Things (IoT), autonomous vehicles, robotic process automation, etc., are helping to foster innovation and competitive advantage.

The security and privacy risk nexus of the IoT brings a unique set of challenges. Nation-state hacking and supply chain threats are also major factors in the evolution of cyber risk.

Cybersecurity Ventures projected there would be 3.5 million open positions by the end of 2021. Thus, companies are not able to staff up appropriately with the highly skilled resources needed to protect the enterprise. Ultimately, the exponential rise in security threats and the acute shortage of InfoSec resources makes these very challenging times in cybersecurity.

Some IT leaders have argued that IT spending is being wasted on cybersecurity that supports remote work. Yet, the workforce is demanding “anywhere work” flexibility. What are your thoughts on this?

Remote or distributed work is here to stay. There’s a paradigm shift underway due to:

Flexibility and work-life balance: Many employees enjoy this feature, especially if their daily commute is significant.
Talent acquisition: Companies can leverage distributed talent and hire the best people. In many instances, this allows both parties to make a win-win arrangement.
Executive buy-in: Companies like Twitter have embraced this trend and are enabling their employees to work remotely indefinitely.

As a CISO, I believe I should help enable the business. Given the above trends, it’s now par for the course. Further, the trifecta of identity, Zero Trust and software defined perimeter power seamless access to “anytime, anywhere, authorized” access to digital applications and services.

How do you think security will evolve in response to trends such as anywhere operations and edge computing?

I believe that adoption of Zero Trust will accelerate. Dynamic threat protection will be further propagated by security providers banding together in alliances and tightly integrating their platforms to strengthen Zero Trust. One such example is the Spectra alliance between Okta, Proofpoint, Crowdstrike and Netskope. Another example is the Zero Trust alliance between ZScaler, Cloudflare and Sentinel One. This trend benefits enterprises and providers. I expect that this trend will grow. InfoSec professionals will also band together to share best practices via organizations like the Cloud Security Alliance.

Nexteer Automotive received the 2021 CSO50 Award from IDG. The award recognizes security initiatives that demonstrate “outstanding business value and thought leadership.” Your project was NEXTINTRUST. Can you tell us about it?

This is the second CSO50 award for Nexteer during my tenure — our first was for identity lifecycle management. Our 2020 award was for the thought leadership and deployment of an IoT security platform in our manufacturing plants. This platform enables:

Device visibility
Policy definition
Behavior and risk analysis
Enforcement of policies and standards

As Nexteer embraces digital manufacturing to increase efficiency and optimize operating costs, there’s been an explosion of IoT devices on the plant floor. Further, more and more of our home devices are becoming internet connected. The exponential proliferation of IoT devices and immature security practices make them targets for attack.

Key CISO guiding principles for Nexteer’s IoT security deployment are as follows:

Characterize – Identify and classify assets and stratify them by business value and risk.
Demarcate – Implement network zones with a clear demarcation between IT and OT networks.
Understand – Visualize and identify threats and vulnerabilities across networks inclusive of devices, traffic, etc.
Unify – Control access by users and devices across both secure wireless and wired access.
Adapt – Leverage Zero Trust to enact adaptive control schemes in real time.
Converge – Develop explicit, third-party access and risk management protocols, including Privileged Remote Access. These are particularly relevant to OT networks to strengthen the security architecture.
Beware – The following root causes have led to IoT device security issues in the past:
- Static credentials embedded in the device
- Lack of encryption
- No software updates
- API security gaps

The IoT security platform enables visibility to all devices on the manufacturing network. It allows us to identify device posture in real time, detect embedded threats and drive proactive control strategies. This enables enterprise risk management and strengthens cybersecurity.

IT talent, particularly for cybersecurity, is in high demand and short supply. How is your team designed for success?

My first step was to build a detailed services and competency framework with the skills needed for each role as well as a strategic hiring plan. We periodically review and update this framework. It can also be used for career pathing and succession planning.

Further, I employ the following steps and strategies to manage and develop talent:

Define an appropriate mix of in-house and outsourced services.
Conduct cross training across service tiers.
Utilize managed services.
Leverage training and development and succession plans.
Negotiate cost savings to “self-fund” key roles.
Develop a “grassroots” talent pipeline (students and co-ops).
Identify talent early and strengthen the pipeline.
Build affiliations with industry groups and universities to identify interested talent.

I’m also pleased to say that my team is diverse, with 50% men and 50% women. This has also helped drive synergies and creativity.

What’s been the most profound executive decision you’ve made as a CISO?

Early in my CISO career, I was on the cusp of enacting a global network and security transformation. I worked hard to build a strong business case and payback to illustrate the value. However, times were tough. The board cut, so my budget was reduced, and I was still asked to lead and complete the transformation.

I embraced what I now call “the power of federation.” I reached out to all the key partners for help and found win-win strategies. I obtained significant discounts for professional services. For software, I consolidated contracts in the U.S., since our budget was euro-based, allowing us to benefit from the exchange rate. Ultimately, we finished the project under budget.

We saved significantly on operating costs, strengthened enterprise security, enhanced network quality of service and consolidated servers. The project inspired multiple case studies and resulted in a Network World All Star award.

Essentially, the most profound executive decision I made was to ask for help and not quit. I learned early on that building strategic, trusted partnerships and strong business relationships can be a great asset to all parties.

Want to learn more from IT leaders like Arun DeSouza? Browse our full CXO Corner collection, featuring thought leaders from Westerra Credit Union, Google, Ignite Brewing, VMware and more.

About the contributor:

Arun DeSouza

Chief Information Security & Privacy Officer at Nexteer Automotive

Arun DeSouza is currently Chief Information Security & Privacy Officer at Nexteer Automotive Corporation. He has extensive global IT and security leadership and organizational transformation experience, including as CISO and CIO. He is an expert in strategic planning, change management and risk management.

Key takeaways

Follow these guiding principles:

Embrace change fearlessly.
Build and maintain trusted partnerships.
Manage priorities effectively.
Foster a culture of respect and trust.
Leverage communication and relationship management.
Differentiate requirements from “desirements” in projects.
Manage stakeholder expectations.

These ingredients are key to success:

Collaboration and communication
Envisioning and storytelling
Program management
Negotiation and vendor management
Strategic cost optimization

Explore this issue

Article All-In: Facing Down Cybercrime With a Fold-Proof Strategy Image

Tech Journal All-In: Facing Down Cybercrime With a Fold-Proof Strategy

Article Cloud + Edge: The Innovation Equation Image

Tech Journal Cloud + Edge: The Innovation Equation

Article Prepping for Your CMMC Audit: 5 Questions to Guide Your Compliance Journey Image

Tech Journal Prepping for Your CMMC Audit: 5 Questions to Guide Your Compliance Journey

LinkedIn Live LinkedIn Live: The Ideal Lifecycle Experience

Solution brief Azure Solution Assessment

Video The Making of Penn One

Solution brief Cisco Hybrid Work Experience

Ad: TechTalk: Real conversations. Quick Insights. Listen

Article CXO Corner: For Business Leaders, Possibility Is in the Partnership Image

Tech Journal CXO Corner: For Business Leaders, Possibility Is in the Partnership

Article Leadership Roundup: Our Favorite CxO Advice to be a Better Leader in 2023 Image

Tech Journal Leadership Roundup: Our Favorite CxO Advice to be a Better Leader in 2023

Article CXO Corner: Danny Allan, CTO & SVP of Product Strategy at Veeam — The Audacious Ambitions of an Idealist CTO Image

Tech Journal CXO Corner: Danny Allan, CTO & SVP of Product Strategy at Veeam — The Audacious Ambitions of an Idealist CTO

Article CXO Corner: Dan Groves, VP of IT for Westerra Credit Union - Disruption is Part of the Journey Image

Tech Journal CXO Corner: Dan Groves, VP of IT for Westerra Credit Union - Disruption is Part of the Journey

Narrow your topic:

CXO corner View all focus areas

All keyword categories: Article Tech Journal Hybrid workforce Featured Cybersecurity Fall 2021 Manufacturing Connected Workforce CXO corner Cloud + Data Center Transformation

Menu