Security Priorities and Strategies for Private and Public Companies

A CISO journey

Ryan Davis knows a thing or two about helping companies navigate their security journeys. With more than 15 years of experience in information technology and security, he leads and unifies corporate security strategy. He previously served as CISO and CIO at Veracode and is now CISO at NS1, an IBM Company. He joined Friends Friday to talk to Dan DeCloss about his personal journey in becoming a CISO and the lessons he has learned along the way. He shared his experiences as a security leader at both private and public companies and through multiple exit events. Watch the full episode or read on for the highlights.

A CISO Journey: Priorities and strategies for private and public companies

What’s one of the most important aspects of being a CISO?

Dan and Ryan kicked off the conversation by discussing the value CISOs can add to an organization and the critical nature of the role to every organization, public or private. They agreed that the security function having a seat at the leadership table is both more necessary and more common than ever.

Ryan said, “And I think more now than ever, CISOs are being afforded that spot at the table to be able to speak with not just the audit committee, not just the risk committee, but the entire board. And I think that’s really important, whether you’re a small privately held company or you’re a publicly traded one, having that communication, because what day goes by that there’s not some headline about somebody having a breach or some loss of data or whatever it may be, and the board needs to be apprised of where you’re sitting before those events so that they can be prepared to answer questions of investors and, quite frankly, the public when you do have an event.”

Do CISOs have different priorities at public versus private companies?

Dan asked, “Do you think CISOs at private companies have different areas of focus versus public? I’d be curious what your thoughts are there and maybe advice to those that are in that seat.”

Ryan replied, “The short answer is yes, there are definitely differences when you’re privately held versus publicly traded. When you’re publicly traded, there’s a tremendous amount of scrutiny, not just from regulatory bodies — the SEC and whomever else — especially if you’re in finance or health or whatever. There’s many regulatory bodies that oversee those different sectors, but you have the scrutiny of your customers ubiquitously right across the board. But investors as well are a much broader audience when you’re publicly traded.”

Accountability and visibility are much higher at publicly traded companies; therefore the CISO must be prepared for a high level of scrutiny. Additionally, the CISO must be much more aware that decisions and statements — and even personal social media, for example — can be interpreted as representative of the company. At public companies, the number of individuals with a vested interest is simply much higher than at private companies.

What CISO responsibilities did you not anticipate?

Dan continued by delving into unexpected aspects of the CISO role. He asked, “Have there been any responsibilities that maybe you didn’t anticipate? I mean, just in general as being a CISO, not necessarily public versus private. As you’ve grown in this, in the CISO role, has anything come up where you’re like, man, I didn’t actually anticipate this being part of my job or things that I would have had to worry about or focus on?”

Ryan responded, “Yeah, I don’t think I anticipated needing a law degree. I don’t think there’s any … well, maybe, I’m sure there’s probably CISOs out there that do, in fact, have a law degree. We spend a lot of time working with customers and third parties because in this day and age, it’s a risk conversation for everybody. And third party risk is probably one of the biggest challenges of my role and, quite frankly, of the industry at this point. And so having very strong relationships with the legal team is not something that I really — especially, you know, when you, as you’re working your way up, you know, in security — it’s something you’re kind of maybe not explicitly exposed to. But when you get to that level, there’s all of a sudden like, oh, we need you to make sure that we can agree to these terms and we’re going to be contractually mandated, you know, with a $5 million contract that has that much liability affixed to it.”

Dan said, “I think it highlights, too, you know, we always talk about, you know, as a good security professional, you need to be a really good communicator. You’re talking with lawyers almost all the time, and so being able to understand, help a lawyer who may or may not have a deep technical background, but being able to understand the risk or the impact that certain vulnerabilities or implications would have on the business. It’s just one more audience that you may not have anticipated that you really need to be able to communicate well with.”

Ryan agreed, “At the end of the day, right, my job is to still make sure that we can adhere to whatever we’re contractually committing ourselves to, whether it’s with a customer or a third party, and making sure with third parties that we have the appropriate protection measures in place that will be afforded to us.”

From your view as a CISO, where do you see the industry going?

Dan asked, “Where do you see the industry going? And what do you think that CISOs and security teams and stakeholders really should be keeping on the forefront, on the radar as the industry continues to evolve?”

Ryan said, “Well, let’s start with the elephant in the room, right? AI is the topic du jour. And I think for security professionals, it’s one you have to be thinking about in a couple of different contexts. One, what is the risk that AI presents to intellectual property. You know, folks going off and utilizing the Copilots of the world to generate code. But then secondarily, is that AI generated code secure?”

Ryan went on to say that while AI is obviously a huge concern facing everyone in the industry, including CISOs, it isn’t all risk. It also presents immense opportunity. “And so I think one of the big things that I try to talk to my team about, and certainly socialize with other CISOs, is where are the places that we can really use things like large language models to help us parse through data, because they’re really good at doing things like that, taking large volumes of data and saying what are the interesting things? Or show me things with these types of characteristics.”

How can the CISO leverage the security program during an exit event?

To close the conversation, Dan asked about acquisitions and going public: “And that’s the whole diligence process when going through some kind of either an exit event or like an M & A (merger and acquisition)? You’ve had a unique experience in being involved in that. I’d love to kind of get your take on it. Did that surprise you? Or, was there anything that took you off guard or like, just how important was the security posture and how important of a role did that play in the overall transactions?”

Ryan replied, “I think the biggest takeaway from all of it is when you’re about to buy something, whether it’s a $50,000 car or an entire company, you want to know the amount of risk that you’re taking on. And so the entire information security conversation as a part of a diligence process now is a pretty critical component. Of course, what your business performance is and how much debt you have and what’s the customer acquisition cost, and all of those things, of course, are the primary driver of the conversation. But the information security program is, of course, a huge component. More so than ever.”

Follow PlexTrac on LinkedIn for more engaging episodes of PlexTrac Friends Friday, featuring leaders across all aspects of the cybersecurity industry.