CISO Success Story: Evolving From Breaches to Business Strategy
Stratascale’s Joseph Karpenko explains how cybersecurity leaders are stepping beyond technical domains to become strategic partners – bridging risk, revenue, and resilience in the face of rising threats.
If you’re a chief information security officer (CISO) thinking your job is to prevent breaches, you’d better start shifting your mindset. You should be thinking of yourself as a risk manager and a “translation bridge” to senior management.
That’s according to Joseph Karpenko, CISO at Stratascale, a North Carolina–based cybersecurity services company. As the threat landscape grows more complex, he says, cybersecurity leaders need to think like business executives who are managing legal risk, protecting revenue streams, and driving resilience in the event of a breach.
Karpenko, at Stratascale since 2021, has nearly three decades of experience advancing cybersecurity initiatives and strengthening critical infrastructure at various organizations, generating a resume as prodigious as that beard of his (which, he acknowledges, took less time to develop – he’s been growing it for the past few years).
Starting out as a hardware and security engineer, Karpenko has enjoyed stints at Cisco, payroll giant ADP, the intergovernmental treaty organization Packet Clearing House, the Center for Applied Internet Data Analysis, the Information Technology Information Sharing and Analysis Center (IT-ISAC), and more.
We spoke with him about how the CISO role is evolving, how to shift the narrative from cost center to value driver, and why proactive security is more than just a buzzphrase. In the coming year, he says, CISOs have a unique opportunity to drive real change across their organizations.
Let’s start with the CISO role. You say it’s undergoing a transformation?
I see it more as an evolution of the responsibilities that they’ve taken. CISOs have evolved from what used to be mainly a super-technical role to looking at more of the business risks, operational risks, strategic risks, reputational risks, and legal risks.
In other words, how do I secure, protect, and defend my environment as well as my business partner?
And what does that evolution from technical role to more of a strategic business partner look like? What’s the new skill set?
It’s the skills that CISOs need to better communicate with senior management and the board about the maturity of the program, where they need investments, and so they can demonstrate what’s being done to help senior management understand how they’re protecting and defending that environment. To me, you have to be that translation bridge.
CISOs will still need to have those conversations downward with their technical team, but upward is where the challenges have existed. One of the key skills CISOs need as we continue to move forward is definitely the soft skills – the personal skills, the sphere of influence. It’s knowing their audience, how to understand what their desires and needs are for the business, what those critical business processes and systems are that make their company operate and run, and how to ensure that they can actually continue to operate a minimum viable company (basically the bare operations and systems needed to function and serve customers) even if there’s some type of disruption.
So as CISOs become more embedded in strategic conversations, what can they do to shift cybersecurity from being viewed primarily as a cost center to being recognized as a revenue enabler?
One of the key parts is focusing on legal and contractual risk. Many deals now require a certain level of cybersecurity maturity. If you’re not up to standard, you risk losing contracts, and if you lose contracts, you’re essentially losing income and revenue. On the flip side, a mature program can help you win new contracts and maintain existing relationships.
Then there’s operational risk – partnering with CIOs and CTOs to understand critical systems means you can bounce back quickly if there’s a disruption. That resilience avoids costly downtime. There’s also the operational side of it – how much time are you having people spend on unnecessary tasks? That costs a lot of money. How can you automate those processes? All of this builds trust with the board, partners, and customers.
Are there certain industries that could benefit from tying security to business value sooner rather than later? You worked at ADP – is that something that could be valuable to the finance sector?
So I think everybody can improve, but I feel like financial services is pretty well off. They’ve had a very good focus on cyber for some time and they’re very well organized and orchestrated when it comes to their security programs. I’d say manufacturing and healthcare are two key industries I’d look at.
Those two have been hit extremely hard whenever there’s a cyber disruption. If you take manufacturing offline, the plant managers know almost down to the second how much that’s costing. And we’ve seen the disruption that cyber incidents have caused to healthcare where hospitals have had to shut down. You have to move surgeries, there’s an impact to patients, and it’s possible those disruptions could cost lives.
And in those instances, resilience is critical. Why is it so important to be proactive rather than reactive in security?
That’s a great question. If you’re reacting, you’re always just responding and fighting fires. No one likes being reactive. It’s exhausting and you get burned out and tired.
But when you take a proactive, measured approach, you’re looking for gaps, things you need to correct, and what you can improve. By doing that, you’re thinking about the key processes you need to secure and protect and defend, and you’re doing that alongside the CTO and CIO.
So how can organizations make that switch to being more proactive?
You need to have the proper collaborative incident-response plans with the business – business continuity, disaster recovery, and then incident response. Having those is crucial. You need to hold tabletop exercises for technical staff and senior management with executive leadership. Involving them helps them understand, hey, technology is intertwined in what we do, and you need to be a key part of this and understand that we’re here to help and enable you. At the same time, you need to enable us so that we can support you in the business.
And so to me, the proactive piece of cybersecurity, along with resilience, will continue to be a key focus. It’s really about how quickly I can recover and get the business back up and running.