When Laura Deaner speaks about the CISO’s mission, she doesn’t talk about preventing breaches and detecting intruders.
Rather, she gives her top task as enabling the long-term business strategy, an objective the CISO delivers by engendering in customers a high level of trust in the company’s ability to keep them safe and their data private.
“My job, and that of the security team, is to protect our clients and maintain their trust by delivering world-class and innovative cybersecurity and risk management services,” she says.
Deaner is the new chief information security officer at Northwestern Mutual; she was appointed to the post in February 2021. She brings with her 21 years of cybersecurity experience and a business-focused perspective that reflects the evolution of the CISO into a full-scale executive role that’s more business leader than security specialist.
“Technology is driving our overall company strategy: We want to create a personalized digital experience so each client feels empowered. So my team, the security team, must be thinking about innovative ways to deliver that digital experience securely.”
Deaner’s perspective on the CISO’s role and its responsibilities shaped her early moves at Northwestern Mutual, as she developed her strategy for its Enterprise Information Risk & Cybersecurity function and its 100-member staff.
Those moves transcend Northwestern Mutual, though, and reflect the broader shifts happening in cybersecurity as CISOs increasingly see their primary role as that of a full-fledged executive who contributes equally to crafting and enabling the business strategy.
As such, her preliminary steps at Northwestern Mutual give a blueprint for how security chiefs can ensure that their and their teams’ day-to-day work and tactical initiatives support a well-formed (and well-informed) security strategy that’s aligned to organizational objectives.
“Having a technical background helps set me up to solve problems, but it’s important for a CISO to enable the long-term business strategy, and you do that by taking the time to understand the business, who its clients are, and what they care about. It’s not about buying another security tool,” Deaner says.
Setting a new security direction
Deaner, who previously served for nearly five years as CISO at S&P Global, started her tenure at Northwestern Mutual by delving into the company’s current state and getting a better understanding of where it was going, seeing such information as critical for setting the security strategy.
“We technologists want to solve stuff really fast, but you first have to understand the challenges, the mission, what’s important. You really have to take time to understand how the business works, understand what the concerns are, and then start to devise the strategy around how to solve those challenges and how to embed anything a security professional has to do into that business,” she explains.
“And as a CISO you have to understand the whole technology stack—are you in the cloud or a data center, where’s your data, are you global, and what local laws do you have to follow. Then, you need to understand the major requirements for the industry standards you must follow, the legal rules, the threats you’re seeing. It’s then that you can start devising a plan, a realistic plan, on how you’re going to tackle all those challenges and how you can use the technologies and tools you have to do that.”
She builds on longstanding security principles to get that done.
“It’s not the shiny tools or toys. It really is basics and focusing on security hygiene. You have to know what you have, have an asset inventory, understand your network, keep up with vulnerability and patch management, and know the key components of risk reduction and controls that you can apply. You must have an understanding of what your knowns are and then incorporate your tried-and-true tools. These are things the security industry has been talking about for a long time.”
Deaner says she starts with that foundation, using those basics and then adding new elements to address emerging threats and build resiliency.
As an example, she points to the newly urgent need to address third-party risks following the SolarWinds breach, noting “we’re putting thought into any risk our third and fourth partners may pose to our company or the data they may possess.”
She also cites the increasing need to address the risks and challenges that come with the rapid expansion of connected devices and the exponential increase in data as well as the rising number, sophistication, skill, and resources of bad actors.
“This is the world we’re living in, where everyone wants to be connected, where the pandemic just accelerated those digital connections, and where criminals and nation-states are opportunists taking advantage of this shift,” she says.
To counter those threats, Deaner believes she and other CISOs should work together and broaden their teams.
To that end, she’s a board member with the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber intelligence sharing community serving financial institutions via its intelligence platform, resiliency resources and a peer-to-peer network of experts.
“We have to get help from people outside our own company, and we have to be more willing to share under the umbrella of an ISAC, so we can have the skills to really understand the adversaries. We’re sharing tactics, techniques, and protocols that threat actors are using so we can be more proactive. It helps us to stay ahead,” she explains. “And I think we’ll see that being used more.”
Deaner also served from July 2019 to October 2020 as co-chair of the Global Future Council on Cybersecurity with the World Economic Forum. In that role she led a group of top information security experts and influencers from both the private and public sector to develop new ideas and insights that could influence decision-makers and shape cybersecurity’s forward direction.
Deaner also believes in broadening the field of cybersecurity talent to include more women and minorities, noting that CISOs already know that both groups are underrepresented in the profession. She was drawn to technology because her father encouraged her and her three brothers to tinker and because her technology classes at Old Dominion University encouraged her to explore questions around the unintended consequences of technology.
“It started with curiosity, and then I realized there was a whole cyber place for that,” she says.
But she also remembers being one of five women in a class of 300 and knowing first-hand the value of having mentors to advise her on how to move forward in a field where few of the leaders looked like her. It fuels her passion for diversity efforts.
“There were people who didn’t think I belonged in tech because of my gender. I don’t want anyone to feel that way,” she says. “So I want to do what someone did for me when I was in computer science, which was giving me hope that I can keep going, that even though I didn’t see anyone who looked like me, that I could do it.”