The Cyber Jack Podcast: CISOs Aren't Just CISOs Anymore - OneLogin, Vanessa Pegueros

On The Cyber Jack Podcast, we sat down with Vanessa Pegueros, Chief Trust and Security Officer at OneLogin, to discuss how the role and responsibilities of the CISO in organizations have shifted dramatically over the past few years. We also talked about what internal and external threats CISOs should be focused on in today's environment.

[automated transcript for accessibility and your reading leisure]


Jack 00:03


Today Vanessa Pegueros Chief Trust and Security Officer at OneLogin, joins us to talk about the changing role of the CISO the pressures of the job and securing the new digital age. All this and much more on The Cyber Jack Podcast.


Vanessa, thanks so much for joining us today. We're very excited to have you. As always, we kick it off with our guests telling us a little about themselves. Can you share a bit about your role at OneLogin and what you're focused on right now?


Vanessa Pegueros 00:42


I am currently the chief trust and security officer at OneLogin within my responsibilities -- I have cyber security, physical security, IT compliance and privacy. So it's a pretty broad function, but we're a smaller organization. And OneLogin is a cloud based identity and access management solution company, where we provide software that provides services such as single sign on or multi-factor authentication or two-factor authentication, and we have other products in this space as well.


Jack 01:16


That's great. And I know identity has become such a strong centerpiece in everyone’s cybersecurity strategy -- so I'm sure you've been very busy. Today, I know you wanted to talk a little bit about the changing role of the CISO. And it's arguably the most significant cyber role evolution that's happening as we speak. Can you talk a little bit about how the role of the CISO has changed in the last five years? And a better question is -- how has COVID impacted the role of the CISO, if at all.


Vanessa Pegueros 01:45


So, I think in the last five years, and it might have even started a little bit before that the level of sophistication of cyber attacks and threats, the general threat environment has increased so much that most companies, this is becoming a topic of discussion at the highest levels, including the board. I think that the security leader, whoever that may be, has been a person that both the board expects to hear from as well as the executive level. And I don't think that that is a more recent phenomenon in terms of typically in the past, and I've been in security 18 years, the security leader was more of the technical leader, and you know, the person who managed the firewall. Now, the expectations around the security leader is they understand the business, they understand the risks, they're able to communicate those risks, they're able to offer solutions to the business, and they're able to maintain the reputation of the business. Expectations around the security leader have grown significantly to, in my view, become more real business leader versus just a technical leader.


I think what COVID did -- just to address your second part, I don't think most CISOs and most security leaders, they already have a pretty established roadmap of what they want to achieve over the next, you know, two to maybe three years. So I don't think COVID fundamentally changed everything. anything specifically, I think it actually just accelerated some of the projects that were already on that roadmap. And I think most ceases, although it was a very, it was a very rushed movement to get everybody remote and get them secure. I think most welcome the acceleration of some of these technologies by the business. So getting everybody on VPN, making sure that everybody had to input the proper security software on their and their laptop. I think these were things that that the security team and leadership always wanted, they were just accelerated by COVID. And I do think there's still gaps, I read a lot of articles about how the organizations still have not adapted the proper security controls to the remote workforce. So it's still something I think that security leaders are struggling to get implemented even with COVID, you know, helping to accelerate.


Jack 04:12


So diving a little bit deeper into how CISOs are seen inside their own organization. How are CISOs impacting those other lines of business and other aspects of the business outside of just managing the security for the organization?


Vanessa Pegueros 04:29


Security leaders are seeing more as business leaders, they're expected to understand elements of the business more. And so I see security leaders getting much more involved with like talking to customers or assuring customers that their security posture of the company is strong. Getting involved with I'll call it generally sales enablement. What How do you produce white papers and communications that can go to customers that help a business build that trust around your security program, which then help you sell your product in highly regulated industries, I think the security leaders are often called upon to speak to the compliance of their programs to the regulators and having to talk through that and representing many parts of the business when they have that conversation. I think that the whole set of risks around supply chain and supplier risk is really putting the security leaders at the center in terms of having to validate the security of these, these vendors and the suppliers. And that is forcing the security team into areas that they maybe haven't been as involved with in the past such as like marketing. And as marketing brings on new vendors, how, how is the security posture of those marketing vendors acceptable to the business? Are they do they have the right level of compliance in place? are they treating customer data the way they should? So I think that that's another factor that's really driving the security leader to become involved in different parts of HR. Typically, you always have, you know that that involvement has been there for some time, especially when you want to get into employee related issues. So I think that just continues to that that's something that the HR team that continues to, to be the case but I think that the level of it the types of issues that are now having to be worked with HR, whether it's downloading software, the employee shouldn't be downloading or looking at content they shouldn't be so that that kind of I think is evolving, or maybe devolving is the right word. But that work with HR is continuing.


Jack 06:50


Yeah. And I don't think that we can say it enough, security is a team sport. Getting the other aspects of the business on the same page in terms of best practices and policies is absolutely critical. Now, I wanted to shift a bit into the role of ethics and technology in a CISO’s success or demise. This topic has come up quite a bit with all the recent major security breach disclosures. So I wanted to get your thoughts on this.


Vanessa Pegueros 07:17


Well, I think there are definitely situations where ethics in general have come up relative to the security leaders role. The main areas where that becomes I think, super important is the level of transparency that a security leader is sharing with its with his or her supervisors, as well as executive management as well as the board. I think there there's a little bit of people are scared to share the truth sometimes, because they don't know how that might negatively impact them in their career. And they don't know how it might negatively impact their boss who happens to be responsible for maybe a very high risk issue. I think there's that trade off, that is fairly consistently occurring where the leader, the security leader has to decide, am I going to do the right thing by the business? And sometimes that's a trade off on the right thing to do for yourself. And I think that is it's a real, I think dilemma and some point for individuals. And I think that, you know, this is just something as things become more complicated and more, the threat environment becomes more, more sophisticated. And as companies start to adopt new technologies, these risks have to be, they have to be made transparent. And it's important that the security leader knows what their priorities are, is it you have to be willing to possibly risk your own job to do the right thing. And I think that's where a bit of the ethics come in play. There, technology also is evolving to a point where, you know, the privacy elements are starting to become more of a topic of discussion. And, you know, how much information should an organization have about its employees? How much information should it have about its customers? And what role does the security team play in enabling that, that assembly of information or that processing of information, so I think that is also something that the security leader could become involved with, and that's not always the case, but it definitely can happen?


Jack 09:46


Definitely. And now more than ever, employees are being more mindful about what kind of data that they even provide their own company. That's definitely an evolution to keep an eye on and like you mentioned, the role of the CISO could come into play there. So final question. Are there any upcoming threats on the horizon that you think CISOs need to be preparing for?


Vanessa Pegueros 10:07


Well, I think one of the big things is you have to think about talent, your talent, management of your people and succession planning. What what's going to happen when some of your older employees start to retire? How are how are you going to prepare your talent, your people to take on those roles, with the talent war that's occurring in cyber. It's really challenging to retain people. The salaries are going up, the companies are, you know, I was talking to somebody at a startup recently. And they said, they make offers to individuals, and the individual has five other offers from other companies. It’s a real thing. And it's something that that I think cybersecurity leaders need to really start preparing more for, and I think it's going to get worse before it gets better.


The other thing that I think is important is, you know, how AI and ML are evolving and businesses and what are going to be the threats, the security threats in those areas? How are security teams going to position themselves relative to that technology? How and a lot of times, they may be driven by lines of business? And how are you going to put processes and procedures in place to validate the security issues around AI, not to mention the privacy issues and possibly reputational issues that could result from bad AI models. So I think that's important, I think watching cryptocurrency and how that's evolving, how that will impact your business, how it may end up playing into, again, the security team getting pulled in to it.


And again, just general supplier risk. The more and more that companies are outsourcing functions of their business to whether it's a cloud or a SaaS provider, the more challenging just kind of controlling that whole space for security becomes and so security teams really need to start evolving and to address those big business problems.


Jack 12:17

Absolutely. Well, thank you, Vanessa, for being here. We really appreciate it. Definitely keep an eye out for the changing role of the CISO. And for all you listeners out there, we'll catch you on the next episode.


###