As CISO for Fortra, Chris Reffkin spends a great deal of time thinking about security and about how the industry can become more efficient and effective by focusing on the right things.
What made you decide to pursue a career in cybersecurity?
There was a bulletin board in the Knoy Hall of Technology building on Purdue’s campus. On the board was a flyer with a few classic 90s hacker movies, which I’ve always loved. The flyer piqued my interest, so I submitted my resume. Next thing you know, I was selected for an internship in the security field. I have always been a problem-solver at heart, which is one of the reasons cybersecurity is appealing to me. At its core, all security, whether offensive or defensive, is problem-solving. It’s all about how to break controls or how to build a program to minimize and contain an attack.
Being a CISO in today’s cybersecurity environment must present its fair share of challenges. What keeps you up at night?
Number one, my team. It’s always on the top of my mind to make sure they don’t get burned out, that they stay challenged, and that they are recognized for their work. Most people don’t see what a cybersecurity team does every day. It’s important to me that my team knows they are valued, knows how they fit into the broader team, and understands how they create value for the company. Without them, our security program doesn’t function properly.
Number two, I think about how we can balance projects and priorities. There’s never just one project going on at a time in cybersecurity. Each project not only requires dedication and focus but also a keen sense of balance. I focus on how to best balance the team’s ability and demands with the daily, monthly, and yearly goals.
What are your top tips for companies looking to advance their security programs?
Embrace a Security 101 concept. Security 101 is about the fundamentals. Once you incorporate the fundamentals, you build and scale the security program to your company’s needs. Having the latest security technology is one component, but it’s not a panacea. If you don’t patch your systems or fail to implement strong authentication controls and permissions, your operations are at risk. It’s that simple.
Each business needs to know the answers to the following questions:
- What is exposed on the internet?
- What do you know about those systems?
- Are you monitoring them?
- Are you patching them?
All of these are easy to identify and work on because they’re all definable, measurable, and repeatable. Have a specific objective for each and then scale the objectives from there. As you determine your needs, you can add more controls each time. Just remember to break down each issue tactically to the basics. Don’t treat your security program as an idealistic, theoretical unit.
Always remember that it’s about the processes and building a layered approach to security. This may include software, automation, and even employees doing spot checks. Enterprise processes and functions don’t necessarily have to be complicated. They can include basic things that can help get the job done.
Security teams are struggling due to factors like rising expectations, uncertainty, and the tight job market. How can CISOs help relieve the pressure and motivate their teams?
A CISO needs to set the tone for the team. They need to remain calm, cool, and collected so that when you have to change paths, the team knows it can be done. There’s a lot of general noise in security. Companies often have a vast enterprise to protect, and there’s pressure to minimize loss from a business operations standpoint.
When you add in pressure from the tight job market, what needs to be accomplished, and ransomware and other attacks, it’s understandable why people are daunted by security and want to throw their hands up and say, “I don’t know where to begin.” By making sure changes are done tactically and without emotion, the CISO keeps the team on the right path.
The CISO needs to make sure everyone on the team is taking time off. Fresh eyes and fresh minds are key in high-level problem solving. It’s noticeable when a team member comes back from vacation and can offer a fresh perspective on an issue, one that others may have missed because they’ve been looking at it from only one angle.
Finally, because so much happens in a month, or even a week, it’s important to recognize that progress is being made every day. My favorite Fortra company principle is that we get a little bit better every day. The team benefits from this mindset because it’s reasonable and practical.
If you could change one thing about the cybersecurity industry, what would it be?
I’d like to see more collaboration and less fearmongering. It'd be great to break down barriers to make it easier to collaborate seamlessly with the broader security community. Being able to share information, concepts, and ideas in real time not only would benefit organizations with limited teams or capacity but could also drive change in the industry. I think building relationships at a grassroots level would change a business's ability to adapt and respond more effectively and efficiently.