In the continuously evolving security landscape, it is imperative for organizations to have a good understanding of the business along with the risks associated with every process, and to find ways to mitigate those risks. Along with understanding the technology, it is equally important to make people aware of information security needs and their significance. With more than 20 years of experience in the IT sector, Steve Hendrie, Sr. Director & CISO at The Hershey Company, is passionate about information security and risk management. He shares his thoughts on the importance of information security and the evolving trends in the space.
What are some of the pain points that you have seen in the information security space?
Today, digitalization, Artificial Intelligence, Machine Learning, Internet of Overwhelming Things (IoOT) are the real disrupters in the IT landscape. The major problem is all of these technologies are coming to the forefront at the same time, which makes it challenging to implement them together. These advanced technologies are not only helpful in resolving security issues but are equally threatening in instances where AI and ML are being weaponized and used against the companies. Along with the rapidly changing technology, the other primary concern in the space is the lack of skilled people who will be able to deal with the ever-evolving security issues.
How can CIOs align their companies with the evolving IT trends?
If we think from a technological perspective, we can see that a lot of different technologies are trying to keep pace with each other. But looking at the bigger picture, we will gradually realize that we need to look beyond technology to solve the security issues. We at The Hershey Company have been involved in studying culture within the organization, which helped us to scale the information security tools. These days organizations are making employees aware of the types of threats they can fall victim to. While implementing and maintaining secure platforms, our executive team must understand how even minor decisions can have a significant impact on the business. The team needs to work in partnership to drive a business strategy that is designed by security.
As the Senior Director and CIO at Hershey, what are the strategic measures that you take to secure the company?
Usually, the information security department is treated as a hidden part of an organization. Our first and foremost step is to bring the department out of the shadows and make people aware of its significance. One of the most strategic things that we are working on is to drive a risk awareness campaign into a business leadership scenario. One of the key things that we need to demonstrate as information security practitioners is an understanding of the business. This will ensure that we have an understanding of both the risk and opportunities that exist within any scenario. It also allows us to discuss risk with more business context, enabling smart and risk-informed decision-making. It is also required that organizations build capabilities and create processes and frameworks to make sure they can identify the risk factors associated with the decisions in the early stages of strategy planning. Talking about Hershey’s, we are focusing our energy on developing people who can relate to our business strategies, understand the associated risks and help the company strike the right balance.
Could you comment on any recent projects or technology implementation that you were part of?
As a manufacturing organization, Industry 4.0 and digitalization are the two significant phenomena that are widely impacting Hershey’s. These initiatives are changing how we work and what we must do to maintain an appropriate level of security. These technologies are introducing new challenges to how we traditionally consider things like availability, integrity and privacy. These factors are critically important for businesses and require the early involvement of the information security program. Educating all the stakeholders and making them aware of the probable risk has reaped maximum results for the company in terms of scaling up and ensuring information security at the same time.
What, according to you, does the future of enterprise IT and information security look like?
Witnessing the convergence of all this new technology is both exciting and scary at the same time. While we are probably not staring down imminent world domination from AI, at least not yet, all of these new technologies require innovation and new ways of thinking. This isn’t just a security thing, these technologies are driving change at all levels of the organization. AI & ML can bring great opportunities like speed, automation and insights but we have also seen what can happen when bias is inadvertently built into this technology. 5G promises an even more connected world but we are already seeing things to look out for in this space. As always, we will need to adapt and find a balance between risk and opportunity. This new rate of change is likely the new normal so we will need to do this at a speed and scale that we have not had to deal with since the Internet itself. Don’t get me wrong, I am excited about all of the new tech. But it will be important for organizations to not get caught up in the hype. We need a thoughtful and balanced approach to it.
Any piece of advice that you would like to give to a peer or CISO in this particular space?
In all these years of working in the industry, one thing that I learned and abide by is, regardless of your job title and description, you have to wear multiple hats. Along with having a strong IT team by your side, you must have a good understanding of the business as well as know how to take a balanced approach between risk and opportunity. Risk can’t be managed to zero. You need to make sure you are managing it appropriately and that you are making smart, prioritized and informed decisions. Trying to achieve zero risk will stifle innovation and growth and in the long run lead to security being viewed as an inhibitor. You want to be seen as a strategic partner and business enabler. Therefore, to establish a business relationship, take time to understand the business, its objectives, associated risks, along with finding the ways with partners to manage it as well. And the only way to do that is by establishing those partnerships upfront and then leveraging them throughout the journey.