Get Involved in Security Strategy

Guest Editor Julie Cullivan talks to Profile about the evolving expectations of contemporary IT leadership, and what’s next for her at top network security company FireEye

What experiences, professional or personal, have best prepared you for your role as FireEye’s chief information officer and senior vice president of business operations?

After spending more than twenty years in the technology space in a number of marketing and sales roles, I took my first job as CIO of FireEye in 2013. I quickly learned that the CIO’s job entailed making many decisions from a business and risk perspective. It was like marrying the business perspective into what we need to do to grow in scale with our technology capabilities.

Prior to starting at FireEye, I worked at Autodesk and held executive roles at McAfee (as senior vice president of worldwide sales operations), EMC, Asera, and Oracle, where I started in the IT industry before moving up in the company to the position of vice president of sales consulting.

What skills or qualities are essential for CIOs today?

For many years, I have heard that to be an effective CIO you have to understand the business and align closely with the business imperatives. This is very true, but CIOs also have to be the chief officers of risk, security, compliance, customer assurance, integration, problem solving, and the list goes on. While the title hasn’t changed, the responsibilities and expectations of the role are definitely different.

What form of expertise do you want to add to your own repertoire?

I am very interested in joining a board so I can gain the experience of helping to guide and advise a company. Currently, I wear two hats. As CIO, my core responsibility is to deliver a broader, scaling infrastructure that supports FireEye’s enterprise goals and business capabilities. As senior vice president of business operations, I lead the go-to-market team and business operations teams. With my broad background, I think I could provide a unique perspective, which spans several disciplines and industries.

What is the biggest issue in the cybersecurity industry at the moment and what are some ways to combat it?

One of the biggest issues in the cybersecurity industry is getting your executive team, and board, on board with cybersecurity. It’s no secret that cybersecurity is now a persistent business risk and the impact has extended to the C-suite and boardroom of most companies.

A majority of boards aren’t involved in deciding security strategy, and research shows that fully three quarters of boards don’t review security and privacy risk. It’s viewed as something technical, so they turn the issue over to the CIO and assume the need for their involvement is over.

Sadly, this common misconception could have disastrous consequences. Cyber risk is an enterprise-wide issue with enterprise-wide implications—and it is far from a technical issue. It takes an average of 146 days to discover an intrusion in a network, and by the time it’s discovered, the attackers have already stolen whatever they want: data, reputation, and revenue are impacted.

We’ve got to help the C-suite executives and boards understand that they need an investment plan that matches the overall security strategy. We also need them to recognize they need to play as much of a role in that strategy as any technology we could purchase. I recommend three points to help executive teams and boards see that a security strategy is an insurance policy, of sorts:

1. Ask your executives: how secure do we need to be? How good is good enough? Is it enough to meet compliance requirements, or do we want to shore up defenses so attackers can’t get in and steal personal information? Unless we’re willing to spend enough to be 100 percent secure (and quite frankly, that’s impossible to guarantee), what trade-offs are we willing to make?

2. Talk about the evolving cybersecurity landscape. Cyberthreats are growing faster than any other category of business risk, and the gap is likely to continue to increase. Breaches are inevitable, and the areas put at risk when they happen are broad and deep: from a compromised system or supply chain to the financial implications of noncompliance and breach notification. You not only face compromised or lost data, but your brand will take a huge hit that it may not recover from. Add to that the legal risks resulting from regulatory fines and failure to keep customer commitments, and it adds up to a game-changing argument.

3. Balance security against the other projects you manage. The solution is to separate cybersecurity from your IT budget, and ensure that the amount you’re designating matches your risk profile.

Conversations about business risk simply have to include discussions about cyber risk. They’re not separate entities, and enterprises can no longer afford to treat them that way. Ultimately, both the executive team and the board are responsible for protecting the shareholders.

How do you effectively communicate solutions to the rest of the management team?

A CIO needs to be an effective and courageous communicator. Today’s CIO has to be the voice of reason when the organization has potentially unrealistic expectations, and the CIO must be ready to communicate options and recommendations that will still align with the ultimate goal of the organization. Say your company is working on a cloud strategy and wants it implemented in three months. That simply may not be possible, and the CIO has to have the courage to speak up and say so, but also be prepared to walk through alternatives that still meet the larger goal of moving to the cloud.

Otherwise, you may put the reputational risk of the company or the executive team on the line. To be clear, this is not about wielding power and saying “no” just because you can or about not fully supporting the strategic imperatives of the organization. It’s about being a realist and making sure the company doesn’t suffer as a result of overpromising and under-delivering.

How do you evaluate the effectiveness of a potential technology?

At FireEye we evaluate and look at potential technologies that are highly secure, easy to integrate, and deploy quickly. We look for cloud first and make sure we understand the need instead of adding technology into a process or policy that may already be broken.

What is the balance between long-term and short-term strategy for IT and business operations at FireEye?

FireEye is a very dynamic and fast-growing company. In the few years that I have been at the company, we have completed seven acquisitions and opened over thirty locations around the globe, including three support call centers and six R&D [research and development] centers. We have grown to more than 3,400 employees, expanded our product portfolio to over twenty offerings, and are a $623 million (revenue) company. There isn’t a lot of time for what most would consider long-term planning, so we take the approach of trying to be nimble, minimize technical debt, and be as iterative as we can in rolling out solutions. So as the question notes, balance is the key word.

What does the next generation of IT leaders look like?

I am hopeful the IT security field will attract more and more women for the next generation of IT leaders. I believe we need to start earlier in the career lifecycle getting young women to understand that it’s a really exciting opportunity, making sure they are aware that not everyone needs to be an engineer to be in this field.

For women who’ve already started careers in the space, I encourage them to be proactive and aggressive in making their goals come to fruition. You must be clear on what it is you want to do, and you have to raise your hand and go after it because people aren’t going to do it for you.

Who has helped you most during your career?

I have had many supportive leaders throughout my career and without their sponsorship I would not have had some of the opportunities to grow and take on bigger roles. Very specifically, Dave DeWalt [FireEye’s chairman and CEO] has always pushed me to get out of my comfort zone and take risks. I also need to thank my husband and kids, as they are always cheering me on and allowing me to balance my career and family.

If you weren’t in this profession, what else would you be doing?

I have a finance degree, and I began my career at a tech company in corporate finance. I wanted, and needed, to understand the products so I learned as much as I could about the technology. Shortly after, a sales opportunity with that company opened up and I learned more about the business, leadership, and management. Little did I know, fast forward twenty years later, I would still be in the technology industry. If I really think about another career, it would be finding a way to help more women find career success in technology or teaching at the college level.

What would your colleagues be surprised to learn about you?

My “go-to” surprise is that I won the cooking award in high school—and I don’t cook!

What are you most excited about now at FireEye?

FireEye has made two very exciting acquisitions recently, allowing us to continue to differentiate our solutions in the security space. As a security practitioner, being able to leverage a global threat-management platform is critical, and Invotas supports the orchestration of incident response across web, e-mail, and endpoint, which has a very real and measurable impact on a security operations team.

Intelligence has always been an important focus for FireEye. With the addition of iSight Partners to our intelligence-led security offerings, we can offer our customers contextual security intelligence way beyond our competition by incorporating proactive intelligence and gathering and integrating it with their global threat-management platform.