TRUST - THE COMMON DENOMINATOR IN BUSINESS & SECURITY SUCCESS
Two and a half years ago Vanessa Pegueros took her background in security and technology in the banking and telecom industries to the rapidly growing eSignature software and Digital Transaction Management company, DocuSign, Inc. Pegueros was drawn to the CISO role at DocuSign because the company put a priority on trust. “Trust is a core principle of the company,” said Pegueros. “It is critical to the success of DocuSign and it is critical in the success of any security program. So there was great alignment there.” With trust as a priority, Pegueros knew she could build the program she needed to be effective.
Soon after coming on board, Pegueros announced that DocuSign would build out a “bank grade security program,” a message that sales and marketing quickly picked up as well, since customers increasingly wanted to understand DocuSign’s security program and controls. This level of customer interest in her program has enabled Pegueros to carve out a role as a business enabler.
Pegueros is often brought into the sales cycle and attends prospect and customer meetings. “Our enterprise customers want to know about security. It is usually among their top three questions. They especially like our leadership in delivering ‘bank grade security’,” she said.
In the time Pegueros has been at DocuSign, the company has tripled in size, from 500 to 1,500 employees. The security team has expanded from two to 20 people. Security has become a competitive advantage for the company, but Pegueros is quick to point out that more can always be done in this regard. “I continue to emphasize the impact security can have with our product teams. Security is one of a handful of key areas where we can truly differentiate [from competitors] so that DocuSign is the only company and platform within the customer’s consideration set.” In 2016, Pegueros will work to further advance the idea that security is not a check box item, but that it must continue to be integrated overall to positively impact performance, revenue, and business goals.
TACKLING THE HARD CHALLENGES
DocuSign is experiencing tremendous growth, and the security industry is evolving at a rapid pace. Pegueros admits that the two can combine to present significant challenges. But, she has a plan in place to tackle those challenges, and has built a trustworthy team capable of meeting them.
Pegueros reminds her team that accepting risk is okay. “Security teams need to be more business-focused and not get emotional. Maybe the risk is high, but it is not the security team’s decision to make. Our role is to highlight the risk and ensure people have the facts and analysis to understand both the impact and likelihood of fruition for any given risk. For example, we might be 80% sure that an incident will happen in the next five years, but can’t pinpoint exactly when. Representing risk to the board is the most difficult thing because it is not science.” Pegueros believes the industry could be better served by more sharing of data. This would make understanding probabilities and presenting risk much easier. “In insurance they can give you a great understanding of risk. If you are a 60-year-old man who smokes they can tell you exactly how likely you are to get heart disease. We don’t have that level of analytics in security. In our industry, companies do not share any more information about breaches and incidents than is required by regulations.” What is the right level of information sharing? Pegueros is asking that question of her peers and her team.
Prioritization is another challenge for Pegueros. She focuses on security projects related to revenue-impacting programs first in order to align with business goals. Non-revenue impacting programs are prioritized based on risk. To implement security effectively, Pegueros partners with other business leaders. In many ways this collaboration is made easier because Pegueros reports into the General Counsel through the Chief Risk Officer, instead of the CIO or COO.
Her team previously reported up through the Chief Operating Officer, which meant it was grouped with other departments that had different needs and priorities. That made it harder to get things done. Now, as part of the Risk Organization reporting to the General Counsel, Pegueros partners with business units. Since the move, Pegueros reports, “My relationship has improved with many in operations because now we are allies. Now we can go to the Board as a consolidated team. I am able to help teams get the resources they need to focus on security from within their organizations.” As a result, Pegueros has stronger partners and access to dedicated security resources in other departments.
THE CISO’S OBLIGATION TO THINK STRATEGICALLY
Her other challenge for 2016 is to advance her team strategically. She is asking herself, “How do I build up the thinking capacity of my team?”
Pegueros says, “At this point, tools are an afterthought. How do I get ahead of [risks]? For example, I am thinking quite a bit about incident response. How do we build the resiliency in our team around incident response? If a team is well prepared then they will not be shocked when [an incident occurs]. This does not mean doing a few practice exercises. We need to make response second nature, so that we can react very quickly.” She is working to make incident response less of a process and more of a reflex.
“My team has tactical priorities. They are focused on the steady things we have to do. As CISO I have to build out our broader capabilities and address what is missing. The CISO’s obligation is to think strategically, and the need for strategic leadership is greater than ever. It has to be our priority.”