Profile: Billy Norwood, CISO, FFF Enterprises

Billy Norwood has over 20 years’ experience working across many roles and industries. He joined FFF Enterprises in 2020 as their Chief Information Security Officer. Founded in 1988, FFF Enterprises is a leading supplier of critical-care biopharmaceuticals, plasma products and vaccines. Prior to joining FFF Enterprises full-time, Billy ran his own advisory firm focusing on fractional CISO roles for SaaS firms. He comments, “I was interested to join FFF because they offered a broad product array outside of their distribution business, including software products, SaaS-based products and IoT. So having many different types of products was compelling, along with the strong leadership they have in place.”

In his current CISO role, Billy oversees the overall cybersecurity strategy. This spans security architecture and engineering, security operations, and product security, along with shared responsibility for privacy, third party risk, and physical security.
He explains, “I’ve been here for a little over two years and we continue to mature many areas of our program. I spend a lot of time in security engineering, operations, and product security as the company develops new products. I’m also running risk assessments, doing threat modeling exercises, and focused on addressing privacy. Right now, we have a big push to become CPRA compliant in anticipation of the law going into effect. I’ve also been working with our General Counsel and outside privacy counsel on areas like our data governance program.”

BUSINESS-FOCUSED SECURITY

Speaking in business terms comes naturally to Billy: in the past he owned his own consulting firm and attained his MBA with a focus on entrepreneurship. Having an entrepreneurial spirit gives him a unique perspective that goes beyond a technical focus. He approaches security from a holistic perspective, taking into account security’s role in each department, understanding their goals and challenges and how he can leverage security to make a positive impact.

He comments, “To align security with the business I use terms like time savings. I am able to tell executives that if a developer can identify a vulnerability and remediate it before it’s in production, we save X amount of time and are less exposed in production. I try to make sure security is known as the guardrails not the gates for the business. If a developer is working on a product, security can identify critical issues up front while they’re working on the proof of concept, not once they are almost done with development. As you get closer to QA and production, you start tightening the guardrails down, but you don’t want to build a gate at the very end right before they go live, and everyone has signed off.”

Like FFF Enterprises, many businesses are transforming at a rapid pace, and Billy is tasked with ensuring his team keeps pace while security remains strong and continues to mature.

CONTINUING TO GROW A SUCCESSFUL PROGRAM

Billy’s first year was dedicated to building the program from a tooling and hiring perspective. He is now set on continuing to improve key processes around each security program area. Similar to many other CISOs’ focus areas, Billy is bolstering their identity and access management program. He comments, “With developers being able to use cloud native technologies and Kubernetes, we want to make sure nothing is reaching outside or reaching laterally where it shouldn’t be. We are spending more time on the QA portion for security as well as making sure we have threat modeling for new major features ahead of time. So, the focus is on both processes and tools.” 

When investing in new products, Billy relies on vendors that might offer additional professional services to help with implementation or quarterly check-ups. Ease of use in deployment is key to saving his team time and ensuring a smooth transition. Unique to Billy is his past experience working on the vendor side of security, where he gained exposure to how vendors productively partner with organizations and provide a multitude of benefits, especially to security teams with smaller headcounts. He explains, “I’ve been on both sides of the coin. If you’re good to your vendor, they’ll be good to you. They’ll let you know what’s coming out on their roadmap and catch you up early if there’s going to be a price increase. If you have a good relationship, they become a partner and engage with you on a regular basis, not just sell you something and leave.”

His team is also focused on leveraging automation to speed up closing vulnerabilities and addressing incident response. Similarly, by focusing on orchestration, his team can get things done more quickly with less of a drag on their time.

PARTICIPATIVE LEADERSHIP AND EDUCATION

Billy believes in participative leadership, constantly engaging with his team to build a community and encourage open dialogue. He explains, “I don’t draw a hard line that this is my stuff, and this is your stuff.  I like to keep them informed. I find if you keep your teams informed about what executive management’s talking about, it keeps them very invested in the company. They can see the growth and the roadmap looking forward, and it gets them excited. I like to be collaborative and let them take the first shot even when I might think my way might be better. Worst case scenario, it’s a learning experience for them. And best case scenario, they figure out something that I didn’t know and it’s a learning experience for me. As wide of an area that security is, they might know better than me and teach me something.”

Encouraging his team to explore areas they might not be familiar with is also important to Billy. If they are interested in the cloud, they can take cloud classes and get involved in that area of learning. And it benefits the organization because the developers might be working with cloud-native technologies, so his team has broader education to help. 

Billy continues, “As part of my team’s individual goals, they are given many educational opportunities. They can attend industry conferences or even get certifications if they’d like. Taking classes around their interest area is something I let them decide on. I think it’s key for every company to give people the opportunity to continue to learn. It is so easy to get caught up in the day to day tasks, but learning new stuff is important, especially in our industry.”

To personally continue to grow and learn, Billy relies on meeting with others across cybersecurity to learn what they have going on, trends they are seeing, and any challenges they are currently facing. He also believes strongly in mentorship. He comments, “I look for mentorship opportunities, both within my field and outside of it. It’s great to connect with really experienced CISOs who have been working longer than me, who have seen more. They can help you get through tricky politics you might run into and help ease your frustrations on similar things you are facing. You’d also be amazed at the things you can learn from people outside of your field as well. I’ve talked to CFOs who helped me understand risk management from their perspective because they’re guiding entire companies on risk to keep them making money. You can see with a broader vision and understand why certain things happen and decisions are made at the executive level.”

Billy also invests his time in reading, whether it is books about being an empathetic leader or how to mature your cybersecurity program. He is currently reading about building more productive remote teams to continue to evangelize for security and lower the security risk across the business. 
