Chris Lugo is currently the Global CISO of Danaher Corporation, a Fortune 500 globally diversified science and technology conglomerate. He began his career at Discover Financial Services where he held a number of technology and information security roles spanning almost fifteen years. He then moved on to Hilton Worldwide as Vice President of Information Security and Compliance for three years before joining Danaher Corporation.
Transitioning into a C-level security role allowed Lugo to look to the experiences of other CISOs and CSOs to learn from the best leaders in hopes of accelerating the programs under his leadership. He explains, “The transition to CISO for me was often met with many curvy roads and really looking at the available options following in those footsteps of many smart people who had done really phenomenal things in this day and age, while at the same time still writing the playbook or at least writing a set of instructions that other security leaders could follow. But in short, there is no playbook. And there was a lot of pounding my head against the wall to try to figure out the right solution at the right time that managed risk, but also enabled what the business was trying to accomplish, which is what we all should be doing today.”
FOCUSING ON THE CORPORATE MISSION
To ensure he and his security team align with the goals of Danaher Corporation, Lugo focuses the security program's mission on embracing the differing business intentions, providing the common services they all need, and at the same time tailoring aspects of the program in areas that are meaningful to different parts of the organization.
Lugo looks at the security mission through a number of lenses, including the nature of Danaher's business as a diverse portfolio of companies. Solving multiple challenges with common solutions is paramount to him: the program scales at enterprise level against common threats, while being adapted in specific areas where the nature of a business, and therefore its threat model, differs.
He explains, “Our program and our mission really centers around how we solve for the common [risk] denominator through a services-based approach that is supporting the different business intentions we have. At the same time, we are recognizing that a one size fits all approach is not going to be as effective as something that can tailor and evolve as our businesses rapidly change.”
THE IMPORTANCE OF STRONG COMMUNICATION
Lugo believes frequent communication is critically important in making sure security teams, along with directly adjacent teams such as IT, keep security front and center. This is key to ensuring that the intention behind a new security program, policy, or initiative is clearly communicated, along with how it may affect important business operations. Lugo accomplishes this through three measures: building with the voice of the customer, translating security awareness material into different languages, and branding the security organization.
He comments, “First, we build our approach with the voice of the customer in mind to minimize any disruption, avoid delays, and prevent any stumbling blocks that would prevent us from achieving our goal. Next, being a global multinational organization, and this may sound simple but really goes a long way, we translate as much of our awareness and education, our phishing simulation messages, our newsletters, into at least nine different languages to appeal to our global user base. Third, we’ve tried to make security as visible throughout the organization as we can by giving it an identity and making it real to people in their day-to-day lives. We brand the security program to show we’re really aligned to protecting our employees just as much as to protect our company’s information.”
“As I was transitioning into the security leader role, I was really looking for someone who cracked the nut of security metrics and had the template we could all follow and leverage. And we’re still today seeing that it’s a mixed bag of different metrics that we rely on,” says Lugo.
Within his team, they have a standardized set of operational and mostly activity-based metrics. One is vulnerability density: the number of open vulnerabilities at each severity level divided by the number of assets, so that units of very different sizes can be compared. Plotted as a heat map, density shows him where threats may be shifting and where prioritization or resources are likely needed, and lets him answer questions such as where the team needs to spend the most time and attention. He is careful to avoid what he calls the 'chasing zero effect', striving to reach zero vulnerabilities, since routine software updates and system hardening are a continuous exercise and a non-zero backlog is the normal state.
When Lugo thinks about metrics presented to executives, he focuses on the critical few that tell the story of how the program is performing, what good looks like within the organization, and how it compares against industry benchmarks. These include the human impact of security through education and phishing training.
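The vulnerability density metric described above, worked through on constructed data, as an added example that is not from the article or from Danaher: the asset inventory, business-unit names, asset IDs, and both scanner snapshots are invented. Density is computed per business unit and severity, ranked to find hotspots, and compared against a previous snapshot so that attention goes to units where density is rising rather than to any unit that is merely non-zero (the 'chasing zero' trap).

```python
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample data standing in for a CMDB export and two scanner
# exports (last month, this month). All IDs and unit names are invented.
ASSETS = [  # (asset_id, business_unit)
    ("srv-001", "diagnostics"), ("srv-002", "diagnostics"),
    ("srv-003", "diagnostics"), ("srv-004", "diagnostics"),
    ("srv-101", "life-sciences"), ("srv-102", "life-sciences"),
    ("ws-201", "corporate"), ("ws-202", "corporate"), ("ws-203", "corporate"),
    ("ws-204", "corporate"), ("ws-205", "corporate"),
]

PREVIOUS_FINDINGS = [  # (asset_id, severity), one row per open finding
    ("srv-001", "critical"), ("srv-001", "critical"), ("srv-002", "high"),
    ("srv-003", "medium"), ("srv-004", "low"),
    ("srv-101", "critical"), ("srv-102", "high"),
    ("ws-201", "medium"), ("ws-202", "low"),
]

CURRENT_FINDINGS = [
    ("srv-001", "critical"), ("srv-001", "high"), ("srv-002", "high"),
    ("srv-003", "medium"), ("srv-003", "medium"), ("srv-004", "low"),
    ("srv-101", "critical"), ("srv-101", "critical"), ("srv-102", "high"),
    ("srv-102", "medium"),
    ("ws-201", "medium"), ("ws-202", "low"), ("ws-203", "low"), ("ws-204", "medium"),
    ("srv-999", "critical"),  # asset missing from inventory: skipped, not counted
]


def vulnerability_density(assets, findings):
    """Return {(business_unit, severity): open findings per asset}.

    Dividing by fleet size is what makes the number comparable across units of
    very different sizes. Findings on assets absent from the inventory are
    skipped; an inventory gap is a separate problem and should not silently
    inflate or deflate a unit's density.
    """
    unit_of = dict(assets)
    fleet = Counter(unit for _, unit in assets)
    counts = Counter()
    for asset_id, severity in findings:
        unit = unit_of.get(asset_id)
        if unit is not None and severity in SEVERITIES:
            counts[(unit, severity)] += 1
    return {(u, s): counts[(u, s)] / fleet[u] for u in fleet for s in SEVERITIES}


def hotspots(density, severity):
    """Business units ranked by density at one severity, worst first."""
    rows = [(u, d) for (u, s), d in density.items() if s == severity]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def rising(previous, current, severity):
    """Units whose density at `severity` went up since the last snapshot.

    A low but non-zero density is normal patch backlog; a climbing density is
    where attention is actually needed.
    """
    deltas = [(u, round(current[(u, s)] - previous.get((u, s), 0.0), 4))
              for (u, s) in current if s == severity]
    return sorted([r for r in deltas if r[1] > 0], key=lambda r: -r[1])


def heatmap(density):
    """Render the density grid as text rows: a header plus one line per unit."""
    units = sorted({u for u, _ in density})
    lines = [f"{'unit':<14}" + "".join(f"{s:>10}" for s in SEVERITIES)]
    for u in units:
        lines.append(f"{u:<14}" + "".join(f"{density[(u, s)]:>10.2f}" for s in SEVERITIES))
    return lines


if __name__ == "__main__":
    prev = vulnerability_density(ASSETS, PREVIOUS_FINDINGS)
    curr = vulnerability_density(ASSETS, CURRENT_FINDINGS)
    print("\n".join(heatmap(curr)))
    print("critical hotspots:", hotspots(curr, "critical"))
    print("critical density rising in:", rising(prev, curr, "critical"))
```

On this constructed data the raw finding count would put diagnostics (6 open findings) ahead of life-sciences (4), but per-asset density puts life-sciences first at the critical level (1.0 critical findings per asset against 0.25), and the snapshot comparison shows that its critical density is the only one climbing. That is the kind of shift the heat map is meant to surface.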
CISOs: FOCUS, LEADERSHIP, AND ENTREPRENEURSHIP
Lugo says many publications discuss the difficulty of the CISO role, saying it is not a career you choose; it chooses you. He says there is no playbook or off-the-shelf program that will work in every organization, given the constantly evolving and ever-morphing nature of businesses and today's threat actors.
Lugo explains, “The security function, what makes it so exciting is that threats are changing, attackers change their motives and their techniques change. And at the same time businesses are quickly becoming more and more digital, moving their on-prem solutions to cloud-based, they’re coupling analytics to their product lines or embracing technology in their products and services. All organizations nowadays are driving technology investments and creativity in one way or another. To bring all this back together, the security leader is really at a great point today to not only take programs leaps and bounds above and farther than they may have ever dreamed, but also truly bring the right focus, the right leadership, and the right level of entrepreneurship into an organization to help companies grow and thrive. For me, it’s a great time to be in the security leader role and we couldn’t have any more support nowadays than we’ve ever had. Couple those things together, it’s a great opportunity and a great time to tie security programs into the core of the business and the heart of the organization.”