Rosa Feygin began her career in the financial field, working in engineering, architecture, and developer roles, developing enterprise security solutions, which naturally compelled her to learn more about the information security side of business. Feygin says, “At certain points in my career, I decided that I wanted to go even broader into security to understand the policy, governance, risks, and risk management, and more from an organizational point of view to have that ability to grasp the bigger picture and understand how things work together between business and IT. That naturally made me think about moving into a CISO role.”
Feygin held her first CISO role while at an independent bank corporation, which was both an educational and challenging opportunity, but one that enabled her to gain an immense amount of valuable experience. She learned how to develop secure applications, enable infrastructure, and proactively respond to audits and customers. Not only did she mature her business acumen, but she had the opportunity to report to the Board of Directors and communicate openly about risk.
At the beginning of 2020, Feygin took on her current role as Head of Security at Vistaprint, a Cimpress company providing marketing products and solutions. Feygin comments, “I decided that I wanted to move away from financial organizations and see how security is done in non-financial verticals. In my mind, security is not just a technical problem, it is a cultural problem. At Vistaprint, I work to make sure security is distributed across the organization and everybody has accountability for integrating security into their daily work and their business processes.”
To date, Feygin has over twenty years of experience in information technology, information security, and risk management.
STRONG GOALS TO IMPROVE SECURITY

One of Feygin’s top priorities is collaborating with Vistaprint’s parent company, Cimpress, to strengthen the software development life cycle. She says that to achieve this, they are focused on addressing any detected issues before they reach production. Although many consider this basic security hygiene, it is vital for a functioning security program.
Feygin explains, “Right now we just introduced static code analysis to Vistaprint, and it’s going to be rolled out to all other businesses with the same purpose. But obviously there is much more than just code analysis in a software development life cycle. We’re also looking at open source management and threat modeling. It’s not that we don’t have it; we have it, but we’re trying to get it to a more mature state where you can get to the level of consistency across all the tribes and all applications.”
Another area of focus for Feygin and her team is incident response and making sure the company is resilient to cyber attacks and cyber threats. As threats become more sophisticated, the team must detect them as early as possible, then contain and respond to them in a productive manner. This may also include help from various technologies relevant to their incident response approach and function.
To achieve their goals, Feygin fundamentally believes a strong security culture must be woven into each department and layer of the organization. She says, “A challenge which we’ve been addressing pretty successfully, and it’s a never-ending process, is the security culture of the company. One of the most common attacks is credential stuffing, which becomes easier to launch when passwords are not complex enough or not stored securely. And this is what hackers exploit. As part of the overall security culture, to make sure that security is top of mind for every employee, whether it’s a technical employee or non-technical, they have to be informed. Security culture is definitely an ongoing challenge.”
DESIGNING SECURITY BY DEFAULT AND BUILDING RELATIONSHIPS

As a business, Vistaprint is moving to the cloud, and in order to ensure security is brought into strategic discussions around cloud adoption, Feygin works to establish strong interdepartmental relationships and meets at a regular cadence with all leaders.
She comments, “We are trying to move as fast as possible to be completely in the cloud. We must make sure that implementations are done by designing security by default. For automation, if there are any manual processes in place, there’s always going to be an opportunity for inconsistency and it’s difficult to manage and have visibility into how things are implemented. Security by default, where we can deploy through automation and we can detect any inefficiencies or insecure configurations through automation and then remediate, will get us to a much higher level of cyber resilience.”
Feygin and her team strive to communicate regularly and proactively with other leaders to address business goals and understand the relationship between security and the business. She says, “Part of building strong relationships for me is to understand the highest business priorities each quarter. I must recognize what they need to develop or deliver to business partners and customers. And once they tell me a little bit more about what they are doing, then most of the questions are about how to make sure we meet all the security requirements and how my team can help enable them to deliver on time, but also with the appropriate security controls.”
For Feygin, it is about finding a balance between reputational risk, security risk, and making sure the business is not slowed down.
LEADERSHIP THROUGH COACHING

Feygin focuses on a coaching approach to leading and empowering her team. She tries to coach people and offer guidance while also affording them the freedom to execute and explore. She tailors her leadership to each team member’s level of seniority and level of knowledge around security in order to enable strong and open lines of communication. She explains, “It’s very difficult to get the skillset of people who have knowledge in technology and security right now in the market. So I try to balance this out and also organize the teams where the more senior people can partner with less senior people, and they can provide the guidance for the less senior people and help them grow as well. So it’s not just myself but the team as well.”
INSIDER THREAT

Feygin says they address insider threats in many ways, including through tabletop exercises and making sure Zero Trust is implemented. She comments, “Every year we have specific scenarios for red team exercises, and this past year it was an insider threat scenario. We dealt with an external consultant impersonating a newly hired internship student, who was trying to poke around, find weaknesses and exploit them in our environment. We also rely on Zero Trust, although that is not always enough. It’s not just employees, it’s also all our partners and vendors. And it’s about not just the time they’ve worked for the company, but they might have left, and we need to make sure that all the access is gone.”