ADDRESSING SECURITY IN A CREATIVE ENVIRONMENT
Shaun Belders is the new CISO at BBDO Worldwide, one of the world’s largest advertising agencies. As the agency’s CISO, he is tasked with building a mature security program to effectively support the company’s creative workforce, inspire confidence from agency clients, and improve productivity.
Belders credits his MBA with giving him the right mindset to achieve these objectives. He says, “There needs to be a strong tie between security and business. As an industry [information security], I think we are getting there. We are starting to see this line of thinking trickle down from CISOs to lines of business managers. Security can, and should, align with business. It can be a competitive advantage, and a productivity enabler.”
In the position of CISO at BBDO Worldwide for less than one year, Belders already understands how security plays a vital role in revenue and customer growth for the agency. As Belders explains, “BBDO relies heavily on name and brand reputation. If we do not have the security that our clients require, or if they are not confident that we can protect their marketing data, they will quickly turn to our major competitors. We can be the best advertising agency in the world - and I think we are - but if we cannot prove security effectiveness to our clients then we will not win their business.”
The importance clients place on BBDO’s security posture prompted Belders to solidify security as a competitive advantage. He says, “I’ve been involved in client reviews in the past, and security controls, or lack thereof, are absolutely why a business would choose to work with you or not.”
BRINGING MATURE SECURITY TO A CREATIVE ENVIRONMENT
Before joining BBDO Worldwide, Belders met with the agency’s CIO and CFO to understand the company’s commitment to security. In those conversations, it became clear to him that the company also understood the critical importance of maturing their security program. “In those initial conversations, I tried to gauge their commitment level, and understand what their response might be to my recommendations. I came out of those meetings feeling they would be receptive to my insight.”
“My number one objective at BBDO is driving the maturity of our program. When I came onboard, the program was about two years old, and largely client-driven,” Belders comments. He says that because BBDO is an advertising firm, it was not as regulated or as focused on security as his previous employers. In his first few months, Belders has focused on covering the basics - improving security hygiene, deploying basic toolsets, and updating policies.
While Belders may be a first-time CISO, he is a security veteran with experience in the private sector, previously at Bloomberg; in the defense/intelligence industry; and as a security professional running the firm he started with a friend before leaving to join Bloomberg. He says one of the biggest challenges in any new role is understanding the political dynamics of the company. “I need to understand who the different players are and make sure that I am interacting appropriately with all of them. There is a learning curve to understanding the specifics of any organization.”
Process and technology also play a large role in BBDO’s security efforts. In terms of process, one of the first things Belders is looking at improving is security during the employee onboarding and off-boarding processes. With regard to technology, Belders is assessing systems already in place and identifying gaps.
“In the first few months as a new CISO, you have to understand the many aspects of information security and that there will be gaps in each domain. You cannot just focus on one. You need to make a list of observations and prioritize. For example, are there controls that are completely missing?”
MOVING TO THE CLOUD WITH SECURITY FROM THE GROUND UP
Belders says “working with the business as opposed to being an outside force” is critical to the success of his program.
For example, at BBDO there is a strong push to the cloud as the agency embraces digital transformation. He says, “The business benefits are clear, and I understand that. There is significant cost-savings and increased speed of execution. For me, it is important that I am right there at the ground floor of those conversations with the CIO and IT team. My focus is on helping them move to the cloud securely.”
Belders continues, “It is easy to get CFO buy-in for the cloud because he can plainly see the cost savings. But digital transformation requires an additional layer of security. We already have on-premise security, but the cloud is completely different.”
“At BBDO, we are such a mobile workforce. We rarely issue desktops and even then, it’s usually in addition to a mobile device. Creatives like to move around and they like their MacBooks. Because we are so mobile, we are already cloud-focused. We use collaboration tools like Slack and Microsoft Teams to drive productivity. In an ideal world, we will have nothing on premise anymore. So, the question is how do we keep track of everything and secure what we need to secure? There is no longer any trusted network.”
He explains, “At BBDO we are in a good position since we are starting our digital transformation with security in mind. It is much easier to drive effective security when you are in it from the beginning.”
Belders goes on to say the security industry in general still has work to do in regard to appropriately addressing digital transformation. “We have toolsets for basic compliance, but with regard to securing the whole domain I think that there is not yet a complete security strategy for the cloud.”
TACKLING CHALLENGES WITH THE HELP OF PEERS
Whether he is tackling the challenge of securing BBDO’s digital transformation, or identifying the best technologies to mature the agency’s security posture, Belders relies heavily on his peers inside and outside of the company for guidance.
“Internally, I have a great relationship with our Director of Infrastructure, who has been with the agency a long time. He helps me understand the technologies we have in place, and identify issues of concern,” says Belders.
Externally, Belders leans heavily on other CISOs, both those he meets at small events and those he has known for some time. He connects with them regularly in person and in dedicated Slack groups to help keep abreast of industry innovations and to share best practices in a safe, confidential manner.