As Global CISO of H&R Block, Joshua Brown tackles issues ranging from creating metrics for the security team to deploying "zero trust." He leads the teams responsible for addressing potential security risks, ultimately ensuring there is no delay in the company's progress to innovate and fulfill its ambitious Block Horizons growth strategy. Before H&R Block, Brown worked for several different entities within the Omnicom Group of companies, where he successfully deployed a global infrastructure team to drive technology and security throughout the organization.
Please inform our readers about the recent trends in the enterprise security space.
Since InfoSec became its own distinct practice, the talent shortage has been a constant problem. But I'm optimistic, as the future can be different. To achieve it, current security professionals and leaders must take a personal interest and responsibility in building the next generation of talent and leaders in the InfoSec sector. To that end, the development of college talent pipelines for new young talent, where they are mentored to be proficient enterprise security professionals, is critical to building a strong bench. Second-career individuals are another fruitful place to find unique perspectives and experience. Also, changes have begun in the traditional way of interviewing such talents, removing some of the historical barriers to entry in the InfoSec industry such as unrealistic expectations for experience and an overreliance on certifications.
Automation is another trend influencing the industry partially in response to the challenges around talent shortages. Companies are starting to figure out that hiring ten times as many people is not a better option when they want a team to perform more and better. Instead, automating the mundane and repetitive tasks increases productivity and gives employees more headspace for tackling bigger problems.
There has also been an increase in diversity hiring—from neurodiversity to diverse backgrounds—as companies seem to realize that the more diverse the perspectives on a team, the more creative the solutions to tough problems.
Apart from staffing problems, ransomware continues to be a major concern. And what can be seen as its consequence is that cyber-risk insurance costs have gone through the roof. This has priced a lot of companies out of the market. I think the basic things mandatory for sustaining secure technology environments today–good backup strategy, good cyber hygiene, basic patching, and risk management–are not yet mastered by many organizations.
Could you share some of the concerns regarding enterprise risk management in a post-pandemic scenario?
In the post-pandemic world, factors like the Great Resignation and changes in customer behavior made it clear that the businesses had to evolve both how they served their customers and how they enabled their workforce to deliver on the business strategy. To advance those changing business and employee requirements, security services had to be adaptive and laser-focused on supporting the new models of working and customer interactions.
"From a business and serving-the-customer perspective, the security of our customers' data is paramount. And that means we have to be able to do a great job of ensuring that we can authenticate our customers."
Also, these last couple of years has underscored the importance of broadening our understanding of risk so that we can help the business make well-informed, risk-based decisions. That's why we are always concerned not only about any potential security incidents at a macro level, but also with the notion that we can always be better. We must do a much better job redefining what better security looks like and setting the right expectations for enterprise risk management, whether we are talking about our own systems, our partners or affiliates, key suppliers and vendors, etc.
Please share a few thoughts on the approach you're taking toward risk management at H&R Block.
Like many other companies, we are on a zero-trust journey. We are helping facilitate better and more efficient ways of serving our clients while maintaining or increasing our cybersecurity posture. From a business perspective, our customers' data security is paramount. For that, we need to be adept at identity and access management from our employees' perspective, as it will prevent data from falling into the wrong hands. Also, we have to be able to do a great job of ensuring authentication of our customers, whether they're in an H&R Block office or remote, regardless of how they choose to interact with us.
Needless to say, we want to accomplish this with the least amount of friction. But additionally, we have to balance technical controls to achieve the right level of security when we detect aberrant behavior that diverges from established patterns due to security concerns. This will help customers be more secure and confident with our security stance and ensure that we are delivering the best possible experience with the right level of security. To accomplish this, we are taking a holistic view–internally and externally–when we look at authentication, authorization, trust, behavioral monitoring, and aspects that flow out of a zero-trust journey.
What are some of the trends that excite you about the future of enterprise security space?
The trends of companies going multi-cloud and multi-platform are some of the interesting things happening in the security space. We're seeing SaaS platforms upping their games by constructing their services to be secure by default. That said, I believe that no product can completely solve security issues. Tools and technology are there to instantiate and enforce policy. And that's why technology is the last thing one must reach for to solve problems. Instead, we must understand that it's the people and processes that are vital to building a strong InfoSec foundation. In this regard, presently, there is a lot more willingness among organizations to build a strong bench of talent with relative newcomers to the field.
We are seeing government entities like the SEC increasing guidance regarding the importance of information security. Also, publicly traded companies have started adding experienced security practitioners to their boards, and in some cases changing the reporting line so that their CISOs report to the CEO or the board rather than the CFO or the CIO. As a result, such companies will have the best chance of elevating security decisions to the highest level within the organization. For InfoSec, this will help us provide business-centric value to our organizations, improving the efficiency and efficacy of security solutions.