Mark Ramsey has over 30 years’ experience in software engineering and security. He initially trained as a software engineer and transitioned into the security side of Information Technology, as it became a growing area within enterprises. He has set up security teams from scratch in a handful of businesses including Assa Abloy, where he is currently Chief Information Security Officer. Alongside this, he is committed to knowledge and education around cybersecurity, and teaches masters-level students at Fairfield University where he has been a Professor for the past 33 years.
What can you share from your experience creating a security function from scratch?
I’ve done this for three companies now. I find most people are cooperative because there is a growing understanding that security is crucial for the successful running of a company. Most people want to be secure and to do things right, but it’s important to strike a balance. You must be sure to make things secure, but flexible enough so people are able to do their jobs and do them well.
For Assa Abloy, security has always been a priority; it is in our DNA given we are a security lock company. We have been building up our security profile but it is an on-going process with new challenges. We are preparing for the expansion to the Internet of Things.
What are the greatest challenges you have overcome since you have been CISO of Assa Abloy – Americas?
My biggest fear is the employees. You can put in all the technology in the world, but sometimes people will not be thinking; that is human nature. The risk is not just malicious in nature, mistakes can be unintentional. It is not just on email where this can happen, it can happen in file sharing environments. All it takes is one click.
We have set up many training sessions to help combat this, with training on secure business processes, and security awareness. I am lucky to have many years’ experience in university lecturing, so I know how to translate technical aspects into easy to learn steps. We do know people are getting better.
What is making it tougher is that there are two things accelerating. Everything is increasingly global and accessible, and everything relies on cyber. You need to know where your data is stored, who the owners are and how it is classified. We can put protection in one area, but if we find a breach in another then you have wasted time and money. It’s not a security project its a programme – a case of on-going management.
How should senior cybersecurity executives ideally work with the board?
I’ve been fortunate to work with security conscious boards, but I would advise people not to scaremonger. It’s best to communicate honestly, to make them aware of risk levels and explain what can be done. Security teams ultimately don’t make the company money, but they certainly can generate value in the long run. Security is a wise expense that can keep boards out of the news if they’re provided with the right information to make an educated decision.
We’re lucky now with GDPR and CCPA providing external standards and pressure. Most boards now know they will be held responsible, this means they are actually seeking out help from security leaders.
Do you have any advice for new CISO’s to set them up for success?
Communicate, communicate, and communicate. Keep the business leaders and employees informed of the risks and what needs to be done to mitigate them.
Be willing to compromise; there are some areas might not have all policies we want in place, but we have to find what will realistically be adopted. Security practices must still allow people to do their jobs properly and securely.