A conversation with Dawn Cappelli, vice president and chief information security officer at Rockwell Automation. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
About Dawn Cappelli: Dawn Cappelli is responsible for developing and executing a holistic cybersecurity strategy to ensure Rockwell Automation (a global leader in industrial automation) and its connected enterprise ecosystem of company infrastructure, products, and customers is safe, secure, and resilient. Cappelli started at Rockwell as director of insider risk. Cappelli was previously founder and director of Carnegie Mellon’s CERT Insider Threat Center and co-authored the book “The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud).”
What makes a successful security leader?
Cappelli: In my opinion the number one requirement to be successful in any security position is passion — passion for protecting the company and its customers. The role of the CISO is to balance that passion with deep understanding of the company’s business environment, clearly articulate the risks to the company, and work with the appropriate leaders across the company on risk tolerance decisions. While I look for passion in all security staff, I believe the most critical traits of a security leader are team building, collaboration, and the wisdom to know when to stand your ground.
It is important that the security team is not seen as “the team of no.” Instead, an effective CISO works with the teams across the company and is viewed as a business partner. It is easiest to achieve this partnership if the CISO has instilled a strong security culture across the company, so that all employees understand why security is important to the company and are aware of actual security threats the company has faced. In that type of transparent culture all employees understand that they are critical members of the enterprise-wide security program and want to work with you.
A CISO needs to bring business value to the company. Supply chain attacks are becoming more and more prevalent – recall that NotPetya was carried out in 2017 by compromising MeDoc’s software distribution. The sophistication and breadth of the 2020 SolarWinds attack has drawn significant attention to the importance of supply chain security. Customers are paying increased attention to and imposing more stringent requirements on the security posture of their vendors and partners. Therefore, revenue facilitated by security is increasing and becoming easier to quantify.
What internal and external priorities should today's security leaders focus on?
First, security leaders running industrial control system (ICS) environments must accelerate their converged IT/OT (operational technology) cybersecurity programs if they haven’t already. The Colonial Pipeline attack showed us the major impact a cyberattack on a company running ICS can have. We have come a long way over the past few years in developing best practices for converged IT/OT security — it is imperative that they are put into practice as soon as possible. CISOs usually “grow up” in IT security. OT is foreign to them and can be quite intimidating. It is important to understand that all the principles of IT security apply to OT — but they are addressed differently. CISOs should work with their OT leaders to reach out to their trusted partners with experience in OT security to help them build their IT/OT security program.
Second, supply chain attacks and mitigation strategies should be top of mind for all security leaders. In addition to the SolarWinds compromise, we also need to consider the Accellion hack, in which information shared by organizations was compromised due to a zero-day vulnerability in the secure file-sharing product they were using. The number of victims continues to grow.
The breaches of Codecov and Fujitsu's "ProjectWEB" information sharing tool further reinforce that these types of attacks will continue. We are all part of one ecosystem, and we all need to work together to strengthen the cybersecurity of the entire supply chain. These attackers are strategically targeting companies with products that can be compromised and used as a threat vector to compromise their large customer base.
Third-party risk has been a foundational element of most security programs for years. But we all need to consider expanding our programs to include the following:
- Software supply chain: Any company that uses third-party software in their products needs to have a formal program to ensure that the software is developed using a secure development life cycle which includes security testing throughout the development process. In addition, technology should be used to ensure the security of open source software used in all products. The recent Executive Order requires this for any product used by the U.S. government, but hopefully this will become standard practice globally.
- Manufacturing supply chain: Manufacturing was the top sector hit by ransomware attacks in 2020, including small and medium suppliers in the manufacturing supply chain. It is important that companies confirm that the security posture of their critical suppliers is sufficiently resilient against ransomware attacks.
- Third-party incident response: The breadth of the SolarWinds compromise — 18,000 victims — presented a complex dilemma. Most large companies have thousands of suppliers. Any of them could have been compromised through a SolarWinds update and could now pose a risk to your own company. Where do you begin in canvassing your suppliers to determine who has been impacted, and implement appropriate mitigation measures? Companies should consider creating an incident response process for handling these types of incidents using a risk-based approach.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
It all starts with a foundation of trust. The security leader needs to build relationships with their peers, the C-suite, and the board so that they are seen as a trusted partner in supporting execution of the company’s strategic framework, reliable in understanding and managing security risk for the corporate ecosystem, technically capable, and able to handle complex, stressful situations.
I think a risk-based approach is key. It is the responsibility of the security leader to manage security risks across the enterprise. Major risks that require significant investment or impact the business should be escalated to the appropriate business leader for a risk tolerance decision, and that leader should be held accountable for that decision.
I am a strong believer in quantifying risk and using that to enable the appropriate leaders to make risk tolerance decisions. We have a network of security liaisons in every business and function that assist us in that risk analysis. This lends credibility to the risk, probability, and potential impact we present to the leaders.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
Anything related to team building is critical, for example understanding different social styles and using that knowledge to adapt interactions with individuals accordingly, and how to hire the ideal team player (one of my favorite books is “The Ideal Team Player: How to Recognize and Cultivate The Three Essential Virtues” [J-B Lencioni Series]).
In security, it is also very important to understand the current threat environment. Develop relationships with government partners who provide timely threat communications and take time every day to read a daily security news feed so you are aware of the latest threat groups, who is being targeted, and what you can do to avoid becoming compromised by them.
What attracted you to join the Cybersecurity Collaborative as an Executive Committee member?
What I said above, plus this: I want my team members to have the opportunity to build their own network, to actively contribute to raising the security posture of the security community, and to establish themselves as thought leaders in security.