A conversation with Sheldon Cuffie, enterprise CISO of American Family Insurance. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
About Sheldon Cuffie: Cuffie is vice president and enterprise chief information security officer at American Family Insurance, where he leads the cybersecurity, disaster recovery, technology risk management, and technology M&A integration functions. He previously served as vice president and global CISO of Dell Technologies, vice president and CISO of Northwestern Mutual, and held IT architecture leadership roles at Harley-Davidson and Abbott Laboratories. Cuffie is a veteran of the Wisconsin Army National Guard, earned a bachelor's degree in management from Concordia University Wisconsin, and a master's degree in organizational leadership from Quinnipiac University.
What makes a successful security leader?
Cuffie: The CISO role is often billed as an action hero — a unique mix of technical, business, and leadership capabilities combined with superior communication, negotiation, and risk management acumen and a compelling level of stress tolerance, executive presence, and charisma. While superheroes are reserved for the movies, some concepts do apply.
CISOs, over time, learn their powers, capitalizing on their strengths and continuously improving them, and understanding their physiological limits. Successful CISOs shift strategy and tactics in alignment with the situation at hand. They apply diplomacy in some cases, infusing advice into business decisions, or lead teams to targeted results. The best of the best CISOs build heterogeneous teams with broad perspectives — teams that value straight talk, believe in psychological safety, and maintain awareness of business context to drive quality and enable timely decision-making.
What internal and external priorities should today’s security leaders focus on?
Security leaders must double down on securing identities, data protection, application security, building a risk-aware culture/mindset, and cybersecurity skills transformation. Thinking just of the last two items, even today — after a decade of large-scale breaches and major shifts in computing — security teams look eerily similar to legacy patterns when it comes to on-premise perimeter protections, policy enforcement, and provisioning via forms.
Cybersecurity organizations must shift to become more agile, more skilled, and more digitally capable than their development counterparts. Building on that, the parallel path of helping the workforce understand their role in protecting data is critical — including how to identify insider risk. Creating a risk-aware culture to inform and educate is a task that the cybersecurity team must advance in concert with the protect-and-defend mission.
How can cyber leaders work with corporate peers to win buy-in from c-suites and boards of directors?
It’s important to engage them in understanding and setting a baseline. Just like buying a house, a home inspection is critical. The last home inspection may have been fine, but over time, changing building codes and changes in how the structure is utilized all inform the baseline.
Engaging leaders to better understand their critical processes, business operations, and business outcomes can provide a baseline that structures your work and approach. All of this is mapped against credible industry standards and benchmarks to inform a potential aspirational maturity state. A map of key risks provides an overlay to determine areas of highest and most urgent investment need, with an appropriate pace and priority over several years. This is the homework and heavy lifting upfront. Take time to listen and understand the history of why certain conditions exist and then pivot to solutions; don’t assume conditions are due to bad people or negligence.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
They would benefit by taking a page from management consulting best practice, understanding the process of how decisions are developed, socialized, and “sold.” Very rarely have I built a business case that immediately received buy-in even when there was significant financial ROI and/or clear and present risks. I had to take my ideas out, bounce them off stakeholders, incorporate feedback, and sometimes convince and win over passive resisters.
It helps to maintain an unrelenting curiosity in and out of your industry vertical, and to continuously develop your interpersonal skills. I’ve had to learn about organizational behavior, emotional intelligence, legal standards and precedents, investment operations, global supply chain logistics, public speaking and more.
Why did you join Cybersecurity Collaborative?
We all face similar problems securing our companies from an evolving and growing cyber-threat landscape. Learning from peers across industries — problem-solving with them — yields better decisions and faster results. Learning from peers in other industries will help me develop pragmatic solutions that my company and our customers can benefit from.
Why did you become a member of the Collaborative’s Executive Committee?
The overwhelming constant during the past eight years in cybersecurity has been the willingness of peers to share knowledge, insights, and solutions without reservation. Over the years, several of the current Cybersecurity Collaborative Executive Committee members have provided small nuggets of advice to me that provided the catalyst or spark for a broader solution. These are people I highly respect, so I’m humbled to join them in paying it forward.