A conversation with Corey Kaemming, information security leader of The Andersons. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment. Find out more here. The following is based on an interview, as well as a written response to questions. It has been edited for clarity.
Corey Kaemming is the senior manager of information security at agricultural supply chain company The Andersons, and is co-chair of the Cyber Security Collaborative Detroit Chapter. He holds a bachelor's degree from The University of Toledo in computer science and a master's degree from Colorado Technical University with focus on cybersecurity management. He is also a recent graduate of the enterprise cybersecurity leadership program through the Professional Development Academy.
What makes a successful security leader?
You need to have the ability to effectively work with the business to sell security while also motivating your team members and supporting cast. You'll have a morning where you're engaging executive leadership, and then in the afternoon you're having to talk tactical strategy with your team. It's not only being able to talk technical and business, but also providing a direction and priorities to the team. This starts with effective collaboration activities, while putting the right resources (people, process and technologies) in the right areas, allowing for growth and maturity.
As a security leader you deal with daily fire drills while also being asked to grow the effectiveness of the program. This takes someone who understands what’s a true business risk while being able to balance security priorities versus operational impact. ... As as a security leader, every single day, you're making a decision that could affect the overall risk of the company. And at times those decisions may not go well in the eyes of the business. If I decide I'm going to put this control in place or lock this down, how does that affect our day-to-day operations? It's understanding the overall risk appetite of the company that allows you to make those, ideally, well-informed decisions.
What internal and external priorities should today’s security leaders focus on?
Security leaders should understand the business culture, aligning their security strategy to support the business strategy. Having those risk tolerance and appetite conversations with business unit leaders is a must, while also promoting an open security methodology. Internal resources need to understand that security is here to support and protect their efforts to modernize and grow their business by promoting an open-door communication process between security and business. Security leaders should also partner with those key subject matter experts within the business, but can also be a security champion. Aligning you maturity to a security framework is also as must, as it allows leaders to have a standard reporting method to the board, plus drives focus and priority to the tactical resources.
Externally, while we may compete with others in our industry from a business aspect, we are all facing the same day-to-day cyber threats. Engagement with peers within your industry, as well as outside of it, to share information is a must. At one point in time someone has gone through the situation(s) that you are in and provide real world input on how to work through it. Being able to speak to peers in the same position allows for you to bounce ideas off them, while also being a shoulder to rely on as this role can be stressful. I’ve participated in multiple partnerships such as Cybersecurity Collaborative, Infragard, ISACA and local networking events.
I also believe having a good relationship with the security leaders of direct suppliers and vendors that you rely on is key. Partnering with them to understand pain points and roadmaps from both sides is key. As it allows for you to both be bought into the success of the partnership which will be reflected in the growth of the services.
Outside of partnering with peers, it’s also beneficial to partner with key vendors that you rely on for services. These vendors have insight to amazing threat intel and from what I’ve seen recently are being proactive in providing this threat intel to customers. This also includes other agencies such as CISA, ICS-Cert, FBI, etc.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
I think it starts with building that trust with business unit leaders, while effectively being able to communicate security risks in relatable business terms. Leaders need to understand that most of us started off in a technical role, where technical language is second nature. A strong cyber leader should be able to translate that through various methods such as analogies, real world examples, while being able to explain the why. I’ve learned in my career that having the ability to explain the why is key for success, while also having negotiation skills when “selling” security. When it comes executive leadership, having a consistent message identify key priorities, maturity against a framework, current risks and reporting on progress against a plan.
For all others, it's working to identify security champions within the organization, while making sure the necessary policies and standards are in place.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
You're a salesman, right? I think the big thing in my role is you have to sell security, you have to pitch why this new technology or this new control has to go in a place.
This is really based on your background and industry you sit in. There’s good training through the PDA, IANS, Carnegie-Mellon focused on training CISO’s. I would also recommend looking into getting a mentor in the industry or a career success coach that can help get you to that next level. What I’ve found is that CISO’s need to have great communication skills, business acumen and be able to be a people leader. Some of this can be taught, while others come from experience and putting yourself in challenging situations to allow you to grow.
Why did you join Cybersecurity Collaborative?
One of the goals from a professional standpoint was to get out there more — to partner with peers. ... I found value in just being able to listen in to those, initially, and then you realize that everybody's kind of fighting the same fight. Even if they're a direct competitor in the same sector, when it comes to CISO-to-CISO — that's not really competition — it's supporting.
What is most valuable about your membership with the Cybersecurity Collaborative?
It's peers to network with, to kind of grow with, to run questions by each other. It's also just the ability to to meet new people from different areas of life. For me, it was a challenge to talk in front of people. I'm an introvert — most people are in the technology field. If you want to be a leader, you're going to have to get in front of the board, town halls at your company, things like that. So this is a good way to slowly progress into that, in a sense, public speaking.
