A conversation with Kevin Morrison, Driven Brands' vice president and chief information security officer. This is one of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
Kevin Morrison is vice president and chief information security officer at Driven Brands, Inc. Driven Brands is the leading automotive services company in North America in addition to serving 14 countries, with Meineke, Maaco, Take5 Oil & CarWash, DrivenGlass, CarStar, and others comprising its portfolio of brands.
Morrison’s background includes former CISO roles at two Fortune 500 companies, including Alaska Air Group in Seattle and PulteGroup in Atlanta, as well as at Jones Day, one of the largest global law firms. His career spans 25 years in IT, with more than 19 of them in cybersecurity, responsible for building and leading teams focused on incident management, operations, mobility, forensics, compliance, policy, privacy, and business resilience across public and private industries and in highly regulated environments.
What makes a successful security leader?
The most successful security leaders I've observed are those who are approachable and seen as a trusted advisor, which not only comes from experience but also from a servant-based philosophy that is purposeful about collaboration and partnerships as the leader creates and gets buy-in on strategy. Successful security leaders also need to have a unique blend of one part cyber and technology expert, and one part diplomacy guru from soft skills that can allow the person to pass the "airport test." As security leaders increasingly present to boards, strong and concise communications with executive presence are clearly a must, as is having the support of the board, executive team, and the executive to whom the security leader reports. Finally, I don't know any security leaders who are successful without supporting and showing appreciation for his or her team, who are often the daily unsung heroes.
What are some of the external priorities and internal priorities that leaders should be focusing on?
Every business is different, but I think there are some commonalities shared among them all. Externally, understanding third-party dependency risks is a substantial undertaking but a critical endeavor that must go beyond the typical compliance-based questionnaires. Insights obtained from these efforts can bring tremendous value as to how and where the business may be affected as a result of those dependencies, which allows for remediation of risk to be prioritized. And for cyber teams responsible for facilitating those third-party risk assessments, including critical non-technology partners that can have material impact on operations, revenue or brand must be in the mix. For internal priorities, outside of the standard identity and access management, cloud, and artificial intelligence risks that most leaders are tackling, with software now acting as critical infrastructure for many organizations, supply chain/SBOM [software bill of materials] risks (i.e. Log4j) have become a top priority in DevSecOps capabilities that require engagement with a variety of stakeholders. Additionally, many organizations still struggle with one of the most basic and critical security hygiene controls, which is dynamic and centralized asset management. We've found great success with a very innovative platform that's made it easy to discover and see all assets across the environment and then quickly identify where risks exist. Happy to share that company name with any CISO who wants to reach out.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
There are so many things that can help in this area, but I'll mention just a few. Proactively reach out and engage in conversations when you don't need or want anything. Stand up a Cyber Business Champions Group to partner across the organization and learn about each area of the business. Form steering committees of senior executives that review and provide input into roadmaps, risks and decisions that operationalize governance to where it's not a CISO making them in a bubble. Create a service-based model that emphasizes the team's desire to get to a creative "yes" on requests. Communicate in a manner that removes technical lingo from conversations with anyone outside of IT or cybersecurity. Find opportunities to play golf or some other outside-the-workplace group activities that forge stronger relationships. And finally, be honest with the board about where risks reside, but have and communicate a plan for how they can or will be mitigated. Oh, and never surprise your boss with what's being reported to or discussed with the board! Good bosses will help you navigate the best way to communicate your concerns and observations.
What kinds of non-technical training do security leaders need to be successful in leading global enterprises?
With recent SEC requirements making their way to boardrooms, any opportunity for security leaders to become more familiar with directors' responsibilities and how materials can and should best be presented is highly valuable. One such opportunity is through the Digital Directors Network and their Qualified Technology Expert class (of which I'm enrolled to take in late September), or in pursuing the NACD Directorship Certification. My first non-technical "training" (if you can call it that) was going through my two-year MBA program. That on-campus experience over a decade ago (at Pacific Lutheran University in the Seattle/Tacoma area) taught me that I knew relatively little about how a business functions and what's important to business leaders. Leading global enterprises requires security leaders to be purposeful about stretching themselves outside of their technical comfort zones.
Why did you join the Cybersecurity Collaborative?
The community built within and by CISOs in the Cybersecurity Collaborative is incredibly strong, and offers my team and me numerous opportunities to both learn from, as well as contribute to, the community. With both online and in-person events, coupled with a vast repository of policies and other content that can be customized without reinventing the wheel, joining as a member was a no-brainer for the cost and value it provides.
What has been valuable to you with your membership in the Cybersecurity Collaborative?
The daily security morning report that's delivered to each of my team members and me has been quite valuable, as we no longer need to scour the plethora of cyber-related news to determine what new headline may affect our business. Attending (and even helping to determine the content at) in-person conferences with the quality of speakers and topics is well worth the out-of-office time that security leaders and their teams must consider in weighing opportunity costs against a long list of priorities and responsibilities. The ability to get plugged into various task forces and working groups with amazing thought leaders that tackle some of the most pressing concerns, as well as engage other members on confidential matters such as incidents, comparing metrics/KRIs reported to the board, etc., is also of significant value.