The Dig Leagues – Our Interview with Renee Guttmann

Sharon Farber

Renee Guttmann is a Chief Information Security/IT executive with experience leading risk management programs that deliver business results. With over 30 years of experience managing technology risk for global corporations across multiple industries, Renee is passionate about the need to advance emerging better practice and retire controls that no longer serve the new threat landscape. Renee currently serves as an advisor to cybersecurity corporations and individual executives.

Tell us about your background.

I started my career managing the Office Automation program for Glaxo Wellcome, a pharmaceutical company. This was in the early 90’s, and we were the first people on the internet in pharmaceuticals. The company had a firewall and multi-factor authentication (MFA) well before firewalls and MFA were implemented at most companies. In 1995, I transitioned to Glaxo’s data security department, where I made data security and privacy a top priority ahead of most of today’s compliance laws. 

Over the past 30 years, my information security leadership career has spanned many companies and industries. I’ve served as the CISO for Coca Cola, Time Warner, Royal Caribbean, and Campbell Soup Company. In 1999, I was the head of architecture for Capital One, and my team implemented the first system to enable secure online customer access to financial statements. I managed Incident Response for AOL Time Warner, and in 2008 I was asked to establish the Enterprise Risk Management program for Time Warner.

Now my passion is consulting for smaller companies that don’t have the resources that I enjoyed when working for the Fortune 50. I am also advising startups that have innovative solutions that I believe more effectively address cybersecurity and privacy risks for small and medium-sized organizations. This includes companies that address risks of the cloud, the convergence of OT/IT security systems, and the automation of manual, error-prone processes.

Are there absolute musts that need to be in place for an effective cloud data security program?

Definitely. The big ones are visibility, accountability, evidence, and transparency. Some people are content with not knowing what they don’t know, but there are tools that exist today that enable security teams to have more visibility than ever on what’s being protected. I highly recommend investing in them. If your organization has data across multi-cloud environments, find a tool or platform that can play across multiple environments. No matter what, you have to be able to make decisions based on evidence and have visibility into all of your data to confidently know that your security is working and your assets are being protected. 

Sounds like not having full visibility might be a big gap for a lot of companies. Are there any other current gaps you’ve noticed in other companies’ security programs?

Two gaps come to mind. The first is how companies prioritize and address risk. This can be a problem of governance. For example, should the company allow the head of an individual business unit, such as marketing or HR, to sign off on a risk that could have a material impact on the entire business?

The second is incident response. No matter how small your company is, you need to have a process in place for managing security events and breaches. After the event is over, there should be a root cause analysis to understand what happened and what can be improved to mitigate the risk of a recurrence. This may involve remediation through technology. But often remediation requires process improvement and automation of manual tasks.

Lastly, organizations must practice the incident response procedures at least annually and make sure that everyone on the team—including senior leaders and third parties—understands their roles and responsibilities.

What are some of the biggest challenges you’ve faced over your extensive cybersecurity career?

Handling breaches was extremely challenging. We had a breach that happened on Thanksgiving Day, with remediation happening all through the new year. As a leader, I had to handle both the breach itself and take care of the team handling the breach over the holidays. I did what I could to ease some of the stress, like taking people's lunch orders and understanding what important holiday events were being impacted so I could ensure that people did not miss them. I believe that a leader is only as strong as their team, so taking care of people is critical.

Wow, a very powerful message. How does that factor into your core beliefs as a security leader?

When you care enough about people to explain to them why something is important, they will care enough to listen. You have to be able to explain the why—in terms that they can understand and relate to. If you can't, people are much less likely to take anything you tell them to heart. 

You're only as strong as your team. Relationships are everything, both with your team and with other leaders in your organization. I’ve created principles for myself to keep that top of mind, like sending three thank you notes on a Friday afternoon just to show my appreciation for their support.

How should security leaders make sure that their employees are in compliance and always thinking about security?

This comes back to being able to explain the why. Nobody's going to care if you can't explain to them why they should care. More tactically, role-based training is really important. Every employee should get broad basic training and department-specific training.

I also think one of the worst things companies can do is penalize employees whenever there is an incident. Security leaders need to be the people that other departments are comfortable approaching – the first people employees think to call when they’ve made a mistake or have something to report. It always comes back to building strong relationships – everyone’s just human, after all.

What is your advice for today's security leaders?

Take a look at your governance process, define who can accept risk, and learn about emerging techniques that automate manual processes. I have never been more excited about innovation, but I worry that we’re not adopting innovative security technology and better practices as fast as we should be to keep up with evolving risks. I hope that in 2023 we focus on retiring technical debt and that we stop relying on legacy controls that are fundamentally inefficient in today’s threat landscape.

Security teams need to be seen as enablers and not the ones who are hampering digital transformation. Being an enabler means you’re seriously paying attention to everybody else’s business problems, finding ways to help them, and looking for ways to deliver the strategic imperatives of the organization. Even if some activities are not traditionally in the security wheelhouse, you might still be using a solution that can help other departments. For example, if you have a security solution that can identify data that is no longer being actively used, you can share this information with the infrastructure team so that they can better manage storage costs. At the end of the day, looking for win-win solutions across your organization and always putting relationships first will take you a really long way. 
