Security is a team sport that requires leadership support, says Mandy Andress, CISO at Elastic, investor and board member.
In a conversation with Dan Haagman, CEO of Chaleit, Mandy explores the shift from a purely technical mindset to a more holistic understanding of cyber security, emphasising the need for collaboration, continuous learning, and understanding human behaviour.
How does a CISO choose between stability and the allure of change? And why pursue a law degree while working full-time in security? Watch the interview and read the article below to find out.
Tech & law: A winning combo for security
Mandy’s passion for technology, coupled with her business acumen, is the basis of her 25-year career in information security and risk management. However, this path wasn’t always clear. Ten or fifteen years ago, the job she holds now simply didn’t exist — a fact she emphasises to her children, encouraging them to embrace emerging opportunities.
Mandy has thrived as Elastic’s CISO for the past six years, exceeding the typical tenure for CISOs nowadays. She joined Elastic pre-IPO, experiencing the excitement of the IPO itself and witnessing the company’s significant growth and scaling challenges. These experiences provided learning opportunities and created a strong sense of collaboration.
The strong security culture at Elastic, which starts at the top, was also essential in her role there. It empowered the team to achieve remarkable things together, she believes.
While working full-time, Mandy pursued a law degree, which has helped her better understand the evolving legal side of technology and business. Legal expertise is valuable when tackling the security and compliance challenges organisations face, she says, while admitting that she also just loves to learn and go to school.
Her law studies have helped her to develop critical thinking and interpretation skills, which she finds invaluable in her current role. These abilities are especially crucial when dealing with complex regulations and contracts.
The security leader's dilemma: change or stability?
While acknowledging the value of long tenure and accumulated knowledge within an organisation, Mandy also highlights the allure of change and new challenges in the dynamic security field. Some leaders may find maintaining the status quo unfulfilling, causing them to look for fresh opportunities.
Another significant challenge is getting business support and investments within organisations. A CISO may spend years struggling to acquire the resources needed to execute their security plans. This prolonged resistance or lack of resources can be frustrating, leading CISOs to seek roles where they feel more empowered and less burdened by justifying investments.
The evolving legal and liability landscape surrounding security leadership roles adds another layer of pressure, influencing their decisions.
An extensive educational background in accounting, information systems, and law, coupled with rich work experience, enables Mandy to deal with these challenges by better anticipating potential pitfalls and asking the right questions.
The human factor in cyber security
Mandy described a significant shift in her thinking. She initially believed technology could solve every problem, but came to realise that the essence of security lies in people.
Human interaction and teamwork, aided by technology, are essential in driving successful security practices.
At the same time, threats like phishing and social engineering continue to exploit human vulnerabilities, so it is crucial to understand behaviour more deeply. Social engineering is essentially a con: it preys on human behaviour, and anyone is susceptible, Mandy observes.
While technology can aid in defence, it’s essential to work with human nature rather than trying to change it. As a result, security professionals should adopt a more nuanced approach incorporating psychology and behavioural science.
Why fundamentals still matter
Mandy believes in the importance of cyber security fundamentals. She argues that strong security hygiene and adherence to basic practices are critical for a robust security posture.
While new technologies might seem more exciting, consistent application of fundamentals prevents security incidents.
She also warns against relying solely on tools as a fix-all solution. Tools can be helpful, but they often mask deeper issues. Poor security hygiene or organisational resistance to addressing core weaknesses can render tools ineffective.
Furthermore, simply deploying tools isn’t enough. It’s crucial to consider the broader picture: processes for analysing tool outputs, mitigating identified gaps, and responding to security threats.
Post-deployment efforts like maintenance and maximising the tool’s capabilities are also important.
By taking this holistic approach, organisations can enhance their cyber security practices.
Trust within supply chain risk management
While traditional methods like security addendums, certifications, and compliance cycles offer a sense of assurance, Mandy argues they may no longer be sufficient.
Certifications often evolve slowly, leaving a gap between their baseline requirements and the current threat landscape. A DPA (data processing agreement) or a security addendum might tell you a vendor has basic measures in place, but it doesn’t guarantee they’re prepared for sophisticated attacks.
Furthermore, Mandy highlights the challenge of cumbersome compliance processes. The industry has struggled to streamline these assessments, leading to time-consuming exercises with questionable effectiveness.
Similar to the development of financial reporting standards in accounting, there’s a need for standardised security reporting frameworks in cyber security, Mandy believes. This would facilitate a clearer understanding of security practices and outcomes across organisations.
Ultimately, aligning security standards and reporting would lead to more meaningful and actionable assessments within supply chains, allowing for a more efficient approach to security risk management.
Embracing anti-fragility in cyber security
As technological change accelerates, traditional resilience approaches are no longer sufficient. To truly embrace chaos in cyber security, we need a shift in mindset, Mandy believes.
It’s increasingly difficult to anticipate all the consequences of cyber security events, given today’s interconnectedness. Major disruptions, such as those caused by supply chain vulnerabilities or unexpected system failures, can have far-reaching impacts.
Instead of trying to control every aspect of security, organisations are embracing the idea of anti-fragility — building systems and processes that can not only withstand disruptions but also evolve and grow stronger.
The concept of anti-fragility offers a new perspective on cyber security. It goes beyond mere resilience to thrive in chaotic environments. Anti-fragility is about embracing uncertainty and leveraging disruptions to become stronger and more adaptable.
Instead of viewing disruptions as negative events, organisations can reframe them as opportunities for growth and innovation. This shift requires a willingness to experiment, learn from failures, and adapt quickly to changing circumstances.
At Chaleit, we support moving away from rigid security practices and embracing flexibility and resilience. We encourage organisations to shift from a reactive to a proactive stance if they want to manage today’s security complexities successfully. And we’re there to guide them every step of the way.
If you’re also a fan of continuous learning, check out our blog and YouTube channel for more interviews with top industry experts. Contact us for a meaningful conversation on how to improve your organisation’s security posture.