When Gene Zafrin started his cybersecurity journey at Goldman Sachs 20 years ago, the title of "CISO" was barely a decade old – and much of what CISOs did they learned from each other or invented with their teams.
Today, the industry has significantly matured, with many more dedicated cybersecurity professionals, established best practices, regulations, and an infinitely deeper ecosystem of cybersecurity companies.
That doesn’t mean the job is hugely easier: CISOs still need to keep pace with rapidly evolving threats and regulations, and must navigate the complexity of overseeing multiple, fast-changing, fundamentally different domains.
For example, Zafrin, now CISO at reinsurance heavyweight RenaissanceRe, oversees six distinct security verticals, which together operate almost like a small company integrated within the larger enterprise, he suggests.
These are...
- Security Operations
- Security Governance, Risk, & Compliance
- Identity and Access Management
- Security Architecture
- IT Business Continuity & Disaster Recovery
- IT Risk Management
And their work, whilst driven by a common cause, varies widely.
“What our identity and access management team does is fundamentally different from the work of the security operations team. And what the security operations person does has little in common with the work of an application security specialist, and so forth. CISOs oversee a diverse group of functions, and the diversity of what we do means you just don't get bored in this industry!”

Zafrin’s career spans the gamut from highly structured, security-conscious roles at Goldman Sachs and Bridgewater Associates to building security functions from the ground up in a fast-paced HealthTech environment – a set of experiences that marries traditional institutional rigor with agile execution.
As he puts it: “You need to be really nimble to operate in a highly regulated multinational company, and at the same time to keep pace with the rapidly evolving business and threat landscape.”
Brakes, to accelerate
In many organisations, the security function is a classic blocker: the business wants to use a new system, for example, and the security team takes months to evaluate its risks.
Zafrin says he wants the CISO’s office, instead, to be a business enabler.
His metaphor of choice? "The company is a car… You wouldn’t tell a driver to slow to a crawl or stop just because driving carries some risk - doing so might reduce risk, but the destination may never be reached. Instead, you ensure that the car has the right safety mechanisms - brakes, seat belts, and so on - so the driver feels confident accelerating."
Ownership: the ultimate security control
Zafrin’s philosophy is heavily influenced by Phil Venables, who was the CISO of Goldman Sachs when Zafrin worked there. (Venables later became the CISO of Google Cloud, and now is a partner at VC firm Ballistic Ventures.)
Like many CISOs, Zafrin reads Venables’ popular blog and quotes a phrase used in one post addressing cybersecurity professionals: “It is always your fault.”
The idea is not blame, but empowerment.
Instead of blaming a user for clicking that phishing link, a member of the cybersecurity team may ask why their email security software allowed this email to reach the user’s inbox in the first place, or why their cybersecurity training program did not educate the user well enough. This brings agency back to the cybersecurity team and empowers them to take ownership, which Zafrin considers the most important quality of a security professional.
“I think taking true ownership for your area of responsibility is the most important quality of a cybersecurity professional. Depending on seniority, this area could be large or small. Even if you are an entry-level employee, you can still take full ownership of a single process or system. And ownership means that you always work on advancing your area, not waiting for your manager, or a regulator, or auditor to ask you to do that. You always try to improve it a bit more,” Zafrin says.
Zafrin encourages his team to take ownership and make autonomous decisions. At the same time, his team is in four countries and six cities.
To ensure that they are still aligned to the same goal, he developed a vision and a mission for his team.
“I recently read the book ‘What to ask the person in the mirror’, by Robert Kaplan. It talked about the importance of a vision for a company. I thought the same principle, on a smaller scale, is applicable to my team..."
He explains: “It is much less common to have a vision for a team rather than a company, but I thought it could really ensure that we are all aligned to the same True North. Our vision is to ‘Enable the company to achieve its goals securely’. And this is not an empty phrase. The key word here is enable.
Zafrin adds: “Many security teams are not focusing on this. We have already reprioritised a number of projects based on this vision.”
“But we're really aspiring to be very much a business-focused function, rather than just a risk management one, we want to be a real enabler!”
It’s a tricky balance to strike, but with what he describes as “a great team”, a solid set of security tools, and an eye on innovation, Zafrin seems upbeat about his team’s ability to protect against cyber risks whilst empowering the business.
Join Gene, along with a world-class cohort of speakers including JPMorgan's Global CIO and Nomura's Global CTO at The Stack Summit, April 16.