The evolving industrial CISO: A chat with Fortinet's new hire
Willi Nelson recently joined the Fortinet team as CISO for operational technology, bringing more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing and life sciences.
Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with protecting the OT assets for GSK. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon).
We wanted to learn more, so we connected with the outdoorsman, cyclist, woodworker and veteran to discuss the evolving role of the CISO in the manufacturing world. Take a look…
Smart Industry: How is the role of the CISO changing as our digital transformations mature?
Willi: The scope of the CISO role is changing exponentially. Historically, the role has been focused around tangibles such as security fundamentals, the business, and the risk associated with doing business. In the world of digital transformation, our strategies need to be more nimble—quicker to implement so the business can innovate, fail fast, and pivot. This shift brings strategic and cultural changes to our teams so that digital transformation ends up evolving people and process in addition to technology, making the CISO an evangelist of change both inside and outside the security department.
Smart Industry: How accurate are manufacturers in understanding where their vulnerabilities are?
Willi: Vulnerabilities aren’t a new phenomenon, and aren’t isolated to IT, OT, critical infrastructure or the supply chain. Across industries we’ve been identifying and addressing vulnerabilities for decades. We buy tools, we build teams—both operational and SWAT depending on the situation—and our responses tend to ebb and flow with business priorities.
Generally speaking, I’d advocate for an approach that allows teams to pivot as new vulnerabilities are uncovered, maintaining a focus around some key areas such as inventory, asset control, dynamic mitigation planning, and continuous review of the plan.
Smart Industry: How does "cloud transformation" come into play with a modern cybersecurity strategy?
Willi: Cloud transformation is a catalyst that helps accelerate digital transformation, and also brings a new set of challenges. Just as OT requires a different set of technical skills than IT, cloud requires a different set of technical skills than on-prem. This means that an effective cybersecurity strategy must include provisions to grow technical skills as duties morph and expand for our teams and our businesses.
Some considerations for protecting an organization and building a “secure by design” strategy could include:
· Implementing an upskilling program within your organization
· Creating a plan to retain your best employees—this doesn’t have to be the brightest; sometimes it’s your hardest worker that goes unnoticed
· Partnering with your business to be a part of the planning, funding and implementation phases of roll-out so security is set at the beginning
Smart Industry: As you take on this new role, what most excites you about the near future of industrial cybersecurity?
Willi: What excites me the most about this role and the future of industrial cybersecurity is that we have the opportunity to protect businesses, state and local governments, and critical infrastructure before having a major catastrophic incident, and that is a mission I’m honored to join.