CNME Editor Mark Forker secured an exclusive interview with cybersecurity veteran Brian Spanswick, Chief Information Security Officer at Cohesity, to find out more about the unique element of his dual-role at the company, how enterprises need to focus more on minimising the impact of a breach – and how their solution is proving to be a gamechanger in the security industry.
Brian Spanswick has revealed that he has had a lot of ‘fun’ during his distinguished and decorated professional career that has seen him work with some of the world’s biggest cybersecurity companies, but he has declared that he has had the most fun ever since moving from Splunk to Cohesity in April 2021.
It’s been a whirlwind 11 months for Spanswick, and whilst he conceded that it was a difficult decision to leave Splunk, in the end he just couldn’t reject the exciting opportunity that was being tabled by Cohesity CEO Mohit Aron.
“I joined the security team at Splunk shortly after we moved out from under IT, and we were just establishing the security function and capability inside the organisation. During my 3-year tenure working on the security side we built the team from around 7 to over 100 people, and it really was a world-class security organisation. I started working directly for the CISO and took on more and more responsibilities, and I was really enjoying the challenges that we were taking on, especially as we were a security product company. When the opportunity came around for Cohesity, I wasn’t really looking, so it was going to take something special to prize me away from Splunk, and that something special was firstly I really believed in the product, and how our CEO Mohit Aron has built the company,” said Spanswick.
However, the aspect of the new job that was really compelling for Spanswick was the position itself.
“My role at Cohesity is to be the CISO, but I am also the head of IT, so essentially, I have got responsibility for the infrastructure team as well as the business applications team. Now, when you think about it, historically from a security perspective quite often companies work hard to break up those roles because they believe there is a conflict of interest, but really that is coming more from a compliance view of security as opposed to really thinking about security as a core function. We are not in the business to do infosec, we are the in the business of conducting business securely, so having responsibility for the IT services and ensuring those services are secure really makes a lot of sense. We are seeing more and more of this happening in the industry, but it is still quite unique,” said Spanswick.
Spanswick expanded further on the nuanced nature of his new role and highlighted how both the CEO and CFO of Cohesity, really appreciated the importance of merging and aligning the IT and security operations within the organisation.
“Cohesity really started to think about it as a CIO role fused with security responsibilities. Now remember, this was only 12 months ago, and it was around the time we started to launch our SaaS product, and we were looking for use-cases for our core product that were more tied to infosec use-cases. From the conversations that I had with our CEO Mohit Aron and our CFO Robert O’Donovan, it became clear to me that they really understood the importance of switching that emphasis, so that security wasn’t a secondary thought, but instead was a primary objective of the IT organisation,” said Spanswick.
With that increased level of responsibility, it undoubtedly brings pressure, but Spanswick is unfazed by that, and admitted he relishes both the responsibility and pressure that naturally comes with the job.
“It is extremely exciting for me, now it certainly is a challenge, and the stakes are very high, but when I am accountable for both it’s a better conversation when I speak to the executive staff, or the board, because I am not talking about investing in security, instead I am talking about investing in securely running the business and that’s a whole different kind of conversation,” said Spanswick.
Over the last 18 months, there has been an exponential increase in cyberattacks, with ransomware emerging as the preferred method of attack.
High-profile ransomware attacks such as Colonial Pipeline and JBS in the United States, have had severe economic ramifications for those impacted, and the nature of these attacks carry the potential of putting enterprises completely out of business.
According to Spanswick, he believes there has been a mindset shift from some businesses – but has called for a greater emphasis to be placed on mitigating the impact of a breach, as opposed to focusing all attention and efforts on prevention.
“We are seeing a lot of companies invest in protect controls, which are obviously tools to try and prevent your business becoming the victim of a breach, and you should absolutely do that, but you also need to make sure that you make it as difficult as possible for these attackers to get access to your systems and your environments. However, let’s be clear about it, nobody can be 100%. However, where this mindset shift really comes into play is not just thinking about the protect controls and trying to prevent the breach, which again you should continue to do, but instead how do you minimise the impact if you are breached? One of the things that companies should be thinking about is how quickly can they recover from backup. If you think about it on those terms, and certainly we should still try to prevent the attack, but if we can take the potential impact of that attack down to its closest zero then the threat, or the leverage that the ransomware attacker has goes down considerably as a direct result. Companies are investing a lot of focus on protect controls, but I believe they need to apply the same level of focus on the controls that minimise the impact if they are breached,” said Spanswick.
Spanswick then brought the conversation forward and highlighted the impact its solutions were having for its customers in terms of empowering them with the cyber resilience they need to thrive and survive in the complex digital economy that we find ourselves immersed in.
He described their solution in the context of mitigating the impact of breaches as a ‘gamechanger’ in the cybersecurity ecosystem.
“We have a great solution that people who are responsible for infrastructure would consider. We have a brilliant data management back-up solution, but when you apply it to the use-case that I am describing then it really is a gamechanger. Historically, getting investments from the company in things like IT infrastructure such as backup solutions was a challenge, now you would get those investments, but they were not compelling. If the business is making decision between that and increasing quota carrying sales reps’, then it’s hard to compete. When we talk about how that backup mitigates the impact of a ransomware attack then again it is a different conversation at the board level. The value proposition that my organisation brings to the company changes considerably – when you talk about the infrastructure investments that are enabling that kind of business impact, and that really is powerful,” said Spanswick.
We concluded a wonderfully candid and wide-ranging interview, by discussing how the role of a CISO has evolved over the years.
“I think the position of a CISO is really becoming a business enablement role, and you have got to make sure that the business owns the risk and is comfortable with how the security posture aligns with their business outcomes. Security professionals have been talking about this for years, and with the urgency that now exists in this environment then it is quicker for those business partners to see,” said Spanswick.
In terms of how the role compared to that of non-tech related jobs, the Cohesity CISO believes the main difference is how you position products.
“I have worked for both a non-tech company and a tech company, so I’m well positioned to comment on the nuances between the roles. I worked for a product distributor and a tech company, but one key difference especially between Cohesity and my role at Splunk is that we position products for security use-cases. One of the things that is critically important within my organisation is to be an aggressive user of our product and provide that feedback and input into the product management organisation. I have got a full-time senior Cohesity solution architect working for me and his responsibility is how do we deploy Cohesity here that meets the use-cases that we are positioning in the field, just the way our customers would and that’s another differentiator for us as a company,” concluded Spanswick.