GSO 2025 Q&A: Sulev Suvari

June 14, 2022
Consultant CSO weighs in on the challenges facing today’s security leaders and the skills they need to cultivate to better communicate with senior management

Editor’s note: This is the second in a series of interviews with the session leaders of the upcoming GSO 2025 event being held Nov. 2-3, 2022 at VariSpace Las Colinas, in Irving, Texas. The event is named with a future date because it takes a three- to five-year look ahead at where security leadership and security technology are going. Registration is open now.

SecurityInfoWatch.com Editor-in-Chief Joel Griffin recently sat down with Sulev Suvari, a security veteran who has worked the security space for quite some time and across all aspects of the field, from supply chain security to critical infrastructure, executive protection, and intelligence. Not only that, Suvari has worked at the national level of government, the corporate Fortune 100, and now as a consultant CSO.

SIW: What do you see as a key challenge for physical security leaders today?

Suvari: Ownership of security. Often, I see that the senior business leaders to whom security reports are not fully involved – they tend to be disconnected and place all the ownership on the head of security and security team. Rarely is the head of security part of the C-suite; often they are two to four levels down. There needs to be more true collaboration. Everyone needs to be invested and aware. To make it a partnership – as it should be – security leaders need to know how to talk to C-suite leaders. We can take a lesson from our cybersecurity cousins in that regard. Many CISOs today are having C-suite and board-level conversations about business cybersecurity risk.

At the same time, C-level management needs to recognize that they don't have the expertise, insight, and knowledge to truly understand what's going on risk-wise in the complex world environment we find ourselves in now. We are the ones with the insight and knowledge, which puts it on our shoulders to explain it in terms that are meaningful to senior management. We’ll discuss this in detail at the event.

SIW: Building off that, what skill or capability should a security leader be focusing on to better lead and also communicate with the C-suite?

Suvari: Security leaders need to be able to think. That probably comes across a bit glib – what I mean is, security leaders need to ensure that they have the time to think critically, and they need to hone and perfect the tools and methods that will allow them to think critically about the business environment and the direction that the world and technology are moving in, along with some frameworks to provide perspective.

SIW: I agree critical thinking is so important nowadays, so what can help to facilitate that thinking or make one’s thinking better?

Suvari: Diversity of thought – true diversity of thought – can help with critical thinking. Diversity for all the right reasons is front and center for many organizations. It needs to be more than a difference in a person’s appearance or age. Ensuring that you have a difference in ideas and a difference in experiences, and not only that, but once you have diverse people either on your staff or on your teams or in your companies – you really need to make sure that they are involved and include them. They're the ones who are going to be able to challenge your assumptions, help you develop a better product and help you think newer thoughts. It’s a situation of untapped thoughts and creativity, and novel ways to go about things. There is a very great potential to increase the individual value of the people working in the business. Leading companies have discovered this, and we’ll touch on that, and how security practitioners can help with that. Most current-day (i.e., traditional) thinking doesn’t help connect the dots on this, and we’ll explore that in more than one session.

SIW: Alright final question, we haven't really talked much about security tools, technology and products that are on the market, what would you say we need to be considering or thinking about in that space?

Suvari: I think this kind of goes back to what we've already talked about earlier in our conversation. What we’ve talked about so far is really getting back to the basics. I’m reminded about an interview with Herbert Lin from Stanford University that I recently attended. Essentially, he points out that there is a push for more functionality, which in turn creates more complexity, and complexity is not good for security. Regretfully, I see functionality winning over security every time – but sometimes for the right reasons.

The point being that all these tools and the new functionality they bring can often be overwhelming. That shouldn’t keep us from taking advantage of new capabilities, but it’s challenging. I mean, I use my iPhone for calls and music and just a few other things, even though it is filled with other possibilities. It would take me weeks to learn everything and then that’s all I would be doing. It can seem that way with today’s exponentially advancing technologies, especially those with an AI component. Security teams who are bound by complex tools and are caught up in managing the systems only have time to react. How can we get out of react mode?

Well, back to basics. Know what the corporate assets are and know their value. Security’s job is not to identify critical assets and assign their worth, but to discover it through those responsible in various areas, based on what the business is currently producing and how it’s operating. With that known, we can then apply security perspectives and principles and determine business risk – that’s really what is meant by business alignment.

From this basic work all else flows – does that new security tool being pushed address that asset’s aligned risk? If not, pass on it. If yes, now you can build that business case with ROI and TCO much easier as everything is tied to the business and assets. Sounds easy, however, often when I work with a company it can take three to four weeks to generate such an asset list and capture the associated value . . . because the security team was never very closely aligned with the enterprise. A common situation given the rate of business and risk change nowadays.

SIW: Sulev, it was a pleasure to chat with you today. Best of luck and we look forward to hearing more from you at GSO 2025 this fall.

Suvari: Thank you, my pleasure. I am passionate about security and love the field, as you could probably tell from my answers. Best wishes… cheers.