CISO Trends. PHOTO: Cybercrime Magazine.

What’s On The Minds Of CISOs? More Than COVID-19 And Remote Workers

Cyberinsurance, recruiting, and planning are priorities. Sponsored by SecurityScorecard

Steve Morgan, Editor-in-Chief

Northport, N.Y. – Feb. 9, 2021

Every CISO (chief information security officer) on the planet is challenged around securing remote employees during the pandemic. So what else are security leaders devoting think cycles to? Cybercrime Magazine recently caught up with three Fortune 500 CISOs on our podcast in order to find out.

The CISO’s Role

Paul Connelly, the first ever information security officer (ISO) at The White House – before the CISO title was coined – noodles over three mission-critical disciplines: Information security; Privacy; and Physical Security. What sets him aside from most CISOs is that responsibility for all of those fall under one security and risk leader.

Connelly, now vice president and CISO at HCA Healthcare, a Fortune 100 healthcare provider, had privacy bolted onto his information security duties in 2012. Physical security was added more recently. “It’s a big leap,” says Connelly, but he highly recommends it. The three-headed monster stretched and turned him into a much more strategic CISO.

Paying it forward is as important to Connelly as getting his security job done. 28 people who have worked for him over the years have gone on to become CISOs.


Deneen DeFiore, vice president and CISO at United, one of the world’s largest airlines, studied biology in college before teaching herself to code and then launching an IT career. Recruiting is always on her mind — it has to be for a successful CISO.

Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity positions this year. While that number may temporarily contract during the COVID-19 pandemic, it will surely expand when business returns to normal. Regardless, cybersecurity is a hot market and there’s always the chance that an experienced staff member will suddenly depart for a new opportunity.

Someone once took a chance on DeFiore, and she’s done the same with candidates during her tenure as a CISO — which included many years at GE Aviation prior to her current role. “If you’re hiring for an application security position, then someone with a software development background could be a good fit,” says DeFiore. She’s willing to teach them more about threat modeling and cybersecurity.


Keith O’Sullivan wants more than a cyberinsurance policy. The SVP and global CISO at Standard Industries, a major industrial company, wants an insurance provider who will help assess the risk of third parties.

The way O’Sullivan sees it, cyberinsurance doesn’t prevent data breaches or cyberattacks, it pays for some of the damage afterward. The insurance is necessary, but he’s focused on being proactive and having the best possible cybersecurity posture. A byproduct may be a lower premium.

“Look no further than the Solarwinds hack,” says O’Sullivan, on the importance of rating the security of third parties — especially vendors — you work with.

Monitor Employee Training

Where do vendors think CISOs should focus? The opinions will vary of course based on the products and services a company provides.

SecurityScorecard, a security ratings vendor based in New York, encourages CISOs to monitor their security awareness training programs for employees. This type of training teaches employees to spot and defend against phishing emails and social engineering attacks which have spiked during the COVID-19 pandemic. Unfortunately, the programs are all too often delayed or canceled due to busy schedules.

By monitoring the percentage of employees who show up for cybersecurity class, security leaders will have a better indication of their risk around intrusions, ransomware, and other cyber threats.

Where else should enterprise CISOs be investing their time? Only the CISOs know. To find out what’s on their mind, tune into the CISO 500 series on the Cybercrime Magazine podcast.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.

Sponsored by SecurityScorecard

SecurityScorecard is the global leader in cybersecurity ratings and the only service with over a million companies continuously rated.

SecurityScorecard’s patented rating technology is used by over 1,000 organizations for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting; making all organizations more resilient by allowing them to easily find and fix cybersecurity risks across their externally facing digital footprint.

SecurityScorecard is the only provider of instant risk ratings that automatically map to vendor cybersecurity questionnaire responses – providing a true 360 degree view of risk.