Aaron's CISO on Forging Strong C-Suite RelationshipsDavid Nolan Urges Security Heads to Focus on Business Value, Not Technical Details
CISOs need to focus on the business value they're providing rather than the technical details of their work when interacting with the C-Suite and board, says David Nolan, CISO of The Aaron's Company, a specialty retailer that sells and leases furniture, consumer electronics, computers, home appliances and accessories across 1,500 stores.
Security leaders tend to focus too narrowly on protection dangers and technical requirements and miss the broader context of what the business is trying to achieve, Nolan says, adding that security organizations run the risk of being seen as the "Department of No," rather than the department of "Knowing." CISOs must instead understand their organization's tolerance for risk and help business leaders understand the level of risk associated with the decisions they make (see: CISA's Kiersten Todt on Heading Off Russia-Ukraine Fallout).
"Like the portion of your organization that's doing business intel to figure out what your competitors are doing, we're doing the same," Nolan says. "We're trying to figure out what the cybercriminals are potentially going to do and get in front of that. It's about helping the business understand how you're identifying threats and increasing the continuity of the business. In some cases, it's really a differentiator."
In this video interview with Information Security Media Group, Nolan also discusses:
- How to find and retain stellar talent in a tough market;
- Unconventional worker backgrounds that boost security;
- How CISOs can help with making risk-informed decisions.
Nolan leads information security and risk, strategy, budgeting and operational excellence for The Aaron’s Co. and BrandsMart USA businesses. He is a mentor to a robust team of information security professionals and managers covering application security, incident response, governance, risk and compliance, privacy, emerging technology security, endpoint protection, and information protection. He has more than 20 years in the IT industry in various roles. He previously served as a manager of the threat, attack and penetration testing services team, application security architect, deployment manager, and various lead developer roles for Caterpillar. He also held positions at organizations including State Farm Insurance and the Central Intelligence Agency. Nolan is a regular speaker at colleges, corporations and industry conferences including the (ISC)2 Security Congress, ISSA and ISACA conferences, and he active serves on various industry, college and nonprofit advisory boards.