The San Diego Zoo Wildlife Alliance got its start with the roar of a lion. Legend has it that the sound caught the attention of Dr. Harry Wegeforth as he drove past the animals housed in the recently shuttered Panama-California Exposition, and he set out to create a permanent home for them. That proved easier said than done, but Wegeforth pressed on for years, finding solutions to obstacles ranging from securing funding to finding a home for the zoo.
Today, a little more than a century after opening day, five million people per year visit the more than 15,000 animals and millions of plants at the San Diego Zoo and San Diego Zoo Safari Park, and it’s Joshua Barons’ job to keep the global conservation organization secure.
A year after starting as Head of Information Security at the San Diego Zoo Wildlife Alliance, Barons was met with the unprecedented challenges posed by the COVID-19 pandemic. Drawing upon his prior experience as a security leader at organizations including Zocdoc, Abacus Group, Sony and Condé Nast, Barons has not only protected the world-renowned nonprofit from the evolving threats of the past few years, he’s also led it through a series of transformative initiatives. Like the zoo’s founder, Barons has systematically developed solutions to the zoo’s most daunting challenges by keeping his sights set on the future.
HMG Strategy recently spoke with Barons about the evolving threat landscape, his strategies for overcoming hiring challenges amid the Great Resignation and his predictions for the future role of security leaders.
HMG Strategy: The transition to a remote work environment has altered the threat landscape for organizations. What risks are you and the leadership team at the San Diego Zoo Wildlife Alliance most concerned about, and what strategic moves have you made to address the evolving threat landscape?
Joshua Barons: The shift to remote work was dramatic for our organization. We had to quickly move from supporting remote work in a limited capacity to allowing a large number of employees to work from anywhere. As a conservation organization, our first concerns were for our employees and wildlife in our care. We had to support a hybrid workforce with people on site to care for our wildlife, plants and grounds at both the San Diego Zoo and Safari Park and to enable and protect our employees at home.
We initially saw a huge spike in pandemic-related phishing campaigns targeting our employees, so we worked to provide additional security awareness programs and phishing exercises to train our employees to spot these types of attacks without making them feel like they were being tested. We also invested in solutions to provide more visibility and protection for our remote employees. Another shift during the pandemic was in the targets themselves. In addition to directly targeting individuals or our infrastructure, we saw more of a focus on our third parties.
We often talk with members of the HMG community of technology executives about the need to place a fresh lens on security strategies as the threat landscape evolves. What recommendations would you offer fellow security leaders and organizational executives, including how evolving security strategies should be communicated to the CEO and the Board?
JB: I am a firm proponent of discussing security in terms that are appropriate for the audience. Over the last several years, many security leaders have come to embrace business terms and language. At the same time, the business has become more aware of security terms and language as its coverage in the media, especially around major events, has increased. This move to a more common language and understanding has greatly improved many of the communication challenges we have seen in the past and, perhaps, added new challenges. That being said, we still have a long way to go.
Time with the CEO and Board is very limited. I highly recommend breaking down security matters specifically to the business. Work to truly understand your business and align your program to enable your business to operate more securely. Another recommendation is to break down your strategies to a more personal level. It has been my experience that once someone better understands the concept or risk, they will be more supportive of the solution.
The global war for cybersecurity talent is more intense than ever. What are some alternative approaches to recruiting and developing talent, particularly as the skillsets you’re looking for continue to change?
JB: I think one of the biggest challenges regarding cybersecurity talent and recruiting is that in many organizations the human resources information system/recruiting modules weed out many candidates before they ever make it into the system because they are not a perfect match for the job description. Many candidates are never seen by the hiring manager or team. Much like in policy writing, it’s really important to use ‘should’ vs. ‘must’ where appropriate and understand the hiring process at your organization.
I have also seen many roles go unfilled because of a tendency to wait for the ideal candidate. However, if we keep holding out for candidates that can be a little better, we risk missing out on the best candidates—or even fail to fill roles because they remain vacant for far too long. One area where I have been very successful is in building a healthy internship program through which we invest in the interns and stay engaged with a possibility of being able to bring them on full time after graduation.
SaaS security and visibility into SaaS security in the workplace has also become a critical challenge facing CISOs and security teams. This includes the risks posed by shadow IT. How do you view this?
JB: SaaS security and visibility are key areas of interest right now. I think especially with a large remote workforce, if someone is not fully enabled to perform their job, they will seek help from tools and services that the company does not provide. This has traditionally been called shadow IT, but it’s really just business enablement. If the internal technology team is not enabling the business, the business will seek alternative solutions.
Now more than ever, these solutions are everywhere. This is where SaaS visibility comes into play.
Currently, most of the tools we leverage for SaaS are based on network discovery or authentication, and these may not see many of the services our employees are actually using. Now is the time to explore alternate means of identifying these services that may be in place. One of the many things we are doing is actively reaching out to some services and asking them to provide reports on users who may have registered for their services with one of our email domains. Pending review, we add these companies to our third-party risk-management process. This is a really interesting space right now, and I think we are going to see a lot of new companies and solutions to help address not only the visibility but also the control and management of these SaaS solutions.
How is the role of security leaders evolving? Specifically, what new responsibilities do you see security taking on now and in the future?
JB: That is a great question and one that I think is very much on everyone’s minds lately. One of the things that drew me to information security initially was that it’s always changing and evolving, whether it’s the attack surface, the adversary, technology, processes, compliance or the approaches to solving issues. I have seen the role evolving both from a tactical and a strategic perspective.
The role of security leader has taken on many additional responsibilities depending on the organization, whether that’s technology, development, privacy, compliance, physical security, etc. But also in recent years, I have seen more transformational initiatives being driven primarily by security leaders, especially in regard to major initiatives such as moving to cloud-based workloads and solutions or significant business shifts. This is especially true in organizations where information security has visible support and is known as the team that gets things done. As security leaders, we don’t shy away from questioning things that have ‘always been done this way,’ and that opens the doors to new projects and responsibilities. A renewed focus on third-party risk management is underway at many organizations with an emphasis on supply chain risk.
Looking forward, our roles will continue to evolve to meet the respective business needs with a responsibility to enable the business to operate more securely.
- Make security personal. Business and security leaders have in the past several years developed a shared understanding and language around business and security needs, but there’s still a long way to go. In order to rally business leaders around security solutions, CISOs must break them down in personal terms so that they can grasp the risks to the business.
- Switch from ‘must’ to ‘should’ when hiring. Too often, strict requirements in HR systems weed out potentially good candidates while critical jobs remain vacant. Understand and get involved in the hiring process, including creating an internship program to build a talent pipeline from within.
- Address shadow IT’s impetus as opposed to fighting it. If IT doesn’t enable employees to do their jobs, they’ll find the tools they need on their own. Instead of prohibiting these solutions, find out what services users are adopting and, if appropriate, add them to your third-party risk-management process.
- Prepare to lead increasingly transformational initiatives. Effective security leaders inherently question the way things have ‘always been done,’ so it’s only natural for the organization to look to the CISO for new opportunities and processes.