Secret CSO: Brian Spanswick, Cohesity

Name: Brian Spanswick

Organisation: Cohesity

Job title: Chief Information Security Officer and Head of IT

Date started current role: March 2021

Location: San Jose, CA

Brian Spanswick brings 20 years of experience managing IT and cybersecurity organisations within high-growth companies, while also providing consulting services for large, globally dispersed blue-chip enterprises. His leadership is pivotal in advancing core business operations, accelerating digital transformations, and building cybersecurity protocols that secure company, customer, and employee data. Prior to Cohesity, Spanswick managed Risk and Information Protection at Splunk, leading and rapidly expanding the organisation responsible for managing cyber risk across the company.

What was your first job? My first job was working as a projectionist at a movie theatre when I was in high school and college. It didn’t pay well, but I got to see free movies, have all the popcorn I could eat, and had time to study since I only “worked” 10 minutes every two hours when starting the film.

How did you get involved in cybersecurity? Most of my career was spent on business application teams delivering large enterprise resource planning (ERP) solutions where we applied technology to automate business processes. During that time, I worked closely with cyber security / internal audit functions and was often frustrated with the traditional, compliance-driven approach to cyber security that met the letter of the certification but often missed the objective of ensuring that our systems were secure. I was convinced that security should be an aspect of how we deliver and maintain our business process solutions – not a separate consideration.

What was your education? Do you hold any certifications? What are they? I have a degree in economics from the University of Colorado and have security certifications including GIAC Critical Controls Certification and GIAC Security Leadership Certification.

Explain your career path. Did you take any detours? If so, discuss. Most of my career was spent on the business applications side of IT working with the business to apply technology to automate business processes. Later I moved to a hyper-growth SaaS product company and the need to have an integrated approach to security was critical, so I made the transition from IT to cyber security.

Was there anyone who has inspired or mentored you in your career? Yes, one of the big reasons I made the transition to cyber security had to do with the CISO that we had at the time – Joel Fulton. Having the opportunity to work for him, supporting his efforts to build the cyber security team and establish the cyber security capabilities for a hyper-growth SaaS company, was incredible. I can’t overstate how valuable that experience was, and I still lean on his coaching and guidance to this day.

What do you feel is the most important aspect of your job? Ensuring my business partners have an accurate understanding of our current security posture and how that security posture supports their business objectives. Nothing is more critical than positioning an organisation's security posture with business leaders and having them participate in the decisions that impact the level of security required to meet their business objectives.

What metrics or KPIs do you use to measure security effectiveness? When representing the security posture we use the NIST control framework, and we establish KPIs with targeted service levels that measure the effectiveness of the security controls. In addition, we measure cyber risk by likelihood * impact. In that risk formula, instead of assessing the “likelihood” of a breach (or of a control failure), we assess the likelihood that the impact will be realised in the next 12 months. This approach puts the risk rating in a business context that makes it easier for business owners to make prioritisation decisions and recognise their risk tolerance.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We have been fortunate enough to continue to grow our security team and ensure we have the right talent with the right skill sets to get the job done. However, I do believe there is a trend emerging that directly ties into this question. I think today, many organisations are finding that there is a lack of collaboration between the IT and security teams. While one group may be focused on things like prevention, the other group may be focused on backup and recovery. But, in an ideal setting, a holistic security strategy includes elements of both. In my role, I lead both security and IT and look for qualified talent that can collaborate effectively and, in turn, help the company continue to enhance its overall security posture.

Cybersecurity is constantly changing – how do you keep learning? There are several ways to keep learning; one of the best has been tapping into my peers in the CISO community. There are several groups that I'm engaged with where InfoSec professionals discuss current challenges and approaches to address cyber threats, along with tools and techniques. In addition, I’ve gotten valuable information and insight from security conferences – both the formal sessions and the networking opportunities where we can discuss the latest trends in cyber security, including things like ransomware attack techniques and approaches to not only protect from these attacks but to also minimise the potential impacts. Lastly, I make an effort to research current trends, techniques, and threats.

What conferences are on your must-attend list? I have found the Gartner Security and Risk Summit to be highly informative and educational – there’s an emphasis on strategy and approach that I find valuable. I also get a lot out of RSA: in addition to trends in security tooling, the “unofficial” networking events are great – it seems like everyone shows up for RSA.

What is the best current trend in cybersecurity? The worst? The Best: The concept of cyber resilience being the primary objective of InfoSec teams. Cyber resilience is the ability to continuously deliver the intended business outcomes, despite adverse cyber events. This continues the evolution of IT organisations that started first with having a compliance focus, followed by a risk-based approach to security, and is now moving towards aligning our security posture with our business objectives.

The Worst: There is a trend out there where solution vendors brand solutions by repurposing security terms in ways that misrepresent the solution. One example of this is repurposing the term “airgap” when describing data isolation solutions as “virtual air gapping”. It misrepresents the scope of the control and confuses the level of security provided.

What's the best career advice you ever received? It’s not surprising based on the content of this interview; the best advice I received was to take my IT and business experience and move into cyber security. It is such an exciting, young field that values critical thinking along with technical acumen, and there is a huge need to be able to represent cyber risk at a C-Suite / board level alongside other potential business investments. I can’t think of a field more dynamic and critical to organisations today than InfoSec.

What advice would you give to aspiring security leaders? Don’t be afraid to have a point of view. Security professionals are often reluctant to make strong statements or provide their point of view because they know there are no guarantees in security, that you can never be 100% certain. Security professionals often work hard to provide the facts and leave it to their partners to draw their own conclusions. The challenge with this approach is that their partners don’t have the same level of security acumen or context. Strong security leaders aren't afraid to have a point of view; they state their assumptions and describe the context within which they draw their conclusions. And when / if things change, they update their point of view and move forward. This increases their value to their business partners, accelerates their security posture progress, and builds their credibility with leadership.

What has been your greatest career achievement? I'm really proud of what the InfoSec team achieved at Splunk, growing from a small group within IT to an organisation that managed the security posture for both Corporate and Customer SaaS environments. The work we’ve done at Cohesity, bringing together InfoSec, ProdSec, and IT to have an even more comprehensive security posture and approach, has also been great. Seeing these teams working together to achieve our targeted security posture has been a blast and so important in today’s climate.

Looking back with 20:20 hindsight, what would you have done differently? Created stronger partnerships with IT and product organisations. It’s common for InfoSec to write policies and standards and then work with those organisations to drive compliance. That top-down approach takes a lot of effort, and you never get real commitment or the best solutions. Establishing a shared ownership of the security posture and collaborating on security targets & controls is a whole lot easier, more effective and a lot more fun.

What is your favourite quote? “You can observe a lot of things just by watching” – Yogi Berra

What are you reading now? The book I'm reading now (for a second time) is The God Equation: The Quest for a Theory of Everything by Michio Kaku. I know for sure that I'm not smart enough for this book, but I get satisfaction in the attempt. It forces you to read and think critically – good practice.

In my spare time, I like to… I’m a huge live music fan – I have been to over 700 rock shows, spend countless hours in vinyl record shops, try to play guitar, and have a small vinyl record label where we publish independent rock bands.

Most people don't know that I… Played bass guitar in a punk band that did a few gigs in San Francisco.

Ask me to do anything but… Misrepresent / go back on my word. Integrity is a critical character trait; compromise your integrity even just once and it is difficult to recover it.