Written by
Shelly Sack
Shelly is a regular Contributor to AOTMP®

What is the new world order within technology roles and responsibilities? Typically, a chief information security officer’s (CISO) responsibilities lie with overall security and differ from managing IT day-to-day functions and strategic transformations. Traditionally, they have reported to the chief information officer, but situations vary depending on company size. Let’s dig in a little with Ben Carr, who recently took on not only the responsibilities of the CISO, but those of privacy and IT as well when joining Cradlepoint as its Chief Security & Trust Officer. Carr said his appointment highlights the importance of not only security within the company, but the role trust plays for its customers. Cradlepoint is a Boise, Idaho-based technology company that develops cloud-managed 4G LTE and 5G edge networking solutions for businesses.

“Security really needs to have an unfiltered viewpoint of the entire organization,” Carr said. “These roles must be able to have transparency, not only internally but externally as well. While I was initially hired to lead the security organization, we realized that the alignment of security, privacy, and IT really allows us to think about the issues in a fundamentally different way. It’s really what the industry and our customers are asking for; these areas aren’t siloed, they are intertwined. Considering the issues we have seen in the industry in the last several years around third-party risk, it became clear it really is an issue of trust.

“In the past, the CISO has traditionally reported into the CIO; the security officer is becoming a key business leader and the trend is that the CISO should be reporting directly to the CEO. Some forward-thinking companies are transitioning from the traditional security structure where security was reporting into IT, to a more risk aligned structure, where IT is reporting into the security leader. This can be a more business aligned structure, and one that supports customer concerns. This can be an enabler for CISOs who have responsibility for the IT side; an immediate benefit can be the reduction in conflicts of interest when addressing security issues.”

Cradlepoint was acquired for $1.1 billion by Ericsson in 2020 and operates as a standalone subsidiary.

Ben Carr is Chief Security & Trust Officer at Cradlepoint

“You have to trust your leaders and enable them to drive success in their individual areas. Hire good people. It’s the most important decision you can make as a leader. Taking responsibility for large spans of control, both Security and IT, can present a challenge in itself, if not managed. I think three to eight direct reports is a good span of control. More than that, it can become unscalable. I think it’s important to be managing from a people perspective; ultimately, it’s the people that drive change and growth in the business. If you’re sitting with your direct reports and realize you have too many people to feed with two pizzas, that’s too many; you won’t have the time to both think strategically and give your directs the attention they need to grow,” he said.

Carr admitted he learned this axiom from a prior mentor, but said it has proven to be a good guide. In the months since assuming his new role, Carr has formed a specific view of the impact he would like to have on the organization.

Security responsibilities should include the following scope:

Ensuring companywide secure connectivity with cloud transition at a scalable rate that still promotes effective collaboration and growth.

Security needs full visibility across the organization, including both corporate IT and product levels; insight into data privacy and protection for all customers, both domestic and international; and technical controls and assessments.

“For any CISO, the effectiveness of the security program depends on the support they have from the board of directors, CEO, and the rest of the executive staff. You need to build relationships, but you need to have a seat at the table. If you aren’t in the meeting when decisions are being made, then you can really make the right decisions and influence the best outcome for the company. It is critically important for CISOs considering a new role to understand if they are really going to be invited into the decision process; are they really being hired at a C level or is it title only?”

Build corporate culture in a significant, safe space: “Burnout has been real in the pandemic, with people working more because they were now working from home,” Carr said. “Now, the challenge we are seeing is to see what works best for the people and the company. We’re Boise based but we have a global approach for building the right team. And as a leader and CISO, I encourage people to get a good work/life balance. Leaders need to demonstrate it too, by taking time and showing balance, or their people won’t.”

Security awareness companywide: “Security should be everybody’s job. If you’re not helping to build a positive security culture, you’re missing out on a big part of the role of the CISO,” Carr said. “You can’t just say, ‘NO,’ or deliver once-a-year security ‘training’ and expect change to happen; you need to deliver an effective and engaging program to turn it into something that motivates people. This is where real culture change happens.”

“Build a culture where security is seen as part of everyone’s day-to-day role. You’ll see more engagement and people will bring activity to you. Annual security training that takes an hour at the end of the year is not getting through to your employees. Instead, use a slow-drip campaign. I have even used trainings based on live-action comedy. Bring different voices to security discussions and consider the psychology of it. Ultimately, it needs to be automated to scale but you can definitely flavor the training with something engaging to mask the tedious perception and deliver it in a more palatable way.”