CRO Wisdom Episode 9: Shamla Naidoo, Managing Partner, IBM Security

Atul:

Hi everyone. Welcome to a new episode of CRO Wisdom, the voice of risk leaders. I’m really delighted to have a well-known cyber and technology leader, Shamla Naidoo, to this episode. Welcome, Shamla.

Shamla:

Thank you so much, Atul. It’s a pleasure to be here.

Atul:

Shamla comes to us with significant experience as a managing partner of IBM’s Security practice, a former CISO, and an independent director of QBE Insurance. Shamla, the first question I always ask our guests is how did your career start in risk management? Because often I talk to people and that’s not where they started. So how did you start?

Shamla:

You know Atul, that’s really an interesting question because to put that in perspective, I think we have to go back 38 years. So I was a technologist, and just hands-on: operator, engineer, database administrator, programmer, network design engineer. And so for me, I really come to this field from a practitioner perspective having been hands-on behind the keyboard. And what you actually find over long decades of career like I have had is that managing risk is always about: what’s your primary role? And in that primary role, you’re going to have to be able to identify the risks that would limit or be an obstacle to getting your job done. And then when you actually look at it, when you take that executive view, and you take that holistic view, and you pick yourself outside of your role, you start to see the bigger risk picture emerging. So I think that we come to these roles as risk managers and risk leaders by being subject matter experts.

Atul:

Well, what a great place to start and bring that knowledge to the risk field. So let’s move to 2021 and our risk environment today. What would you say are your, or what should be the priorities of risk leaders today?

Shamla:

You’ll read this and you’ll hear this all over the place: executives, especially CEOs and other corporate executives are looking at cybersecurity risk as a key and strategic risk, but really I think when you look at it underneath the covers, this is not just about the cybersecurity risk. The cybersecurity risk lends itself to existential risk of digital organizations; and so as your company digitizes, and serves customers and consumers in more ways that use technology, you’re just creating a larger digital and technology footprint. When you do that, your room for exposure, your room for threats, and your room for attacks become larger, and so that creates existential risk because if your technology doesn’t work and it doesn’t work reliably, then there’s a good chance you don’t serve your customers in that reliable way that they have come to expect. So I think when you think about the risk picture, for me, it’s about companies recognizing that the digital risk creates an existential risk, it also creates a market confidence risk, because if your consumers don’t have confidence in your business, in your business model, or in how they’re going to receive services or products, then that erodes your revenue. And so I think that when you think about risk, we have to think about it in terms of revenue, success, product, consumers, et cetera. And the digital risk, while it’s a really key and important risk, actually I think serves and fills in the gaps as opposed to it standing on its own.

Atul:

Right, I think it’s a great way where you connected risk to revenues and outcomes. I think it’s a good way to do that. So Shamla, just to focus on that specific discussion around digital risk, cyber risk – COVID proved a story that companies were looking at a very limited set of risk. So one of the questions I always ask the guests is what other risks should risk leaders be looking at beyond financial risk and cyber risk of the third parties and themselves? What should be some of the other risk domains?

Shamla:

I think that today ESG has become a big conversation, but if we break that down, there’s the environmental risk. And it’s not just about climate change, it’s the environment in which we all operate and run our businesses. So I think that’s an important consideration. But beyond that, I think just the social issues that we’re facing globally require a lot more analysis and a lot more discussion. Today, we talk about it as one giant, we talk about social, but the fact is that underneath the social, there’s a number of smaller topics that need to make up that big topic of social. So you think about social justice around the world, you think about whether that’s racial, or whether that’s gender, or whether that’s sexual orientation, whether that’s talking about inclusion and the whole idea of diversity. So to me, I think that topic of social needs to be broken down and we ought to focus on each one separately because they do introduce different challenges to the business model, but most importantly, they introduce huge amounts of opportunity into the business model. You just think about it, when you’re an exclusive organization, suddenly you reflect the community you want to sell your products and services in, you create new opportunities for consumers and customers. So I do think that when you talk about it as a risk, we have to correlate that with the opportunities that it introduces into our business.

Atul:

That’s great insight. Too often when we talk about expanded risk domains like ESG, people start relating that to simply reputation risk. The reality is, just like you said, that it, well done, can attract employees, can attract investors and the right set of talent, which has a direct result on outcomes. So it’s not just about reputation, but all the other returns that could come to that company.

Shamla:

I agree. And the other thing I keep thinking about on the governance front, it’s really important for us to be cognizant of how we measure, and how we report, and how we communicate about these issues and topics, and how we’re making progress in corporations. But it should not be seen as a checklist exercise. This shouldn’t be seen as something that’s done to us, it should be something that we embrace, it’s something that we sign on voluntarily because it’s good for our business.

Atul:

Right, not to see it as compliance, but actually a good, sound business practice, right?

Shamla:

That’s right.

Atul:

So Shamla, one of the other things that, when I talk to risk leaders, we’re all seeing is that as your risk domain, risk exposure you cover expands, the old model of static point in time assessments no longer works today. Risk is extremely dynamic. So there’s this movement that’s starting to happen to move from point in time assessments to also add in continuous monitoring. What is your point of view on that? And then how can companies accelerate the adoption of continuous monitoring?

Shamla:

I think the idea of continuous monitoring, again, needs to move from this idea of I am watching over you, and it means we need to move beyond this idea that someone’s watching us and someone’s reporting on us, and we’re going to get a scorecard or a report card. I think this has to be an exercise that organizations undertake to shift culture. We need to make this part of our psyche, things that we do that come naturally because it’s in line with our corporate values, it’s in line with our standards of conduct within our organizations. And when I think about continuous monitoring, I almost think about it as a way to self-regulate, to watch what you say, to watch what you do, to be aware of your environment, to be aware of the surroundings, to be aware of current events, and the things that we need to adopt and embrace in order to co-exist with the rest of the world around us. And so when I think about that continuous monitoring, I really think about that as individuals coming together, self-regulating, that creates a self-regulating culture, and that creates self-regulating organizations. And really that’s going to end up with a much better, healthier world and society that we can all co-exist in.

Atul:

Right. Shamla, that’s really well said, because when I think about it, the way you said it, you think of this as these two parties, which are the customer and the third party, collaborating to ensure resilience for each other.

Shamla:

That’s a really important point. That each other concept is something that sometimes gets lost in the larger corporate activities that we have to do every day. We have to keep our companies running, we have to be profitable, we have to make sure our products work, et cetera. But I think that whole idea of how do we start to think about ourselves as part of an ecosystem, and where everyone is playing their positions in the right way that actually will take care of the entire ecosystem and our collective results. So I think that it’s, again, that self-regulating culture where we have to think about how do we create outcomes for the greater good? How do we do our roles and perform our duties in ways that are good for others as well as ourselves?

Atul:

Right. So just pulling the thread on this “each other” idea, one of the things you notice in organizations is that as they expand their risk domain intelligence and risk actions, these often stand as silos. So the financial risk of third parties may be monitored by Procurement, Cyber is monitoring cyber risk, Compliance is looking at compliance, and then you might have a Corporate Social Responsibility function that’s now looking at ESG. And so often there’s a lack of an integrated point of view of the overall risk of this third party. What do you think about that and what direction do you see that going as a potential solution?

Shamla:

I talk about this a lot, that fragmented view. While everyone is doing what they need to do to manage their risk, are we really seeing the collective risk picture? Again, more importantly, are we seeing the opportunities that come from leveraging this holistic risk view? And so when I think about that fragmented risk management, it might work in those silos, but it works at a lower level in an organization. When you think about the larger risk picture, now you’re engaging the C-suite, now you’re engaging the CEO, now you’re engaging the board because you’re talking about strategic risks that have material impacts to an organization, and that have really exponential opportunity for growth and revenue, et cetera. So, I do think that when we look at that as a holistic risk picture, we get more benefits. And again, my experience is it doesn’t take more investment, it actually takes conversations that happen in a more structured way, in a more collaborative way. And I think that you get more efficiencies, but you also get that big picture view and you get the right people having the right conversations versus subject matter experts talking about their risks that others don’t necessarily understand. So that combined, collective conversation needs to happen for the business benefit. When you do it in silos, you’re doing it for the benefit of your department, of your function, of your role, not for the benefit of the entire organization.

Atul:

Right. So Shamla, let’s talk about you. You’ve been a global CISO for IBM, you’re a Managing Partner now in Security, you’ve had a 38-plus year career in technology and security. What advice would you give to CISOs today about this continuous monitoring, wide risk aperture, integrated view? What would you say to them?

Shamla:

For everyone who sits in the CISO chair, we think that our risk is the only risk, or the biggest risk, or the most important risk for the organization. And while that actually contributes to the risk posture of the entire corporation, it’s important to recognize that we don’t exist on our own and that our concerns, and our risk, and our challenges may not be the only ones the organization faces. So it’s really important to collaborate with others and it’s important to put the cybersecurity risk in perspective. And what I mean by that is it has to have its right place, it has to have the right attention, the right investment, but we have to recognize that not all of us are cybersecurity companies. Companies don’t exist for the purpose of being secure, they are secure because they run businesses. They need to be secure because it makes their businesses successful, not the other way around. And the way I describe that is I like to think about the security function walking in the footprints of the business strategy function as opposed to the security function leading and dragging the business strategy functions along, because it’s really important for us that we support, that we act as thought leaders in our field, but that we support the business for the purpose for which they exist.

Atul:

Right. I always talk about how these risks are not independent and separate. Think of these as cascading risks. Often it’s a financial, it’s an operations, people, location risk that migrates into a cyber risk. So really important to think about that cascading chain. So Shamla, recently Bloomberg called risk manager a hot job. What do you think about that take from Bloomberg?

Shamla:

I think it’s very accurate and I support that position, and the way I think about it though is that every organization requires risk management, but I don’t think risk management should be a freestanding, independent function in any organization. Risk management should be a function that exists as a portion or a part of everyone’s role. So if you’re a developer, you should have a risk management portion of your role that says what are the risks to you not doing your job properly or well? If you’re the CFO, what are the risks to you not doing your job properly or well? And so when you have that kind of culture threaded through the entire organization, then you have risk leaders who are supposed to then pull each of those pieces, and put them together, and construct the larger global picture on what does risk management look like or need to look like for this organization. So I think that risk management role is important. At the same time, it’s not a freestanding function, and it cannot exist and be successful on its own, it does need to be threaded through the entire organization. And so I agree it’s a hot topic, but it’s going to take everyone in the organization thinking about risk in their role to bring that risk forward to help the risk manager in this hot job to do their job well.

Atul:

I think that’s a great way to put it: everybody should reflect on their role and say what is the risk of not doing a good job. That’s a great perspective. So Shamla, what resources do you use to make yourself a better risk leader? What do you rely on?

Shamla:

I’m a big news junkie, so I love to know what happens around the world. I continuously read publications, newspapers, articles, things that come out of global organizations but also local. There are some places that I will go to actually enhance my knowledge of world events, because I think that world events give us the first view into where the world is headed. Because usually these topics and these conversations start with one person, two people, four people, and eventually become a movement. And so I like to keep my ear to the ground on world events, what things are happening that are challenging the status quo, because those topics often become movements and they become local movements, and then they become global movements. And so I like to keep myself informed about where are people challenging the status quo? How are they challenging it? And then what are the merits that they’re using to challenge it at that point in time? Because that helps me then to think about at what point is that going to land at my front door? At what point is that going to land in my role? And how will I then do my job differently? How will I engage with my CEO and C-suite customers in a different way? How will I inform them about the things that they may want to think about and consider as they make these big decisions? It’s really important to know where the detractors are, it’s important to know when people disagree, how they disagree or why they disagree, because that helps inform that position in terms of how we make decisions going forward. So the short answer to your question would be world events. I think it’s really important to take a global perspective and to know what’s happening around the world in addition to knowing what’s happening around you.

Atul:

That really resonates with me; it reminds me of a technologist’s approach, now with a lot of business experience too. So thank you for that. Shamla, my final question: I know with the attention to risk, a number of young business leaders are looking at making careers in risk. What advice would you have for them?

Shamla:

The single piece of advice I would give to every person who’s trying to go into risk is be a subject matter expert. Not just a subject matter expert and knowledgeable in risk, but be knowledgeable about the subject that you’re trying to manage risk for, because if you don’t understand the subject matter, you can talk about risk management all day long, but you’ll become a checklist manager. If you’re a subject matter expert, you can engage in very rich and rewarding dialogue about managing risk. And so I would say become a subject matter expert in something and then figure out how your subject matter applies to, and can help and enhance, other roles in the organization. If you’re not a subject matter expert, you’ll have limited value to the risk conversation.

Atul:

Shamla, great advice. Thank you so much for joining us today. And to the listeners, please keep an eye out for the next episode of CRO Wisdom. And if you have any recommendations on speakers, please reach out to us. Shamla, thank you again.

Shamla:

Absolutely.

Speakers

Shamla Naidoo


Managing Partner

IBM Security

Shamla has spent 37 years in technology from an engineer to an executive, including 20 years as a CISO. With her deep technical and industry knowledge in the digital and cyber fields, she is sought after by public and private sectors, and is often invited to speak in venues around the world. She is fluent in technical, business and regulatory topics. Working and speaking in over twenty countries on six continents has helped her distinguish herself in overcoming cultural barriers. She is currently Managing Partner, IBM Security, where she advises CEOs, Board Directors and other C-suite executives on how to converge business strategy with security and privacy practices in their digital and business transformation journeys.

Atul Vashistha


Chairman and CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.