Brian Spanswick, CISO and Head of IT, Cohesity, saw the future in San Francisco during thefirst .com boom. He swapped sales for tech – and hasn’t looked back.
What would you describe as your most memorable achievement?
Most memorable? Obtaining the SANS security certifications as I was preparing for my transition into a cybersecurity role. I definitely studied harder for those tests than I did when I was in college. The feeling I had during the 90 seconds between completing the exam and waiting for the “pass” / “fail” notice on the screen seemed like hours.
What first made you think of a career in technology?
I started my career in Sales for an Industrial wholesaler and I was living in San Francisco at the time. This was the early ‘90s when the first .com boom occurred. Living in the center of the digital economy it was easy to see where the future opportunities were. I was offered the chance to represent the sales processes on an SAP ERP implementation – that started my career in technology.
What style of management philosophy do you employ with your current position?
Empowerment and accountability. This is commonly stated, often as two separate things, but when these two principles are combined it puts folks in a position to be both successful and to do their best work. Empowerment includes having the capability (skills and resources) to deliver the outcomes they need in order to be held accountable to deliver. As a manager you then focus on enabling and supporting both.
What do you think is the current hot technology talking point?
Easily the anticipated potential and anticipated impact of Chat GPT and large language models. In my 30+ years in the industry I haven’t seen a change in technology that is going to have this level of impact. Because of that there are such strong reactions on both the positive and negative that go beyond what this technology is capable of – and what it is capable of is huge. We have a responsibility to understand its potential, both positive and negative, and manage its application accordingly.
How do you deal with stress and unwind outside the office?
I’m an introvert and although I love my work it takes a lot of energy out of me. In order to recharge I spend a lot of quiet time playing golf, going to rock shows, reading – it keeps me engaged as I recharge.
If you could go back and change one career decision what would it be?
I am fortunate that the few big career decisions that I’ve made have turned out well. I made the decision to move into IT just as the digital economy exploded, I made the decision to move from traditional IT to cybersecurity just as that discipline became so critical and urgent. I count myself lucky that my career decisions have brought me to my current opportunity.
What do you currently identify as the major areas of investment in your industry?
There are two areas of investment that I would prioritize. The first is in cybersecurity basics – as attackers get more and more sophisticated the best defense is getting the basics right including aggressive patch management program, network segmentation, accurate asset inventory, and least privileged access. Getting these things right goes a long way in protecting your organization. The second area is investing in cyber controls that minimize the impact if breached. Preventing the breach will continue to be an arms race but if, in addition, we invest in minimizing the impact, reducing the incentives for the attacker and the risk to the organization.
What are the region-specific challenges when implementing new technologies in APAC?
Although not isolated to this region, a very real challenge is implementing and managing new technology securely. The need for IT and InfoSec organizations to not just work closely together but to have shared objectives that focus on cyber-resilience – which can only be achieved with close collaboration.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
The biggest change I’ve seen is in the responsibilities of the role(s) itself. Traditionally the CISO role has been focused on auditing the organization’s security posture and getting the IT functions to comply with security policies and standards and the CIO role has been focused on the delivery of IT services to the business. This often creates conflict between these two roles trying to balance security and service. I’m seeing a shift that will gain momentum in the next 12 months where the line between these two roles disappears and the shared objective will be delivering outcomes securely in alignment with the business objectives of the organization.
What advice would you offer somebody aspiring to obtain a C-level position in your industry?
Have a strong, informed point of view that drives direction and alignment but don’t be afraid to evolve that point of view as new information presents itself or as situations change. To be successful in a C-level position you need to have the strength of your convictions and the humility to evolve that position as situations change – and they always do.Click below to share this article