As the Chief Information Security Officer at Finning, Catherine Mendonsa is responsible for establishing and maintaining the global Information Security Management Program to ensure Finning’s information assets are adequately protected, with a particular focus on preventing cyber disruption to business functions. She sees the role as an advisor to Finning’s business leaders, not only for technology risk review but for supporting business outcomes through process improvement and innovation initiatives.

She and her team have worked to develop a culture where security is an inherent part of business development, ultimately enabling a competitive edge within the industry. These efforts are supported by a team of dedicated security operations, architecture, engineering, identity & access management, and risk & compliance professionals.

Following is the conversation that we had with Catherine Mendonsa.

What are some of the challenges existing for the leaders looking to establish key cybersecurity programs at their organizations?

As a CISO, there are a myriad of enterprise-wide challenges to consider; here are just a few.

Cybersecurity talent search and retention will continue to be a challenge for the foreseeable future. The demand for skilled security talent has surpassed the supply. I have been fortunate to assemble a strong team of security professionals, globally.

Advocating for sufficient tools and visibility into data movement, supporting active monitoring and incident response capabilities, should always be top of mind. With the ongoing growth of our digital footprint through the use of cloud, mobile devices, IoT, remote and work-from-home activity, the global attack surface continues to expand with new emerging threats, creating new challenges.

“Communication and collaboration will facilitate and encourage security advocates within your organization; building a culture of security will ultimately support your ability to be successful in this role.”

Digital supply chain risks have introduced the need for deliberate risk-based vendor/partner security reviews, onboarding processes and monitoring. This includes responding to requests for evidence of security controls, practices and alignment to various global regulations. Thorough review of contracts and service level agreements is important for staying ahead of threats.

Digitizing our environments has introduced new complexity in ensuring that system and identity management configurations, and integration points, are well designed, managed and monitored. The simplest change can have a negative impact on an organization’s security posture. Compliance with the Change Management process is highly regarded. Peer review often identifies possible concerns one might not have insight into, as we typically focus on delivery of solutions first.

Organizations need protection and resiliency against the significant increase in the volume of attacks on their networks. Government and private organizations are gaining insights about vulnerabilities in their network infrastructure and taking necessary measures to ensure security. What are the new trends which this changing security scenario is bringing about?

With the increased ransomware activity and other cyber disruption volatility in play, vulnerability management will remain persistent. From Log4j to Apple devices, our teams have been hypervigilant at keeping everyone’s data safeguarded by remediating major vulnerabilities in record time. We have heard the phrase “security is everyone’s responsibility,” and so it must be. This is not a new trend; it is a core competency requirement of employees today. Threat actors’ creativity in finding new ways to cause disruption will never end. Industry will provide new tools to thwart the threats, but I strongly believe it is still the community of security-minded humans who remain watchful that will ultimately persevere through this never-ending challenge.

What would be your piece of advice for your fellow peers and leaders?

Remain vigilant. Threat actors have no scruples; therefore, a CISO must engage with every facet of the business to understand where security can add value without invoking unnecessary controls. Take the time to listen and understand what drives the leaders within your organization, and then articulate how security can support their goals. Through communication, collaboration and encouraging security advocates within our organization, we have ultimately increased employee engagement with IT, improved awareness, and built a culture of security.