In a recent interview with CloudTweaks, James Beeson discusses his new role at Cloud Communications Group (CCG) and his strategic vision for enhancing the firm’s cybersecurity capabilities. Beeson, currently serving as the Senior Vice President and Global Chief Information Officer at The Cigna Group, brings extensive experience in cybersecurity, infrastructure, governance, and risk management from his 20-year tenure at General Electric. His decision to join CCG stems from a longstanding professional relationship with the founders, formed during their MBA studies at Southern Methodist University. In his new role, Beeson aims to understand CCG’s existing client base and leverage his expertise to expand the company’s cybersecurity offerings, complementing its established strengths in networking and cloud computing.
Congratulations on your new role at Cloud Communications Group. What drew you to this position, and what are your initial goals?
I’ve known the founders of Cloud Communications since 2007 when we all completed our MBA studies together at SMU. I’ve long admired the transparency and effectiveness of their business model. By bringing in experienced and tenured counsel to help create IT strategies from an independent perspective, coupled with the empathy that comes from having walked in the shoes of IT leaders, CCG creates real relationships based upon trust and shared goals.
When I announced plans to retire from CIGNA, they reached out as they were working to expand the cybersecurity part of their practice. We realized enhancing our cybersecurity offerings really filled out the full advisory services that CCG could offer.
Initially, my goals are to understand the existing client base and how we can best utilize the firm’s approach so we can best leverage my expertise. CCG’s larger expertise has been in the networking and cloud computing space. However, we hope to really expand offerings within cybersecurity to complement the overall business model.
With your extensive background in cybersecurity, what do you see as the most pressing challenges facing organizations today?
While real challenges vary by industry, there are several major challenges that are more universal. These include:
- Generative AI – this new, large language model capability presents a real challenge from two perspectives. First, how can we leverage this technology from within our company to improve our efficiency? Second, how are the bad guys leveraging generative AI and how can we mitigate that risk?
- Supply Chain – Everybody’s ecosystem has become more complex, especially since the pandemic. This pandemic accelerated the development of digital landscapes exponentially to create in essence a Frankenstein technology ecosystem. In a rush to move to the digital space, everything became a web-driven platform. There is a lot of risk with that. This has also caused a shift in the incident management landscape as many of the “managed incidents” for companies are now related to external, 3rd, 4th, sometime 5th parties versus being related to internal events.
- Ramsomware – You must talk about ransomware preparedness. While preparedness helps mitigate the propensity for an attack, you also have to be prepared with strong policies and procedures to manage ransomware attacks when they inevitably occur. Nothing beats table-top exercises and practice to ensure processes work smoothly when an event occurs.
- Securing code development – We are generating new code at an amazing rate today, and most new code development is not as secure as it should be as it is put into production. Furthermore, utilizing generative AI to speed code production exacerbates this problem.
- Talent Gap – The increasing talent gap remains a huge problem. Some of the latest statistics indicate there are more than three million unfilled cyber jobs open now, of which 600,000-700,000 are here in the United States. It is important to address what we can do to encourage and incentivize young people to seek out information on careers in cybersecurity. While the coding capacity of generative AI can address some of those shortcomings, we still have a serious need for human leadership to step forward.
- End User Education – At the end of the day, if you look at the statistics, 80%-85% of all cybersecurity breaches occur because someone does something they shouldn’t have whether or not it was malicious. It is incumbent upon us to create a cyber-savvy workforce.
- Authentication and Authorization – We’ve been having the same discussion on this topic for the past 25 years and the problems are the same. How do we authenticate a person, a device and content? That continues to be a struggle today. There is so much progression in technology. We shouldn’t even be using passwords anymore but we’re so mired in password-centric technology. Educating people on that change is very difficult, as most business leaders are scared to step into the unknown.
How do you plan to leverage your experience from your tenure at CIGNA and General Electric in your new role?
I think that one of my strong suits is helping to simplify the strategy and the road map. I have 25 years in the cybersecurity space and have reported to many types of leaders, and the skill I’ve honed is simplifying geek-speak into a simple road map or business case on how to improve the security of any given company. As I further work with CCG clients, I look forward to helping existing security leaders on how to craft a comprehensive security message that is easily understood by the corporate leadership team.
Cybersecurity is a constantly evolving field. How do you stay updated with the latest trends and threats?
First and foremost, I stay heavily involved in the technology and cyber community. I serve as a part of the governing body for Evanta, which is a part of Gartner. They are a remarkable information base, and they create events and conferences designed by CISOs for CISOs. I recommend that everyone in the industry get involved with their appropriate industry community with the National Council of ISACs (Information Sharing and Analysis Centers). These specialized groups allow for peer-to-peer interaction to stay ahead of bad actors. HMG Strategy also offers a great digital platform designed specifically for C-Suite Leaders including CISOs and CIOs.
Additionally, I sit on a few advisory boards. For example, I work with Zscaler and a few other boards. In this capacity, I can stay abreast of industry issues and help advise companies on where to invest in technology solutions and where the industry is going.
Finally, I keep on top of as much daily news and intel as possible. I love the Wall Street Journal’s daily cybersecurity newsfeed, Gartner’s daily newsletters and World and Security 50.
What strategic initiatives do you believe are essential for strengthening a company’s cybersecurity posture?
All organizations must first pick a framework such as ISO (International Organization for Standardization) or NIST (National Institute of Standards and Technology). Once you’ve done that, set standards based upon that framework, using your industry standards as a guide. Then, it’s easy to measure yourself against that framework and those standards to set your road map for improvement. Further key initiatives include:
- Endpoint and device protection
- End user protection and education
- Increase in telemetry so you understand what is happening across your environment and network to recognize patterns of security issues.
- Work to improve your speed to detect and contain incursions. Everyone has security incidents, but being prepared to quickly detect and contain them makes the difference.
- Understanding where you have fragility within your technology ecosystem so if an incident occurs you can more quickly respond and recover.
Can you share some insights on how you approach risk management and governance in complex IT environments?
There is a real struggle within IT leadership to effectively translate between geek-speak and business-speak, and this limits the successes in building buy-in for a strong risk-management program. A lot of people in the security role have been pulled up too fast, so they lack the needed business acumen or experience to communicate the necessary initiatives with C-suite leadership about the business case for security.
The key is making it easy for everyone. Use simple language and understandable metrics.
For effective governance, it is important to have a diverse set of individuals have a voice in the governing body overviewing the risk posture. It is important to hear from operations, legal, privacy, sales and human resources and other critical business functions. Each of these have functions impacted by risk mitigation and governance. This helps to clarify real cybersecurity risk and to determine where to deploy dollars and resources.
How important is it for companies to have a clear and simplified cybersecurity strategy, and how can they achieve this?
People try to make this far too complicated.
As the adage says, “If I’d had more time I’d have written a shorter novel.
It is easy to have a complicated mission, but it is challenging to simplify it. But the elegance of a simple cybersecurity strategy is that is easy to explain and to execute. You should be able to make the risk case for your plan in four minutes or less.
In your opinion, what role does cybersecurity play in a company’s overall business strategy and success?
At this point, someone with cybersecurity knowledge should be at the table as the company makes decisions about their strategy and their road map. Most businesses in the world are moving toward a very digitally facing environment, and therefore cybersecurity must be a part of that discussion.
It has been said that the world is being eaten by software. Everything we do in our life is digital. You can’t get away from the fact that anything digital has a cybersecurity risk. Therefore, every business process has some digital risk. It is the role of the cybersecurity leader to make sure key executives are aware of the risk case.
Leadership should think of their cybersecurity leaders as advisors, much like you’d treat an attorney. Just as a lawyer is in the room to share the likely legal ramifications, the IT professional is there to share the risk ramifications. That allows businesses to identify their risk tolerance as relates to their revenue model.
What advice would you give to aspiring cybersecurity professionals looking to make a significant impact in their careers?
I’ve always told young people that certifications such as the CISSP are important. They get you in the door and provide your basic competencies, but if you don’t know about business, such as accounting, finance and economics, you need to add that to your talent stack. Even if you just pick up a few classes at a local community college, you need to understand how businesses make decisions. Whether you are running a $200 billion company or an ice-cream stand, the language of business is the same.
Get yourself connected and involved in internal and external communities to drive your brand and to strengthen your knowledge and experience. Sign up for the ISSA (Information Systems Security Association) chapter in your area. Find mentors in your company and take their counsel.
More generically, as a leader, I’ve found two foolproof strategies. First, always try to work yourself out of a job. The more you do that, the more others will try to elevate you to your next position. Second, always volunteer to do that project no one wants. I know it is a risk, but several things happen when you do that. You get immediate credit for stepping up. You always learn by taking on the hard jobs. And, even if you fail, you’ll receive kudos for stepping up.
Looking ahead, what do you envision for the future of cybersecurity, and how can organizations prepare for upcoming challenges?
In the security world, most companies have spent the past 10 years throwing money at the problem but that’s about to end. After a decade of spending money on a parade of security tools, most companies are nearing the IT spend they should be at. The money tree is drying up. Now, security leaders will be required to justify any inefficiencies in their tools.
The security team of the future will mostly be code in the form of automated software utilizing generative AI. We’re reaching the point that a human cannot feasibly react fast enough to the speed of bad actors. We must automate those tools to speed reactivity to security incursions.
All companies must keep that front of mind as they lay out a strategy and road map. What resources and talent do they need to bring in to automate processes in the future? This is a key reason to seek cybersecurity counsel and partners with firms such as Cloud Communications Group, who can help them understand how to be more efficient and effective.
By Randy Ferguson
