In October, Niall Browne will celebrate his third anniversary as Domo’s Chief Information Security Officer (CISO), a job that has become increasingly important as companies wonder who they can trust with their data in an era in which we regularly hear of cyberattacks.
Recently, I caught up with Niall to discuss his thoughts on a number of topics, including the origins of his interest in cybersecurity and how he personally uses Domo.
To learn exactly how Domo tackles security and trust, check back for part two of the interview next month. In the meantime, read on to discover what makes Domo such a powerful tool for CSOs.
Q: Where did your interest in cybersecurity originate?
I studied engineering in college. My first job after college was working as an engineer in the computer center of a large bank. They were just starting to consider online banking and were looking for a security webmaster to manage cybersecurity. I didn’t even know what a webmaster was at that time! But I did know that the future was online. It was an easy decision for me.
Q: Most of your cybersecurity career has been focused on cloud.
It has. I have been the CSO for cloud providers in Silicon Valley for the past 15 years. Prior to Domo, I was the CSO & CTO (Chief Trust Officer) at Workday. The enterprise journey to the cloud has always resonated with me, as cloud can—and does—offer far better security than can be provided by legacy, on-premise providers. As such, cloud is an opportunity to start afresh for cybersecurity, to rip out the legacy systems and make the right agile decisions based on the latest technology.
Q: What was it about Domo that intrigued you?
A: What drew me to Domo was what they were building: a data cloud platform for everybody, accessible from anywhere, be it laptop or mobile device, capable of giving you the information you need, when you need it, in order to run your business better. I had worked with various data platforms, but the issue with them was that the data was siloed, and you only had access to a finite amount of data, so you could never really gain deep insights. Domo was the opportunity to build an industry leading cybersecurity program for a cloud platform, which stores the most sensitive data for many of the largest global companies.
What’s your “elevator pitch” to fellow CSOs about Domo? When you’ve got two
minutes to tell the person standing next to you why you think they should use
it, what do you say?
A: One way to gauge a CSO’s future success is by asking, “Can you make data-driven decisions like your executive peers do?” Most CSOs can’t. They don’t have access to the distributed business data that they need. Other executives, such as the CFO or CTO, do, which allows them to build consensus in the company and drive change. CSOs, on the other hand, often operate in a vacuum. How can they justify a budget increase or a new control requirement when they don’t know their numbers? They can’t back up their request with business data, so they then fall back on “because I said so,” or FUD (fear, uncertainty and doubt). This is the No. 1 reason many CSOs fail.
One of the first security initiatives I orchestrated was building “security dashboards” on the Domo cloud. These dashboards allow me to measure all my core security controls and share them with my executive peers, and to back up every request with business data in real time. If we want to launch a project or get an increased budget, I focus on the business data in Domo. This makes all the difference.
Q: What kind of data do you personally measure and track in Domo, and why?
A: Every CSO should have a set of core cybersecurity controls that they use to measure how secure they are and that they leverage to support business decisions. Core controls are those security business metrics that are most important to the company. For most CSOs, gathering this data is a long, manual process. Their team needs to retrieve this information from dozens of diverse tools. This can take your team days or even weeks. Once they have finally gathered all the information, it is out of date.
I have defined a set of core controls for Domo, which are the foundation of the security dashboards. This allows me to track all-important security events and trends at any time, from my mobile phone, and be alerted to any significant events.
Events that I track daily in Domo security dashboards include operational risks, compliance gaps, laptop, mobile, and server compliance, user requests and terminations, security bugs, penetration tests, and infrastructure changes.
Q: Why is that such a powerful and important thing?
A: With Domo’s 1,000-plus connectors, we’re able to connect to all the core services we use daily. So, for engineers who are working on entering bugs into, say, Jira, ServiceNow or Confluence, Domo automatically gathers this data from these tools.
All of that information is now part of the security dashboards. It’s basically a single pane of glass that allows you to look into everything that’s happening out there. It audits thousands of internal and external services. I can go to my mobile device at any time and ask a question—anything from how many bugs do we have and how many bug bounty payments are we paying, to what are the core projects and what are the core risks?
One of the primary benefits of Domo is it was built in the cloud and for mobile. All the functionality is mobile-enabled. And if I’ve got alerts set up, anytime something interesting happens, I’ll know right away. I’ll get an alert on my phone saying that somebody has logged a new vulnerability, or that there’s more risk in corporate endpoints than there was before, and I can take direct action through that Domo app on my phone.
In other words, by using those security dashboards, not only do I have an integrated cloud with all of the core security services, I can look at the common trends that I should be thinking about as a CSO. Your average industry CSO doesn’t have access to tools like that. They’re still working off a model that constantly makes them question what they should be doing.
Q: What about getting up to speed with the product and how to use it? How easy was it for you, and when you talk to people, such as fellow CSOs, what do you say?
A: It was very easy to get up to speed. Nobody needs to be a programmer to use Domo. All the integrations are built into the platform, so I didn’t even need to think a lot about what the dashboards would look like, because for the most part, it was simply a case of getting a team together, getting around a whiteboard, and asking, “If we had access to the data, what are the things we’d want to look at?” For most CSOs, it’s very easy to come up with such a list and create their own security dashboard.