Governance & Risk Management , Video

Aaron's CISO on Forging Strong C-Suite Relationships

David Nolan Urges Security Heads to Focus on Business Value, Not Technical Details
David Nolan, chief information security officer, Aaron's

CISOs need to focus on the business value they're providing rather than the technical details of their work when interacting with the C-Suite and board, says David Nolan, CISO of The Aaron's Company, a specialty retailer that sells and leases furniture, consumer electronics, computers, home appliances and accessories across 1,500 stores.

See Also: From Epidemic to Opportunity: Defend Against Authorized Transfer Scams

Security leaders tend to focus too narrowly on protection dangers and technical requirements and miss the broader context of what the business is trying to achieve, Nolan says, adding that security organizations run the risk of being seen as the "Department of No," rather than the department of "Knowing." CISOs must instead understand their organization's tolerance for risk and help business leaders understand the level of risk associated with the decisions they make (see: CISA's Kiersten Todt on Heading Off Russia-Ukraine Fallout).

"Like the portion of your organization that's doing business intel to figure out what your competitors are doing, we're doing the same," Nolan says. "We're trying to figure out what the cybercriminals are potentially going to do and get in front of that. It's about helping the business understand how you're identifying threats and increasing the continuity of the business. In some cases, it's really a differentiator."

In this video interview with Information Security Media Group, Nolan also discusses:

  • How to find and retain stellar talent in a tough market;
  • Unconventional worker backgrounds that boost security;
  • How CISOs can help with making risk-informed decisions.

Nolan leads information security and risk, strategy, budgeting and operational excellence for The Aaron’s Co. and BrandsMart USA businesses. He is a mentor to a robust team of information security professionals and managers covering application security, incident response, governance, risk and compliance, privacy, emerging technology security, endpoint protection, and information protection. He has more than 20 years in the IT industry in various roles. He previously served as a manager of the threat, attack and penetration testing services team, application security architect, deployment manager, and various lead developer roles for Caterpillar. He also held positions at organizations including State Farm Insurance and the Central Intelligence Agency. Nolan is a regular speaker at colleges, corporations and industry conferences including the (ISC)2 Security Congress, ISSA and ISACA conferences, and he active serves on various industry, college and nonprofit advisory boards.

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.