The enterprise view of cybersecurity and its teams has begun to evolve within the context of rapid global growth. We spoke with Dwayne Smith, Global Director of Security Engineering at Cummins, about that evolution.
Dwayne Smith joined Cummins in May of 2016 as the Director, Global Cybersecurity Engineering. In this role, Smith established and directed the strategic definition, design, and implementation of the next-generation cybersecurity technologies and infrastructure protecting Cummins' global and regional networks, systems, and data. Columbus, Indiana-based Cummins is a global power leader that designs, manufactures, sells and services diesel and alternative fuel engines, as well as related components and technology.
A native of Kentucky, Smith possesses more than 20 years of experience supporting commercial, defense, and intelligence organizations.
What are the trends that you’re seeing that are impacting Cummins and other companies like yours?
Smith: We’re seeing three significant shifts. Of course, work from anywhere is a trend and we hear this regularly in our recruiting and retention.
We’re also seeing the adoption of a multi-cloud environment, and teams like mine must monitor this. Not just for packet analysis, but also for system hardening and confirmation as well as data analysis. System hardening is a preferred approach to minimizing vulnerabilities in the cloud now.
The third shift is moving cyber analysts into roles more like data scientists. There’s a high demand for this type of talent for building algorithms. With AWS, Google Chronicle, and Azure, there’s no shortage of platforms. As a chief information security officer (CISO), you’ve got to make selections and switch quickly, and you’ve got to have a team that is pretty flexible and will keep your processes in place. There is a tempo in reacting and being efficient.
Are certifications, like CISSP, important in team building?
Smith: I received my CISSP (Certified Information Systems Security Professional) back in 2005. It’s one of the most rigid credentials because you have to understand the concepts. About 50% of my team members have gotten it. We sponsor them to get credentials. Because of shifts in our roles as cybersecurity professionals, we are looking for more cloud certifications and, thus, cloud security professionals. We take all the free trainings possible from our cloud vendors.
What’s the latest development internally in how you attack cybersecurity planning?
Smith: We have two different groups—one is more technically focused on cyber-engineering and they provide oversight and compliance for product or project teams to ensure compliance with all of our cyber standards. We also have a second group that’s more focused on building our own cybersecurity-specific products. We’re looking to leverage more back-end services to understand risk.
How do you evaluate cybersecurity tooling?
Smith: Cost is an important part of cyber tooling. You’ve got to take a look at risk and base selections on the data in your environment on a bi-weekly basis. We’re always looking at our portfolio of tools and how they work together. In cybersecurity planning, you try not to overlap with something you already have.
I would suggest that prioritizing capacity planning is important in the scope of what the team is doing next, as well as DevSecOps (development, security & operations).
With the buzz about zero trust, what can a CISO do?
Smith: We focus on identity. Trust, but verify. This can be great for a security team, but it can also be disruptive. There’s a cost associated with it. Every company has to look at not just user identity, but device identity and application identity. It’s a journey that never ends.
At Cummins, what is your biggest tech challenge?
Smith: The rate of change in today’s companies is the biggest challenge. The pressures in business are to act globally, including looking at competition with China and others internationally. How great is a company’s appetite for risk in order to achieve something else? In technology choices at the corporate level, it can be security versus getting another new feature to market first. Is the rate of speed sustainable when you need to maintain security? Incremental wins need to be discerning and cyber professionals need to be generalists in other spaces of tech.
I encourage my team to seek out business podcasts to understand today’s executive critical thinking. There’s a military saying, ‘Don’t walk into a room you’re not prepared to walk out of.’ Know what you want to accomplish, but realize that even the best laid plans aren’t always successful.