Megan Samford
Podcast Appearances
Get a third-party independent report.
If you're coming into a company, new to a program, new to a role, you want to make a big splash in the first six months, get a third-party report to baseline where your program's at.
And that's something that you can immediately hand off and present to your board.
And that's going to add a lot of credibility to whatever strategy you're trying to form.
Thank you so much.
It's awesome to be here with you all.
Yeah, I think it's really more about achieving the balance between high alignment and high autonomy, right?
And for large organizations, what I've seen work successfully is this concept of a three lines of defense strategy.
So the first line of defense needs to be where the risk actually originates.
So if you're a company like mine that develops products and sells them to global markets, our first line of defense is typically considered developers and divisions and individual P&Ls unto themselves.
And so that's really where the risk originates.
It's the best opportunity you have to mitigate that risk directly.
The key thing with the first line of defense is that anyone in the first line of defense, just like a factory floor from the 1970s, should be empowered to have what's called stop-the-line capability.
If anyone observes behavior that is out of bounds for the company's values, for their policies, for what it clearly says we're going to do with our secure development lifecycle and the way that we make products, anyone should be empowered to raise their hand and say, "I don't agree with this behavior, and this needs to be looked at more thoroughly."
That being said, there's also the second line of defense.
That's really where CISOs sit: the second line of defense.
We are risk overseers.
And so our job is to set policies, set successful governance structures, empower that first line of defense, make their lives easier, create clear escalation paths when we're not seeing behavior that we wanna see