Kraft Heinz dishes up security transformation

Ricardo Lafosse walked into the CISO post at Kraft Heinz Co. in February 2020 with a mission to modernize. And he had a plan.

Lafosse envisioned transforming the company’s security program through a four-pillared initiative focused on visibility, team structure, innovation, and lifecycle. When taken all together, this initiative sought to reinvent the way the company manages, operates, and perceives the security function.

“I’m known for challenging the status quo,” he says. “So, coming in after conversations [with the executive team], I had the sense of the organization, where the business as a whole was heading, and what changes they were looking for. Then, after assessing the program, I had a better idea of where the program needed to go, how to flip the whole program upside-down and be a catalyst for change.”

Building a program for change

After speaking with the company’s leadership and conducting an analysis of the security program, Lafosse devised a detailed plan and laid out specific roadmaps for each of the four pillars within his modernization initiative.

To deliver more visibility, he called for the implementation of a new, cloud-based security information and event management (SIEM) system. The idea was to get real-time analytics based on data from the company’s security tools and systems and generate that “single pane of glass” into what was happening, thus enabling the company to make data-driven decisions as quickly as the needs arise. Also, he wanted to identify all the company’s assets and controls within the public cloud. Additionally, he sought continuous and modular penetration testing against the company’s public-facing information systems, to enable agility, flexibility, and speed in assessing assets that could be targets.

“There is a core tenant of any security program that you cannot protect or control what you don’t know exists, so visibility was absolutely key,” Lafosse says.

Meanwhile, his plans for a team structure overall centered on enabling workers to do the right thing. He sought to remove the risk for employees taking such action while also promoting diversity and inclusivity within the security function.

“I wanted our team members to own security,” he explains. “So we pushed the agenda of having great people on the team, being accountable and cross-collaboration, and owning the outcomes of the program.”

The next pillar focused on innovation over business as usual, or as Lafosse branded it, Innovation > BAU. Here, he adopted new technologies such as automation and new processes while shedding legacy elements and a sense of complacency (both of which added risk). He also cultivated in his security team a mindset focused on enabling the business teams’ go-to-market strategies, “so we’re a partner with them, instead of closing the door.”

He adds: “I want our employees working on value-add and creativity versus opening and closing tickets.”

The last pillar was about stability lifecycle. This involved cleaning up legacy technologies and legacy data as well as overhauling processes such as patching. “It was very strategically picked based on the direction of the business and the areas for improvement that I saw across the program,” Lafosse says.

Taking an Agile approach

Lafosse’s modernization plan identified options for short wins and places requiring larger programmatic changes for sustainable long-term improvements. Lafosse says he sought to move quickly on both those opportunities.

“I was able to highlight the program in modular chunks, saying ‘This is my quick-wins roadmap.’ and then I overlaid information as I did deeper dives,” he explains.

Lafosse created work plans under each of his four pillars. He listed what to tackle weekly or monthly, articulating goals to achieve and milestones to hit while also building in flexibility so that work didn’t have to happen in a perfect sequential line but rather in what order made most sense—as long as the steps were all moving toward the end objectives.

“We had an idea when key outcomes would be done across the four pillars,” he says, noting some work (such as goals within the team pillar) had less specific target dates than others (e.g., identifying assets).

To accomplish all this, Lafosse brought principles from the Agile software development method into his security department. “I’m a huge advocate of failing fast,” he says. He sees benefits in pursuing smaller, iterative achievements than one big monolithic project “so if it doesn’t work, you can revert back and use lessons learned.”

Lafosse also believes Agile brings needed accountability, clarity, and transparency to security work. “Agile lets us know what others are doing, it breaks down work into small chunks and quick wins, and having those wins energizes your employees,” he says.

He adds: “Agile is undervalued in security.”

Lafosse acknowledges that he had to work through the cultural shift needed to get his security department fully onboard. But once he got past that, “people realized that Agile was just a to-do list that provides more visibility” while also giving the security function the agility and nimbleness needed to adapt and respond as the business shifts and new risks emerge.

Another critical component to his modernization efforts: levity and laughter.

“It is part of my personality,” Lafosse says.

He explains that these elements are not about being a jokester nor diminishing the importance of cybersecurity and the hard work security teams put in. Rather, they help humanize those points.

“I’ve been in security for 18, 19 years now. I’ve seen doom and gloom and been through security situations and when I take a step back, laughter and levity allow me to adapt a very serious and technical discussion with multiple different audiences and make it more relatable, and make them feel comfortable with our program.”

Security as business enabler

The modernization initiative has been moving forward since the start of Lafosse’s tenure, with work continuing now. As Lafosse reminds: “Security is a continuous process,” with never-ending opportunities to improve, mature, and adapt as the threat landscape changes.

However, Lafosse says some transformations do reach stable states, allowing for the newly transformed areas to become operationalized and optimized to enable business-side efforts and strategies.

“I think where we’ve really set security up for success is for being a strategic partner with business, being an enabler,” he says. “We’re opening new opportunities for the business by enabling them to operate safely and securely. They know security is helping them push the agenda forward and helping the organization through growth.”