Disciplines in Cybersecurity in the New Market

Paul Suarez, Chief Information Security Officer, Caseys

Paul Suarez, a seasoned professional in risk management, information security, and strategic planning with over three decades of experience, stands as a true leader in the industry. Suarez’s decades of experience have set him apart as a true partner across all cybersecurity disciplines where he collaborates with internal and external stakeholders to drive improvement and innovation in the cybersecurity and cyber operations fields.

Please share with our readers your current roles and responsibilities.

In my role as CISO for Casey's, a leading convenience store chain in the Midwest and the third largest in the U.S., my primary responsibilities revolve around cybersecurity. This encompasses overseeing our security infrastructure, security operations, identity and access management, data security (to include privacy-related requirements and obligations) and engineering enablement, a new initiative managed by my team. Engineering enablement provides a secure environment for creating applications, scripts, and tools, aligning with our goal of enhancing the effectiveness of our convenience store software lifecycle.

In reflecting on my role as CISO, I’ve come to realize two key responsibilities define my position: first, critical decision making and second, resource allocation. My role in making critical decisions spans beyond just choosing technology…although that’s a big part of the job.  I work with the team to determine the frequency and tone of information sharing within internal and external technology groups, as well as across the broader company. Being the head spokesperson for cybersecurity, I help set the tone of the security culture of the entire organization. These decisions truly reflect the weight of the CISO role and impact the company's cybersecurity posture. In resource allocation, I have learned how time, money, and personnel should be distributed. These decisions are pivotal in guiding the security program's development and ongoing maturity. Balancing these two responsibilities is, I believe, at the core of the CISO role.

What, according to you, are some of the do’s and don’ts to be done by sales?

Having worked in business development (BD) in the early part of my career, I do feel like I have more empathy than other CISOs may have regarding how difficult sales jobs can be. However, there are certain saleshabits that I’d like to discourage sales teams from using, especially cybersecurity/technology providers. First, the steady stream of unsolicited offers is both surprising and relentless. It underscores the importance of vendors first doing their homework. While I do engage in purchasing tools and solutions, I am more inclined to collaborate with vendors who have researched Casey’s, understood our company's strategy, and identified how their offerings align with our needs. Second, cold calls. Cold calls requesting time to understand our challenges without any prior understanding of the context are not productive. Vendors who demonstrate an awareness of the needs and industry trends are more likely to capture my attention. Third, unrequested calendar invites. Asking me to “schedule time on your Calendly” will never be successful and blindly sent invites to my calendar will always be declined. These behaviours are not only inconsiderate, but they also do not take into account any commitments I already have and are not the markers of a true partner who values my time.

"Cultivating curiosity, both individually and collectively within our community, is key to staying ahead of hacker groups and evolving threats."

Can you share some of the challenges you faced?

Being a CISO, one of the ongoing challenges I face is the expectation to have informed opinions on a wide range of technologies, whether they are currently in use or not. This entails staying abreast of the latest industry trends, emerging technologies, and any consolidations within the cybersecurity space. To navigate this, in addition to publications such as this one, I find immense value in having a trusted forum with fellow CISOs where we candidly discuss technology choices, integrations, and industry directions such as the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) and, more locally, like the Technology Association of Iowa (TAI).

How do you envision the future of this industry?

I often find myself resorting to an analogy that accurately reflects the reality of our situation—the cybersecurity landscape is akin to a continuing arms race against hackers. The challenges have evolved, and I see the need for tools that can adapt and flex to defend against new and enhanced threats. While generative artificial intelligence (AI) and machine learning (ML), in general, haven’t introduced anything entirely new, they have elevated the precision and frequency of attacks, making them more challenging to combat. Companies that understand this evolving landscape recognize that budgets cannot endlessly expand. There’s a need for innovative features that address these challenges without imposing prohibitive costs on organizations. This forward-thinking approach aligns with the idea that, as a customer, we want our cybersecurity partners to help protect us, enhancing their reputation in the process. The future, in my opinion, lies in cybersecurity companies not waiting for threats to materialize but actively collaborating with clients to build pre-emptive solutions.

What is your piece of advice to your fellow peers?

Maintaining a sense of curiosity is paramount in our field. We should never find comfort in thinking we possess all the intelligence, information, or insights. There’s always more to learn. Cultivating curiosity, both individually and collectively within our community, is key to staying ahead of hacker groups and evolving threats. I firmly believe in the concept that a “rising tide lifts all boats”. In cybersecurity, our goal shouldn't be to create market divisions but to foster a collaborative environment where sharing knowledge makes it tougher for malicious entities to thrive. The constant curiosity, the habit of peering around the corner, anticipating what lies over the horizon, and learning from how others tackle challenges differently—all contribute to our collective strength. So, be curious, stay inquisitive, and remain vigilant.