Cybersecurity challenges in manufacturing: Insights from Church & Dwight's Global CISO

David Ortiz: Technology is getting more and more complex every single day. You know, what we may have viewed years ago as a simple firewall rule has become much more complex, with our connected ecosystems across multiple cloud, multiple sites, multiple networks. So, the complexity is going to continue to grow, but our mission hasn't really changed with what we need to do to protect it. We just need to, adapt and keep up with that changing threat landscape.

Andy Schneider: Hello and welcome to Code to Cloud. I'm Andy Schneider, Field CSO at Lacework. And I'm excited to chat with the global CISO at Church and Dwight, David Ortiz. You know Church and Dwight as the parent company of brands like Arm & Hammer and OxiClean. And at Church and Dwight, David transformed the global enterprise wide information security program key areas of strategy, risk management, and compliance, among others. Prior to joining the company in 2020, David spent over 22 years in security at Bed, Bath & Beyond. David, welcome to the show.

David Ortiz: Hi, Andy. Thank you, and thank you for having me.

Andy Schneider: So David, let's start with some questions around transforming the cloud. So what are the primary cyber threats facing the manufacturing sector today?

David Ortiz: Easy question, easy answer. Ransomware. So, everybody is faced with how to defend against ransomware attacks and how to respond when that attack may happen.

Andy Schneider: how did that change, over the past years from your perspective?

David Ortiz: It was amplified. Over the last four years, I'm pretty sure everyone remembers Colonial Pipeline and what happened. And for me and the journey Church and Dwight is on. The idea of ransomware attack impacting our operations amplified, the potential impact, and how we needed to respond to that.

Andy Schneider: And, what's your take on supply chain as this is also some, like, increasing over the years? did that change over the years for you?

David Ortiz: So over the years, we've created a robust third party vendor assessment process that allows us to really understand a third party cybersecurity posture and handling of any sensitive data.

Andy Schneider: And if you look at those, vendors, are there other things that you do? For example, if you use, products from others, so is it, the third party vendor assessment that you do, or do you also technically do something on that?

David Ortiz: It's generally the third party vendor assessment, so if we are considering moving forward with a vendor, we evaluate them, kind of give them a t shirt size depending on what type of data they handle. How critical their, services are to our business, and we go from there and take a look at, again, their cybersecurity posture and how an outage on their side could impact Church Dwight and make a decision to move forward or not.

Andy Schneider: I often talk to companies that, are more like, white collar worker companies. So looking at manufacturing companies is, for me, very interesting. I worked in one a couple of years ago. so if you move to the cloud, what is special about, about a manufacturing enterprise? What is the difference from your perspective?

David Ortiz: So Church Dwight, we're a cloud first company. So we typically use applications that are software as a service based in the cloud. From a manufacturing standpoint, we protect manufacturing and that manufacturing network, but still use cloud based applications, right? The necessary Controls and security measures are in place for us to use cloud applications reaching out to the internet. It's not directly connected, but it allows us to use applications in a secure manner through our firewalls.

Andy Schneider: So let's assume, there is a ransomware attack and, it would affect one of your services. So we would detect that it might be a potential ransomware gang trying to infiltrate your network or one of your services. How does like a response plan look like in a manufacturing company?

David Ortiz: Sure, so we have a robust, Cybersecurity Incident Response Plan that focuses on both our corporate and our manufacturing sites. We have specific playbooks, for manufacturing, for ransomware, and all of that interacts with, I'd say, our business continuity planning, our disaster recovery planning, and crisis management, to ensure that we can respond, should we have some form of threat.

Andy Schneider: and. If you look at yourself, so, or let's say your whole company, how do you keep up to date? Especially if you look at that more manufacturing side of the business, what threats are there? So how do you do that? How do you keep up?

David Ortiz: Yeah, we're continuously updating our incident response planning. We're drilling all the time. We do tabletop exercises. We're out there talking to people, making sure they are aware of our cyber incident response process. We have really good partnership with everyone within our IT department and our business areas to make sure that everyone understands, how we would react and, respond to any type of event.

Andy Schneider: So for me, there is a practical that. So, I remember that working with, let's say, the people that, really do the work, the hands on work, so in the manufacturing, that it's very different to, let's say, the ones sitting in front of the computer. So, Is there like a difference if you have a response plan for the ones like inside the IT as an example and the one inside like a manufacturing side?

David Ortiz: Our approach for corporate and manufacturing is really no different. So, I work in the team, the cybersecurity team works directly with the manufacturing folks, on the floor for testing our plans. And preparing them, should something arise.

Andy Schneider: Okay, I think that's, great because I've seen very often in other companies, some kind of disconnect there from, let's say, the IT world and then the, I wouldn't say OT world, but you could say the OT world and production world as well.let's move over to another topic. So, we've talked about it when we last talked. So, from your perspective, what makes a good leader when it comes to cyber security?

David Ortiz: a number of things. I'll focus in on empathy, accountability, and urgency. So from an empathy perspective, I'd say, I really want people to understand why I'm asking them to do what we're asking them to do. Really reduce risk and protect our company. And making sure that, They understand it's a bit more of a time commitment, but I understand that they have a full schedule as well, and just being empathetic to making sure that we're planning appropriately. In terms of accountability, I'm going to say it. Everybody has a role in cyber and protecting our people, our technology, our processes. I want to instill that mindset of accountability and ownership so that everybody understands that they have a part reducing cyber risk. And then lastly, I would say urgency, right? Making sure that we're moving fast to keep up with the changing threat landscape and we're reacting to business conditions and being responsive. So I would say, you know, in our short time together, those three things, empathy, accountability, and urgency, are really what's helping form that, leadership perspective.

Andy Schneider: I like that. Especially the empathy one. It's something that many leaders in general, it's not limited to security leaders, but many leaders, sometimes forget in. the speed of their business, but especially in that, Topic of cyber security. I think it's essential that security leaders have more empathy and understand the business and explain why people have to do that. 

The next question is more around if you look at your team that you have. So do you make sure that there is trust between each one of them and that the business trusts you? How do you do that?

David Ortiz: Yeah, I'd say I want to make sure people understand that, you know, practice what you preach, right? For what we just talked about, make sure that it's seen that I practice these things. And I would say for my direct team, it's really being an advocate for them professionally and making sure that they understand that I'm here to support them and help them, you know, further their careers as well as support them in their daily day for anything that they may need.

Andy Schneider: Practice what you preach. I really like that. I mean, I have two kids. So, it's also as a parent practice what you preach is usually the best way.

David Ortiz: Yes.

Andy Schneider: We touched around that but is there a difference between if you talk to leadership, so to your C level, to the board, and the employees? Is there some kind of difference how you have to approach them?

David Ortiz: Yes, you have to prepare for each conversation a little differently to make sure that you're engaging with that person and talking in, I would say, either a business language or a technical language or a language that they would understand. And for us in our role for cyber, it's really breaking that down simply. So that they understand the risk, they understand why you're asking for what you're asking for, because generally we're an ask organization and really making sure that they understand that there's a partnership.

Andy Schneider: That's great. And mentioned that one important pillar, the accountability. How do you create accountability? So not, just yourself, so the others, how can you create that intrinsic motivation to do security?

David Ortiz: Yeah, look, we're mission oriented, right? For a public company, you want to help move the company's mission forward and show you're a trusted partner and you're accountable for your role and you're accountable for helping them do their role as well. So it's just building that. Relationship and that partnership and being very collaborative along the way. And at that point, I believe you're setting the stage so that people understand that you're a trusted partner.

Andy Schneider: if you achieve that, you are a trusted partner, so you're seen by the business leaders as a trusted partner, What does that change once you achieve that? so there is that certain point. So if you start somewhere and you, build that trust, what is happening once you gain that trust?

David Ortiz: One develops a sense of credibility and that's just credibility within your role and credibility that. You know, for the plan that you set out to help with the company, and for instance, again, reducing cyber risk or helping move a business project forward, everyone understands that there's a credible person at the other end of the line and a credible team that's going to help them drive their individual department mission forward.

Andy Schneider: if we look at, the technology part, what are you doing, to protect your company? So you don't have to go into the details, but what are like the core pillars of your technologies that you have in place?

David Ortiz: I say it starts with the right, you know, Partnerships. And, you know, before I jump into any tools or anything like that, it's really establishing the right partnerships with the right cyber leaders in the industry. You know, it's, our teams internally are very important, but it's making sure that I'm working with the right external partners to help us move things forward. You know, and, We work obviously with security operation teams and that could be with someone like SecureWorks or Rockwell Automation or on the, I'd say the risk or the governance risk and compliance side with E& Y as well. And that eventually gets into a tools conversation, right, of how we protect our company. And, you know, like, Most public companies out there, we've got a collection of different solutions that help us protect our people, our processes, our technology. we're a Microsoft security shop first and foremost. We obviously have a lot of other vendors that we work with. You know, we are starting to work with, more on the identity side with a lot of different vendors. One that's, we're having a lot of success with is a privilege access management vendor, Archon, we're doing a lot of great work with them. And then there's a number of vendors, I would say, on the network security side, from Fortinet to Palo Alto, and then A lot of our trusted partnerships are with our cybersecurity forensic partners, Surefire Cyber, Dragos. So those are some of the few, partners that we have, and within that is the tooling that comes with it.

Andy Schneider: Great. So you mentioned Rockwell Automation. so how has working with, Rockwell Automation shaped your cybersecurity approach?

David Ortiz: Yeah, it's really accelerated our maturity for operational technology and manufacturing cybersecurity. So we set out years ago to really assess and then determine what the best solution is for Church and Dwight and then implement that solution. So Rockwell was mainstay in many years worth of work to get us to the point we're at now where we're really operating the environment. we are. Looking at threats, we are responding accordingly. So they've been, as I mentioned, a mainstay in what we do for cybersecurity manufacturing.

Andy Schneider: how do you ensure an effective collaboration between the teams, your cyber security team, the manufacturing team, and the other stakeholders?

David Ortiz: Yeah, I would say it's making sure there's a level of awareness to have them understand how we're approaching and how we're approaching risk reduction and responding to the threat landscape and keeping them abreast of everything that we're doing.

Andy Schneider: So if you look back at your whole career, what is, from your perspective, the biggest learning of your career?

David Ortiz: I'm going to say being adaptable. you know, At one part of the day, it's rolling up your sleeves and being technical, and then another part of the day, it's really preparing to do a business update and talk about risk. So, I would say in my career over the many years, it's just being adaptable to, you know, Anything that could come your way, but also being ready to be technical and then being ready to be, forward facing and not technical at the same time.

Andy Schneider: I've been in that shoes, so for me, it sometimes felt challenging being that all rounder, like the specialist and the generalist. So how do you feel about that? Is that challenging? 

David Ortiz: It is very challenging. Some days are tougher than others. And, you know, we talk about this quite a bit, simplifying the message and making sure that it's understandable at many different levels and unpacking it into the details. when they need to get unpacked into the details, but yes, it makes for an active day each day.

Andy Schneider: so being adaptable is a really a very good learning, I'd say. We, we as security professionals, we have to keep. Adaptable, being adaptable also in the future. I don't believe that this will change much, but maybe that's a good question. So if you would look into the future, do you think that that will change in the future?

David Ortiz: Things are getting more complex every day. So, I don't think it's going to change. I think it's going to get tougher, day after day, week after week. and it's just something we have to respond to.

Andy Schneider: If you think about the whole cybersecurity industry, what do you think the industry should change? That the future gets better from a security perspective. If we look at ransomware attacks, I wouldn't say that we have improved over the last decade. So it doesn't seem to look like that. So if you look forward, what's your ask for the industry? What needs to change?

David Ortiz: I think the industry as a whole has gotten better. Responding and preparing for a ransomware attack. We talk about foundational principles all the time, but right now, if there's one thing I could stop, I would stop hype around things like AI and. Just plainly say that, you know, AI is a chess game for the, good guys and the bad guys, but from the vendor community, my ask would be, look, help us install foundational cybersecurity, help us, understand where we're potentially oversharing data. And let's have a little less hype on AI in general and let's, really surface all the good that's going to come out of AI and derive it from that conversation versus a hype conversation and I think that would really benefit everybody substantially so that we could it. Get ahead of the bad actors out there and really use AI to its full potential for good.

Andy Schneider: Just as a follow up question, do you use any AI tools?

David Ortiz: Yeah. So as I mentioned, right, we're a Microsoft shop. So we are, right now, in the beginning stages of developing Microsoft co pilot and really seeing. In terms of not just with M365, but with use cases as well of how it's going to make our business more efficient. So, we are immersed in it like most companies are right now. And from where my focus is on making sure, as I mentioned, we have our data protected. And we're one step ahead, um, from AI in general.

Andy Schneider: I actually use it all day, for example, for my camera. So I think it's the tiny things where I really, Will help a lot, and we will see the big changes if we look back, like what happened in the last 10 years is massive, but if you just look month by month, you don't realize how big the changes actually are, so

David Ortiz: Yeah, there's going to be incremental, gains month over month, and the benefits should far outweigh, the costs. Anything else?

Andy Schneider: yeah. it's funny because before we started, we mentioned mainframes. If I look back my career, like around 25 years ago, so I started in mainframes.they're still there. So even if AI is there, mainframes are still there, but that's where my career started actually. my question would be, did your career start with mainframes Or how did your career start?

David Ortiz: Oh, wow. So my career started with really learning assembler language, C and Unix, the mainframe, JCL. So all those good things, right? learning how to count and things like hexadecimal. those are what we were all taught on many, many years ago. But yes, I spent considerable time on the mainframe, learning how to operate it. And learning databases and that really moved our industry right forward to, kind of where we are now.

Andy Schneider: Yeah, it's funny. Yeah, JCL. I learned that as well. These 80 characters.

David Ortiz: yes.

Andy Schneider: So was that time where you also got involved with security or when did that happen?

David Ortiz: So I volunteered for security. So many years ago, as things like compliance regulations like Sarbanes Oxley and The payment card, industry standard were really taking shape. That's when I got involved when the original, not original, but some of the early breaches, data breaches that people heard about from, Home Depot to Target really started, becoming mainstream. I was working on the infrastructure side and always involved in security. But at one point I decided to raise my hand and get involved and really Get the current company I was working for prepared, right? Prepared with security operations and prepared with incident response and really getting prepared to have cyber become a business, risk conversation versus an IT problem.

Andy Schneider: I like that. Yeah, it's really linking it to business objectives and business risk is the main task that you have to do as a CISO. That's really good. so you volunteered. Was the role of a CISO known at that time when you volunteered? Did that exist

David Ortiz: No, it really wasn't a mainstream role. It was like any other leadership role in the organization that security rolled up into. in my travels, I was on the infrastructure and operations side as well as on the security side as well. But the CISO role became more prominent, was it five, six, seven years ago? And it's really been developing more into that business leader outside of technology ever since.

Andy Schneider: So if you look back at the time when you started, so like from the infrastructure perspective, now if we look at the cloud and when you move services to the cloud, did anything change from a security perspective while moving into the cloud?

David Ortiz: It's six in one hand, half a dozen in the other, right? it depends what the scenario is. I would say for moving to the cloud for a SAS based solution, if the security is set up and configured and managed correctly, That's a pro, that's a benefit, for, I would say, platform type cloud implementations early on many years ago. companies were still responsible for security and they weren't sure about that. And they needed to make sure that they put the right focus, the right people, and the right resources around that. But, as the years have gone by, I would say, yeah, there is a benefit to being in the cloud. As I mentioned, Church and Dwight is a cloud first company and that's how we operate, predominantly in the cloud. And there's a lot of benefits to that and a lot of, benefits of scale, I would say, for our cybersecurity protections that we take advantage of,

Andy Schneider: Yeah, absolutely. I, I see that. especially like if I look back over the years. So if you now move to the cloud, for me, it's very often the basics are usually done right by the cloud vendors. So you don't have to take care of that anymore. But drawing that line between where you are responsible and where the cloud service provider is responsible, sometimes it's tricky depending, which service you consume. Yeah. I mean, you volunteered for security, would there be any advice to someone who wants to start in cyber security from your perspective?

David Ortiz: early on in your career, I would say immerse yourself in understanding what cyber is and what it could be for you. And at that point, really partnering with people and getting involved in groups to help you understand a role, a potential role. And really, I would say at some point connecting with somebody who could mentor you through the whole process. You know, I talk to people from time to time and they just don't know where to get started. And a lot of times when people, you know, they say, I want to get started in cyber, they're really leaning towards doing something in that cybersecurity operation space. They start out with some coding and then they ask, hey, where can I go from here? And, you know, my advice always to them is, talk to some of the bigger companies, see if you want to do some form of cyber security operations. consider things like penetration testing, threat hunting, those things are fun for people early on in their careers. So, that's generally where I'll start, you know, from a recommendation standpoint with getting involved in, groups to help you understand what a career could look like, and then, you know, getting involved in that security operations space.

Andy Schneider: And for the one later in his career.

David Ortiz: later on in your career,, people are coming with a lot of experience and a lot of potential, to really engage, I would say, with cyber teams and help out and look at things through a different lens. So, you know, I'm generally, bumping into people that, are a bit more inclined to work on the risk management side, work on the governance side, the policy side, and really help out there and put that together with likely a technical background that they had. So, you know, my advice to them would be. You've had a great career so far, decide where you want to go next, but I would say focus on the business of cyber as a business risk.

Andy Schneider: I like that. So bringing more talented people from different ages, different career stages,can really help. and is there something where you would have an advice for organizations or companies, if you look at cyber talent, what they could do?

David Ortiz: Yeah, I would say focus on the person, right? People have drive and I like to use the word moxie, right? People have moxie at times. And you can teach technical skills. You can't teach drive and passion. And that sense of urgency that I mentioned early on, right? that's some of the characteristics that you need, I believe in this field. So, as a company is interviewing and looking for people, in the cyber or the IT risk management field. Look past the certifications, look past, some of those requirement bullet points that you may see on a job description and really get to know the person and explain the role that they're interviewing for to them and, see if they're really a fit for that role. and again, knowing that you could teach people technical skills, but you want to really hire the person, not what's on their resume.

Andy Schneider: Yeah, you can't teach passion. So you have it or you don't have it. That's right. All the rest can be learned. Yeah, absolutely. if you look, back in your career,what do you believe, the manufacturing will change from a cybersecurity perspective in the future? Is there something that will? change. So from an attack perspective and from the defender's perspective, or is it just like, speeding up the threats and keeping up with it?

David Ortiz: I believe it's the latter. I believe it's keeping up with the changing threat landscape. Look, technology is getting more and more complex every single day. You know, what we may have viewed years ago as a simple firewall rule has become much more complex, with our connected ecosystems across multiple cloud, multiple sites, multiple networks. So, the complexity is going to continue to grow, but our mission hasn't really changed with what we need to do to protect it. We just need to, adapt and keep up with that. Changing threat landscape,

Andy Schneider: I still like that adaptability, and that's really brilliant. The same like adaptability and what you mentioned about what a leader has to have, so the empathy, accountability, and urgency. right? we should sum that up.We're almost approaching the end, so I have still some questions that are not directly related to cyber security. If you think about the tools you use today, what's the one tool you can't live without?

David Ortiz: So, I use news aggregators because I want to make sure that I'm staying on top of open source, intelligence, I'm staying on top of the news cycle, I'm staying on top of what business leaders are seeing in terms of market, in terms of risk, and that's globally. So, I would say, any kind of. News aggregator that's bringing in all that data so that we're not reading, many emails, many articles, and just really prioritizing, what we're looking at every single day and making sure that we've got that cadence down. But that also, works in concert with who I talk to in a given day, right? I'm prioritizing my conversations, with people, my trusted partners in the industry and my trusted partners at the company. at Church and Dwight to make sure that I'm getting all the right information so I can make decisions every day.

Andy Schneider: So cutting through the noise more or less a bit. next question. What's the most important habit an IT leader can have?

David Ortiz: I would say knowing how to have some downtime. As well, you know, we put a lot of effort and a lot of focus, into our job and our profession, but it's also knowing how to have that downtime, right? So as an IT leader or as a cyber security leader, we're very focused, right? We'd spend 25 hours a day if there was 25 hours to put into it, but, knowing how to have that downtime and how to decompress, is really important.

Andy Schneider: yeah, absolutely. Is there someone you look up to in the space?

David Ortiz: Wow, there's so many, In my travels every day, you know, some of those trusted partners that I mentioned earlier, the people that I talk to on a given basis. So I can't really identify one person, but, across many of those companies, there's a lot of people that I come in contact with that are helpful for me personally and professionally.

Andy Schneider: Wonderful. So, for everyone out there, look for good partners. They might really help you. What's the one tip from you for your listeners today to increase their cyber security?

David Ortiz: I would say, focusing on identity, preparedness, and being able to respond, right? As we talk in the cyber industry, a lot of our incidents happen as people are attacked and identity. We want to make sure we're prepared. For that. And we want to make sure we've got a response to it. So my advice is kind of threefold, right? Focus on protecting your people. focus on having a level of preparedness and know how to respond, quickly. Yeah,

Andy Schneider: and identities might be the first vector that attackers will get in. Thank you. Most likely, love that.so we are reaching the end. for our listeners out there, how can they get in contact with you?

David Ortiz: Sure thing. I'm available on LinkedIn. Send me a message and I'll happily respond to it.

Andy Schneider: Wonderful. So for our listeners, LinkedIn is the place to go. And. That's all for us today. So thanks for our listeners for tuning in. If you have a minute, it would be great if you could leave a rating or a few. It helps others to find the podcast. And thank you, David, for your time. It was wonderful speaking to you and especially speaking to someone who knows JCL, so still knows JCL, so if I find a mainframe, I will reach out to you so that we can try it out again,

David Ortiz: Please, we can have an interesting conversation, but thank you, Andy. And thank you to the team at Code to Cloud. I greatly appreciate the opportunity today.

Andy Schneider: Wonderful. So we'll see you next time on Code to Cloud. Thank you very much.