Transforming cybersecurity into a strategic business enabler

In this Help Net Security interview, Kevin Serafin, CISO at Ecolab, discusses aligning security strategy with long-term business goals, building strong partnerships across the organization, and approaching third-party risk with agility.


How do you define cyber risk within your organization’s overall enterprise risk framework?

At Ecolab, we don’t approach cyber risk in isolation. Instead, it’s positioned as an integral component of our overall enterprise risk management framework. We define cyber risk as the potential for loss or harm related to technical infrastructure, use of technology, or management of information and, generally, we evaluate risk in a few different ways.

First, we look at operational risks, which include risks that could disrupt our ability to deliver products or services, including system outages, data corruption, or impact to critical infrastructure that could affect business continuity. Second, we look at financial risks, which include potential monetary losses from cyber incidents such as fraud, regulatory fines, remediation costs, or revenue impacts from service disruptions. The final prong in our framework is reputational risk.

We view these as risks that might be more difficult to quantify but could ultimately have an outsized impact, such as an incident that erodes customer trust, devalues our brand, and could even create longer-term market disadvantages.

How do you ensure cybersecurity strategy aligns with your organization’s core mission and long-term business goals?

Around the world, everything we do is rooted in our more than 100-year history helping customers drive growth through operational efficiencies while conserving natural resources. It’s our north star and core to who we are. Ensuring our cybersecurity strategy is aligned with our mission helps us deliver on key business goals – both within our own organization and for our customers. It’s foundational to delivering a successful cybersecurity program.

As Ecolab’s CISO, I chair a steering committee that regularly convenes a cross-functional group of executives including our Chief Operating Officer (COO), Chief Financial Officer (CFO), General Counsel and key business leaders. Together, we discuss how our cyber initiatives can most effectively support the company’s strategic business objectives.

We’ve been sure to position the security team as consultative partners, rather than gatekeepers. We’re at the table to help find solutions not stifle new ideas. When new business initiatives are proposed, we participate from inception, collaborating on solutions that meet business needs while managing the risk appropriately.

This partnership mentality has transformed the conversations from “Can we do this securely?” to “How can we do this securely?”. The difference is subtle but important – it positions security as an enabler of innovation rather than a barrier.

How do you strike the right balance between enforcing security standards and enabling business agility with third parties?

To get this balance right, we’ve evolved from a binary “approved/denied” mentality to a more nuanced risk-based framework that considers both security requirements and business value. We’ve implemented a tiered assessment program that scales the assessment according to risk exposure. Critical suppliers handling sensitive data or business processes undergo comprehensive assessments, while lower-risk providers may encounter a more streamlined review. This prevents unnecessary friction for business-critical relationships while allowing us to focus on reducing risk to the organization. We have also standardized our security requirements across our suppliers to create clear expectations that suppliers understand from the start.

For strategic partnerships, we’ve adopted a continuous monitoring approach rather than point-in-time assessments. This real-time visibility allows us to quickly reassess changes in a supplier’s risk profile and react accordingly. To do this we blend our own internal monitoring with various cyber risk intelligence services to provide that dynamic view of our supplier cybersecurity posture.

What has been your biggest takeaway about embedding cybersecurity into enterprise strategy?

As cybersecurity professionals, we can help shift some of the more challenging legacy perceptions of the function. It requires demonstrating how cybersecurity is more than a cost center – instead, it’s a driver of tangible business value.

Moving beyond compliance-driven security to risk-informed business enablement. This can be accomplished by speaking in terms of business risk, not just technical vulnerabilities. When security is positioned as an accelerator of digital transformation rather than a roadblock, it gains the strategic importance and resource support needed for optimized effectiveness. That doesn’t happen overnight; it requires intentional change management and consistent demonstration of how security investments directly support business objectives, protect revenue, maintain customer trust and create competitive differentiation.

What trends are you watching most closely when it comes to the future of cyber risk at the business level?

The global regulatory landscape continues to change rapidly. It’s something we’ve adapted to by tracking it much more consistently, and it’s sure to remain top of mind. This highly fluid external environment demands a shift towards continuous monitoring and a much more comprehensive compliance management program. We must be ready to adapt quickly as new laws come into play, as well as ensuring our suppliers are compliant where relevant.

Adoption of agentic artificial intelligence is a significant shift in how business processes will be executed. Ensuring an AI governance framework that is integrated into the cybersecurity program is becoming essential for managing emerging risks. As autonomous systems begin making decisions for organizations that affect sensitive data, critical infrastructure, and business operations, our traditional view of security controls must evolve.