Leading information security executives gathered at the 10th Annual Pratum Secure Iowa Conference during one of the breakout sessions to discuss the corporate and technical role of the Chief Information Security Officer (CISO) and the challenges of balancing risk management with nimble strategic information security decision-making.
CISO Panel Members:
A CISO’s Role: Fostering a Security Culture
The panel was asked by moderator David Cotton what first steps a new CISO should take in approaching security and business interests, and the panel was quick to point out that the advice is the same, whether a CISO is new to the role, whether the role itself is new or even if the CISO has been in the position for a long time: fostering a security culture is the key.
Anderson identified that corporate security policy was not mature when she first became a CISO, but even as company policies have matured, security culture does not necessarily follow suit. Thus, one of the objectives of any CISO should be to identify and foster a healthy security culture. That means speaking to the technical and business sides of the company. Holding ongoing, comprehensive discussions with both helps to identify pain points, opportunities for improvement, and clarifying questions regarding budget.
Johnson emphasized the need to read, understand and act on reports and audits, both ones that precede a new CISO and ones conducted under a CISO’s watch. Knowing how predecessors handled and addressed reports can not only give guidance for current results, but can also provide a better understanding of the overall security culture at the company.
Schmitt believes strongly in a CISO building – or building on existing – business and client relationships. As a former product manager, Schmitt gained invaluable insights into the client experience. In his current role as a CISO in healthcare, he takes advantage of a clinical mentor – a person who serves as a bridge connecting him to the patients of the medical center. In order to become an organization’s trusted advisor on security issues, a CISO must first learn the business before making big-splash technical changes. A good CISO will master controls and understand vulnerabilities and operations, but in addition to that, must also be trusted in those areas, and the way to earn that trust is through understanding the business.
Corporate Mistakes to Avoid and Correct
There are a number of mistakes that can be made in Information Security, but there are also a lot of misconceptions that corporations have about security. According to Johnson, it is still not uncommon to find a deeply held belief that “security is security’s problem” in many organizations. He views the CISO as having a unique opportunity to humbly educate engineers and leadership. When an organization begins to understand that the security department should not be the only line of defense and that security begins at the cultural level, it – as an organization – can then be positioned to be active in its own defense and growth.
Anderson concurred. A common frustration the CISO faces is when the Security department or team is seen as the computer police at an organization. “It is not about following Security’s rules so they can check a box. It is really about establishing a secure environment for the clients and employees to freely conduct business.”
Schmitt approached the problem from a philosophical angle. “If you can implement ‘guardrails over gates’ you can help your organization and its people go where they want to go with the protection of guardrails with less temptation to circumvent a lot of gates.” Technically, this includes mastering the basics and implementing them consistently, and not becoming distracted by chasing the latest “shiny object” to pre-empt innovations at the cost of ignoring fundamentals.
Balancing Risk and Building Business
The balance between risk management and business growth is delicate, and according to the entire panel, has no perfect model or silver bullet. All three CISOs agreed: knowing the risks is key and weighing the probability of those risks (especially when they are measurable) needs to be deliberate, consistent, but also fast. As Anderson put it, it is a “continuous dynamic decision process.” Johnson emphasized hiring “great people that you can trust…and then trust them!” Schmitt drilled down into the measurables in some detail and emphasized the importance of trusting those measurements when performing trade-offs.
However, there is ample opportunity to take advantage of fostering a security culture in order to build the business as well. The CISO can engage leadership across departments, learn the business and simultaneously communicate technical opportunities in non-technical ways. Johnson put it this way: despite the technical aspect of security decision-making, there is still a lot of “what does our gut tell us? And how do we approach that experience?” By having trustworthy staff and good relationships across the security culture, the CISO can focus less on persuading for “buy-in” because the non-technical leadership already feels invested and connected. Anderson strongly recommends regularly connecting with leadership outside of security, and communicating wins, losses and opportunities in a non-technical way. She also believes that the security team – not just security leadership – needs to know where the business is going. “From a security team point of view, where is the business going?” she said. “How does that impact the team today? How do we resource those initiatives?” Then, it is the CISO’s job to ensure that the alignment with the business goes all the way up through the hierarchy of the organization. Don’t assume the organization knows what security is doing and why. Tell them.
So, You Want to Be a CISO?
The panel of CISOs found worthwhile certifications to be those credentials that symbolized passion, interest and curiosity, but saw little value in pursuing a certification unless an employer required it. In fact, one CISO held no certifications, one held many, and yet another had a few. They all said that the far more important attributes of a good CISO were adaptability and an undying curiosity. Johnson mentioned that it was possible to be overcertified to such a degree that he might question whether or not you even had the time to exercise practical skills in a CISO capacity. A passion-based approach might be better. “Certification can show that you have a desire to be in this space,” he said.
Schmitt said that certifications are useful as long as you actually have an interest in the certified subject, but that the key is to be engaged in the security community, to participate in tabletop exercises and capture-the-flag-style events, and to be an evangelist for security culture. For the CISO who really wants to target a high-value certification, Anderson recommends cloud security certifications, as there is currently a high and growing demand for cloud security expertise, and a certification can distinguish candidates.
As the session wrapped up, David asked the panelists to share any last words of wisdom for the working or aspiring CISO:
Schmitt: “Is your team moving the needle and if they are, are they getting positive feedback every day? Make small improvements every day, and ask yourself, are you better every day, just a little bit? And do you know how you measure that?”
Anderson: “Back in 2008, it [Information Security expertise] wasn’t daily news. Today it is. Cybersecurity opens the door. Don’t ask to be invited. Meet with leadership.”
Johnson: “Fundamentals – a business should invest in talent – basic controls, MFA, patching, security should matter when you are buying products of course but what is critical is that you hire trusted advisors.”
Meg Anderson of Principal Financial has been with the company for 35 years. She began her career in the Insurance Division as a COBOL programmer and advanced through the corporate ranks to lead a variety of network architecture, SASS, data warehouse and other data leadership roles. In 2008, she took the opportunity to become Principal’s CISO, a move she described to be at the time – technically – a “lateral move.” Driven more by career growth and an interest in learning more about infrastructure than in promotion, she found the new role – which she initially believed would be a relatively short-lived one for her – to be ideally suited to her natural curiosity, technical expertise and interest in fostering culture.
James Johnson’s background as IT manager at Pella Windows, pen tester, engineer and CISO at Honeywell provided the path for him to become global CISO at John Deere.
Ben Schmitt, CISO for Mary Greeley Medical Center, has recently ascended to his position with a diverse background in product management, telecommunications and forensics at TDS Telecom, Danfoss and Dwolla, all of which he believes contributes to his “client-centered” approach to his duties as CISO.