Measuring the CISO's Evolving Sphere of Influence
They are the executives who control information security issues in an enterprise and are responsible for securing anything related to data.
The Chief Information Security Officer (CISO) not only protects IT systems with special hardware, software and secure business processes, but he or she also creates, implements and communicates the organization’s digital information security policies and procedures. In the event of a confidentiality breach, CISOs are the ones who handle the situation with an established business continuity plan.
How well do you know your CISO and what they do?
Jeff Wright, vice president and CISO at Allstate, knows well his physical security counterpart – Joe Sparks – and takes pride in the relationship that they formed. “Our relationship is important and is a constant evolution,” Wright explains. “It started with corporate investigative services, which is a separate group from Joe’s. This group gets involved with an internal investigation. While keeping the bad guys out remains a top priority, the increasing sophistication of the attacks means that eventually unauthorized parties may get in. We are shifting our attention inwards and looking at our internal network; who is transferring data where. In doing so we see things that warrant internal investigation, and that’s where the relationship has matured. We identify activity and then we triage that to Joe’s team and our partners in internal investigations.”
As CISO of Allstate, the largest publicly held personal lines property and casualty insurer in America, Wright is responsible for establishing and maintaining Allstate’s vision, strategy and program to ensure information assets and technologies are protected. He and his teams identify, develop, implement and maintain processes across the enterprise to reduce data and information technology (IT) risks, in addition to establishing appropriate standards and controls, managing security technologies, and directing the implementation of policies and procedures.
Founded in 1931, the Allstate Corporation encompasses more than 70,000 professionals made up of employees, agency owners and staff. It’s also known for a famous slogan: “We say ‘You’re in good hands with Allstate.’ That’s our company message and brand, and I take that very seriously,” Wright says.
He has a technical team of firewall engineers; intrusion detection and IT specialists; a team that handles governance; and people who write the IT security policies and help establish the rules of the road for Allstate’s end-user community. Whether it’s PCI or other regulations that govern the Allstate business, the team collects and tests data in support of Allstate’s regulatory obligations.
Showing security’s value is one area where Wright increasingly spends much of his time. “We have standard metrics, such as the number of cases open, the average time to close a case, the number of compliant accounts in our active directory – all of the usual metrics that we track and publish. We are working on an outcomes-based program, including measuring the things we do internally to lessen the likelihood of our users being susceptible to a phishing attack. For example, what was the most effective thing that we did to drive the reduction of a phishing email? We have always been technically focused on the information security side of things, but my sense is that our physical security team has played a larger role in education. We are encouraging people to report something that looks out of place and try to change user behavior.”
Changing the CISO Function
Wright’s view of how a CISO should work with other enterprise functions matches what The Security for Business Innovation Council (SBIC), which is affiliated with RSA, The Security Division of EMC, argues for as well. The Council’s report suggests that information security needs to become a cross-organizational function, with security functions embedded into business processes and security teams working closely with other business units, such as physical security.
The report, Transforming Information Security: Designing a State-of-the-Art Extended Team, argues that information security teams must evolve to encompass skill sets such as business risk management, law, marketing, mathematics and purchasing. The information security discipline must also embrace a joint accountability model in which responsibility for securing information assets is shared with the organization’s line-of-business managers and executives, who are beginning to understand that they ultimately own their cyber risks as part of business risk, it says. Many of the advanced technical and business-centric skills needed for security teams to fulfill their expanded responsibilities are in short supply and will require new strategies for cultivating and educating talent, as well as for leveraging the specialized expertise of outside service providers.
To help enterprises build a state-of-the-art extended security team, the Council offers several recommendations, including for particular specializations: augmenting the core team with experts from within and outside of the organization; staffing the IT security team with people who have experience and certifications in quality, project or program management, process optimization, and service delivery; developing trust and influence with other key enterprise players and outsourced service providers; and, given the lack of readily available expertise, treating talent development as the only true long-term solution for most organizations.
“We do work on building trust with all enterprise stakeholders,” notes Wright of Allstate. “You have to put yourself in the shoes of your counterparts, and explain to them the risks and how it can impact your brand. One of the things I believe is that 80 percent of the people will make the right choice 90 percent of the time, so we design controls and metrics and education to inform the good choices and prevent the bad ones.”
“IT security has this reputation as the people who say ‘no.’ I hate that reputation, and I refuse to do it,” adds Dave Frymier, CISO of Unisys. The worldwide information technology company provides a portfolio of IT services, software and technology for its clients.
As CISO, Frymier oversees the development and implementation of security policies used across the company. “I have a series of dotted lines across business units and the day-to-day execution of the information security function,” he explains. “I have a team of 22 global security specialists who work on identity and access management, run malware systems, issue our own certificates, run a vulnerability assessment program, conduct incident response and more.”
He believes in educating all stakeholders, as the RSA report suggests, because he notes that “People need to understand how IT works. If you are at the executive level, you also need to be able to explain it to your peers.”
Frymier also spends much time on third-party audits. “We do our own audit and evaluation of any third party that we engage with or that hosts data for us or provides critical services for us. We integrate specific contractual language into our agreements with them, showing due care of the data.
“This is where the physical and compliance world have become more integrated,” he adds. “We have ISO certification, which shows our high level of security. That had to be an integral approach with all business units. Specifically, physical security had to be involved, so that took a large level of collaboration. Increasingly, our role is about relationships with all business units, and knowing when to reach out and to ask questions to ensure the right procedures are followed.”
Jeff Lolley echoes Frymier’s sentiments. No longer is IT just handing out policies, he notes. Lolley is Head of Global Information Security for Hogan Lovells, one of the largest law firms in the world, with more than 2,500 lawyers operating out of more than 40 offices in the United States, Europe, Latin America, the Middle East and Asia. His team has responsibility for security operations, information risk management, governance and compliance.
“Our primary focus outside of technology is education, awareness and engagement with the rest of the business to ensure that we have a relationship with them,” he explains. “They need to know who to reach out to. They need to understand the policies and procedures in place and the underlying reasons why they are in place. If you just are handing out policies around security, you won’t get good buy in, so we spend much effort to engage all members of the firm in this area.”
“Traditionally, law firms have made security a part of their operation teams,” Lolley explains. “Now we increasingly see information security becoming much less technology-centric and much more of a balance between technologies, processes, people. It’s more of a holistic approach at the larger firms. Our clients all demand that we do it that way.”
The CISO role is much more of a journey, adds Lorna Koppel, CISO at Iron Mountain, a provider of storage and information management solutions. The company has more than 1,000 facilities in 36 countries. Data security is critical, as the company’s solutions include records management, data management, document management and secure shredding. They also store and protect some of the world’s most valuable historical artifacts and cultural treasures. Founded in 1951, Iron Mountain stores and protects billions of information assets, including business documents, backup tapes, electronic files and medical data.
“As CISO, I need to be an advisor to the decision making process,” Koppel explains. “I want each business unit to understand the threats and the possible choices on addressing risks. My job is not to say 'no;' it's to help the units do things in a business-reasonable secure way. The risks to companies today are very diverse. We all face complex threats, such as organized crime, hacktivists, espionage, cyber-warfare, and even simply people out there having fun. Business tools require complex IT environments that are often riddled with vulnerabilities, and complying with multiple laws and regulations adds even more risk. Trying to mitigate all this is where many IT Security people get into trouble. They don’t understand the business environment and try to lock everything down without sufficiently considering the impact to business processes and users,” she says.
Similar to Wright’s situation, Koppel and her CSO have a shared goal. “I actually report into the CSO, and we combine security into one organization,” she says. “We work on a global view of security, to drive global results in a cost-effective way. Many of the things that affect IT affect physical security, as well, so how we view risk is very similar. We leverage resources by doing one risk assessment instead of two, which reduces the time involved for our internal customers. We present a single vision, and we strategize as a team. Access control in the physical space includes badges and gates, and in my world it’s the user IDs, passwords and the IT technical gates. Keep in mind that physical controls now depend on IT systems. Based on all this, it’s best to look at security programs holistically.”
As with Lolley, Frymier and Wright, Koppel increasingly spends more time on metrics. “When I look at setting up metrics, I focus on the audience and what I want them to do with that information,” she says. “Metrics depend on the company culture, and I keep in mind that many metrics have a life cycle. At Iron Mountain, we use a dashboard approach and not one golden metric. Sometimes metrics are included around addressing a curiosity or managing a hot topic. I try to include newsworthy items in my metrics to help put some context into why we do what we do and give validity to the program. Also, there’s multiple ways to understand a number, so you need to be careful and think about how your audience will interpret it. In reality, the journey to get the metric is as valuable as the metric itself. People assume that their program is working as planned, so if you don’t go back and measure it they are often working under false assumptions.”
Iron Mountain has grown quickly through a large number of acquisitions, so metrics have to cover all parts of the business globally, Koppel says. “Our dashboards help us to manage the projects so that overall, we can prioritize where the money gets spent and also not try to let the weakest link affect us. As we have gone forward with new acquisitions, we use the metrics as examples of how and why we need to do the integrations differently. Our metrics are a great way to show the actual facts of how things are working versus what people perceive.”
“Everyone, including CISOs, should understand the culture of the company and what resonates with the people that they work with,” Koppel notes. “Know the business language,” she advises.
The increasing trend toward BYOD – bring your own device – is causing companies to explore new approaches for solving support, management, and security challenges.
BYOD isn’t necessarily new – IT departments have been supporting mobile “road warriors” since the 1980s – but the rising tide of users seeking the use and support of their own consumer devices is different.
“BYOD is the latest challenge,” says Koppel of Iron Mountain. “Where does the data go and how do we handle it? I think that all companies are trying to find their way in this area. Many companies are playing catch-up.”
“We have a healthy BYOD program here,” says Wright of Allstate. “We have a wireless network that’s not part of our corporate network, and that’s the only place where employees can get online. And we do basic monitoring and control on that network.
“In addition, when it comes to accessing corporate data from a non-managed device, we take them into a virtual environment where I can control what gets in and out of that desktop. I can turn off USB devices, for example, and it gives me controls to better secure our data. If the individual’s personal device is compromised, I can better determine what, if any, data may be at risk. Multi-factor authentication helps mitigate the risk of password disclosure. If someone brings a conventional device or an iPhone to a place where malware runs rampant and it’s compromised, what data is on that device? So we have begun to develop a clean device policy for travel to certain geographies. The intent is to prevent corporate data from being exposed in hostile environments.”
Frymier and his team increased their focus on BYOD three years ago, he says. “We consider it to be a consumerization of an IT problem with three parts, so we developed an ‘if you can’t beat them, join them’ strategy that consists of identifying our most critical assets and protecting them accordingly. We established smaller perimeters and drew a wall around the stuff that we really care about and hardened access to it. So we allow some employees to bring their own PC to work, but they won’t be able to use it to get near the corporate jewels.”
For Lolley, the BYOD plan included implementing technical controls around the enterprise’s mobile device platforms environment, in addition to policies and procedures for users. “They have to understand why we are asking them to do certain things, so we educate our community about the risk and when they need to be more diligent than normal. We help them to make decisions about what device to take to certain client locations. For us, educating the why and how is key to effectively implementing the policies.”
‘Perfect’ Information Security
According to the 2013 IBM Chief Information Security Officer Assessment, some CISOs are framing their job descriptions the wrong way. Despite CISOs having the words “information security” in their title, their role should not be that of the company’s defender against hackers and online attacks, argues Paul Proctor, vice president and chief of research for security and risk management at Gartner.
Proctor says that, too often, the CISO is seen by a company’s board as the one responsible for ensuring that the business is protected against attacks. However, he argues that when this happens, the board isolates itself from business risks with the excuse that they are IT problems.
“CISOs are their own worst enemy when they position themselves as the defenders of the organization, because it lets the executives skate on accountability,” he says.
As a result, Proctor says that CISOs find themselves arguing for more money from the board, and the board itself doesn’t see information security as a risk-mitigating exercise, but rather as a continual payment for “perfect” security.
Although no system can ever be considered perfectly secure, Proctor says the board doesn’t often see it that way and, separated from the business risks, doesn’t realize that cost savings can be made if an acceptable level of risk is established.
By simply asking for money, Proctor says that CISOs are “faced with a board that looks at past performance, sees that no or few security breaches happened in the previous year, and assumes this means that the CISO is using their existing budget accordingly, even if it’s woefully inadequate.”
Proctor notes that CISOs need to change the narrative by not asking for money, but instead asking for decisions on how much risk the business is willing to take, and providing the right defenses accordingly.
This means that the CISO also has to reach out to the board in terms they understand. He provides the example of an automotive manufacturer, where production rates for vehicles were well known. Rather than telling the board that an IT incident might cause several hours of downtime, Proctor says that the CISO quantified the risk in terms of actual lost inventory.
Proctor’s other suggestions for changing how the CISO performs in his or her role include ditching the use of fear, uncertainty and doubt (FUD) as a tactic to convince the board of the need to spend. He says that FUD has limited value, because the CISO has no control over the threat itself, only over the company’s readiness, which is a much more positive viewpoint.
He also says that even though it has been drilled into organizations far and wide, he still sees too many CISOs using tech-laden presentations in an attempt to communicate with the board. Technology should be abstracted out of these conversations. Conversely, these discussions should also be used as an opportunity to re-educate the board that information security is not just a technology-based problem.
“They believe security is a technical discipline handled by technical people buried inside of IT. You need to instruct them that there is no such thing as perfect security. They don’t understand this. Introduce them to their choice to spend more to lower their risk, or spend less and accept more risk. Trust me, it makes them think.”
Are Your Road Warriors Ready for Battle?
By Rama Kolappan, Director, Product Marketing and Product Management at Accellion
Enterprises need to prepare their mobile-enabled workforce for success. One of the best ways to do so is to provide a secure solution for sharing, syncing, creating and editing business-sensitive material via a mobile device, letting employees be productive while on the go. When choosing a solution to enable employees to securely access and share mobile content, be sure that it has the following capabilities:
1. Centralized IT Control and Management
Ensure that IT admins have visibility into all data activities, as well as the ability to create content retention policies, provision new users with access and pull reports of file and user updates. They should also manage password policies to ensure strong authentication, so only authorized users can access content.
2. Secure Project and Team Collaboration
Easy-to-use tools that enable collaboration are a must, so employees don’t work around IT-provided solutions. Make sure that there are places for teams to create workspaces where they can add, edit and sync business content. Tools should also allow for simple collaboration with external team members, such as partners or vendors.
3. Variety of Cloud Deployment Options
Different companies need different types of cloud deployment for their data, based on company preference and its industry regulations. Enterprises should use a solution that allows them to utilize public or private cloud models.
4. Secure Access to Enterprise Data without VPN
Businesses need secure mobile access to data stored in already established enterprise content management (ECM) systems, such as Microsoft SharePoint. Invest in a solution that integrates with employees’ current workflow, so as to improve security without impacting productivity.
5. A Flexible, Scalable Solution
Any company worth its brand reputation is always looking towards future growth. So when investing in security and productivity solutions, make sure they’re able to support that increase, whether it’s in number of employees, types of devices used, or regions where business is done.
6. Plug-ins for Standard Business Solutions
Companies need methods of securely sharing files through existing workflow tools with internal and external users. Enterprise-grade solutions should provide plug-ins, so that data is not duplicated when it’s sent, no matter the recipient.
7. Native Mobile and Desktop Offerings
Employees need to be able to access, edit and sync enterprise content whenever and wherever they are. To ensure these functions are working smoothly, companies should invest in solutions that were built to function seamlessly on all devices and networks.
8. Proven Enterprise Experience
Go where the industry titans are going – those companies are bound to be using a solution that meets the strictest security requirements, and be compliant with the latest industry and government regulations.
Getting a handle on how mobile workers are interacting with company data is a simple way to boost company security and productivity. Aligning solutions with the above functionality will ensure that employees are off and running, mobile device in hand.