2014 Security Leadership Issue: Building Security's Brand for Better Buy-in
In a wired world that is also full of risk, an enterprise’s reputation can be destroyed in hours.
Two CSOs – both with many years of experience – but both in relatively new roles with established enterprises. Both might need some time to get acclimated, check out the waters and see how things “work,” right?
Not exactly. While Keri Glitch, CSO at Iberdrola USA and Tim Dillon, Vice President of Global Physical Security for Oracle, didn’t exactly plunge in to their new roles and make uninformed and rash changes, both did use the first year in their new roles to firmly establish security’s role within their enterprises.
In a wired world that is also full of risk, an enterprise’s reputation can be destroyed in hours. There’s hacking and viruses, security controls that are compromised, workplace protection threats and more. When a company’s brand is compromised due to a lack or breakdown in security, the responsibility will invariably fall at the feet of the CSO or CISO, particularly when the value of the company’s stock collapses.
Glitch is well aware of those ever-present threats. She’s CSO at Iberdrola USA, responsible for Iberdrola’s physical, cyber and NERC compliance. The group has a presence in 24 U.S. states and in Canada and consists of Iberdrola USA Networks, Inc., Iberdrola Renewables and Iberdrola Energy Holdings.
Glitch, whose background is in information technology, became Iberdrola CSO in August 2013, but held both the CSO and CIO role until February of this year.
“As CSO, my team and I provide programs, guidance, processes and assessments to the Iberdrola businesses,” she explains. “The businesses then adapt the technology accordingly. We also have a threat management group, and we provide information to them to enable a unified response. We share threat information throughout all areas of the organization, we coordinate response events, mitigating controls and we also report to our executive staff and regulatory group on incidents and events. My organization was formed to reduce reputational, financial, operational, and compliance related risks.”
“My background is in supply chain and information technology,” she adds. “Three months into my CIO role we had an unauthorized incident that provided me firsthand experience with customer breach notifications. That became the catalyst for my increased interest in a CSO role. I love technology but I am also cognizant about the need to balance technology benefits with potential security risks.”
“I became an active proponent for increasing security’s presence within the organization and I was asked to lead the team,” Glitch notes. “The CSO role was a newly created position and it was a huge opportunity for me. And with a great team, we have done a lot in a short period of time.”
In the 10 months that she’s been in the newly created CSO role, Glitch has implemented a number of initiatives to enhance and communicate security’s brand within the enterprise. For example, her team has recently launched a program to manage third-party vendor risk. “Through this program, we work with the business and procurement to understand the risks associated with the vendor and ensure security related protections are in place such as a data security rider and cyber insurance. As a result, we have Iberdrola business units coming to us to help us vet their vendors. We have measurable metrics that we communicate to management, who have been very supportive of our programs.”
Glitch is also increasing awareness of the security program to all business units. “Our challenge is to get in front of the organization and explain what we are doing. We are doing a corporate security road show where we meet with business units for 30 minutes to explain our objectives and areas where we can provide support. We are reinforcing main messages to enhance our brand: why we were formed, our programs and how employees can contact us. We have one phone number for all cyber or physical security calls.”
Yet another initiative: Glitch recently launched a business security liaison program. “I have great executive support and understanding, but I am trying to increase awareness from other levels of the enterprise. So we are looking for employees who have an interest in security. They self-identify and work with us four to six hours a month and become our eyes and ears in the organization. We provide them with safety- and security-related training. We hope to expand the program throughout the entire Iberdrola business.”
As enterprise security is relatively new to the organization, trust has to be built, Glitch notes. “By embedding these liaisons, they can be an additional source of information for us, and we train them on when to raise the alarm, when to say something and when to react. As the program develops, we will be embedding these people not only in the corporate offices but in the field as well.”
“My team’s role is to partner and guide the business and protect our assets, and our people are our biggest assets,” Glitch adds. “The more that I can demonstrate value to our organization and our brand, the more support we will receive from the IUSA leadership team.”
Glitch notes that her outreach to Iberdrola employees has been particularly well received. “We have a strong safety culture here at IUSA and begin each meeting with a safety tip or contact. My team is leveraging that culture to also discuss security tips at the start of each meeting. We prepare these tips weekly and make them available for all users through our SharePoint portal. Through these tips we are making security an aspect of every conversation, such as password management, tips for traveling, and from a personal aspect, how to keep your home computer safe. A lot of our messages not only stress the impact at Iberdrola, but an employee’s personal life, as well.”
One additional initiative from Glitch that’s related to increasing employee awareness is a passport to security. The “passport” contains security-related information and tips on topics such as security fundamentals, information protection, preventing device theft and password tips. In addition, the “passport” provides information on reporting an incident and security contacts. “These passports will soon be provided to all Iberdrola USA employees and will soon be translated into several different languages,” Glitch says.
Making the Brand Mean Business
Dillon of Oracle recently presented at the third Security 500 West conference in Palo Alto, California. Dillon’s presentation, “Making Security’s Brand Mean Business” was exactly what Dillon has been doing at Oracle for the past year.
Dillon’s exemplary career has been rooted in the high-tech industry in Silicon Valley, with leadership roles at Cisco, 3Com and NetApp. Oracle recruited him from NetApp where he had completed built a global safety and security program from scratch. “It was a difficult decision for me to leave NetApp,” he says, “because the NetApp culture resonated with whom I am, which is not policy enforcement but more of customer service. I tend to trust people first, until they give me reason not to.”
Dillon notes that risks to the Oracle organization are three-fold: The sheer size of its global footprint and expansion plans, workplace violence and customer service. “I say workplace violence in terms of the risks that we bring to each other in the workplace and the responsibility that I have to that. We are working on education, prevention and improving our response and mitigation in this area. A commitment to a Customer Service model is a key success factor because it can have an important influence on productivity in the enterprise environment. At Oracle there is a tendency to focus more on being self-sufficient. We have a program called ‘self service apps’ where employees can procure an employee badge, for example, and while that’s good for efficiency, it’s not customer service. If we are not customer service focused then we can risk degrading how people feel about us, about their personal security and their role in the company.”
Dillon found that Oracle physical security’s brand has not been positive within the enterprise, so one of his first initiatives and long-term goal was creating a security brand that could overcome past perceptions and change things for the better. With support from Oracle executive management, he first ensured that his strategy would be in line with his peers to help drive his planned changes.
“I committed to my boss to provide him with a current state of security assessment, which was produced in the form of a white paper, followed by a five-year business plan that would be carefully executed and communicated,” he explains.
Among the first initiatives was to shift the mindset of “guards and cards” to protection of people. “Everything I do should have some direct tie in to impacting shareholder value,” Dillon explains. “Access control is what we do, but it can’t be 80 percent of our focus. When I looked at the security budget in the past, 80 percent was allocated to access control and security officers. But what about traveling to high-risk areas, workplace violence, or anything that impacts a person’s safety and security? If you invest in people, then those people will work more comfortably and the enterprise will be able to expand into emerging markets and be more productive, as they know their security is being taken care of. The reality is that we are a community in a workplace. That impacts market value and shareholder value. At the end of the day when we spend money on a service, what is the outcome and the value of it?”
He spent six months assessing his newly inherited Oracle global business, looking for waste. He took an approach dubbed, by him, “de-invest and invest,” and found ways to de-invest and reduce wasteful spending.
“For example, when I looked at each region of the world and saw a facility with a security officer standing at the door who greeted people all day next to a card reader but the facility was lacking in investigative or crisis response abilities, I de-invested those resources to a higher priority. The public perception of a security officer is important, but you need a good mobile response team, too. My former boss at NetApp taught me to closely examine spending and track it against revenue dollars and then trend it over years to ensure that you within a tolerable level. It’s important for a CSO to not only understand our company’s business model in addition to carefully knowing the decisions behind where and how to spend security money. The cards and guards are still your foundation, but you don’t promote it as your brand.”
“I believe in full and complete disclosure with our security business plan. I have two annual summits with direct security staff and leadership, and we discuss elements of the security business plan. I meet with region managers twice a year to discuss the plan, and then I meet with their teams to ensure that our message and brand permeates through the entire organization. The brand is who you [enterprise security] are as an individual and who we are as a team. It has to align with the corporate culture. You cannot go to the executive team each year and just ask for more money. You have to talk to them the way that they think, and understand their business model. You have to talk to them as investors, ensuring that they identify the value of your branded products and services as it directly impacts the company’s shareholder value. The security brand must align with the corporate business model and culture, in order to achieve the financial support necessary for success.”
How The Internet of Things Will Affect Security’s Brand
One area that will challenge CSOs in branding security is the Internet of Things (IoT), where analyst firm Gartner says that 26 billion devices will be Internet-enabled by 2020.
While most of the devices are unlikely to pose security threats, many will intersect with enterprise networks in the form of smart heating and lighting systems, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, plant control systems and personal devices such as fitness bands and smartwatches. Managing those devices securely will require a combination of security skills, says Earl Perkins, Gartner analyst.
While organizations have been able to add some measure of protection to smartphones, tablets and other mobile devices in the workplace, they will find it hard to do the same with many of the devices that will comprise IoT in a few years, says Perkins. Instead of layering protection at the device level, enterprises will need to think about centralizing and aggregating security controls via gateway devices.
“There will be many different kinds of service providers who will contribute to security in the enterprise,” Perkins predicts. In addition to traditional security vendors, others like embedded application and operating system vendors and equipment manufacturers will have a role to play, too. “All of [these entities] will become players in the security space,” Perkins notes. “Some will be customers of security and some will contribute to security.”
Dealing with the real-time, event-driven applications and non-standard protocols that define much of IoT will require significant changes to app testing, vulnerability, identity and access management practices, Perkins says, in addition to governance, management and enforcement of security functions.
The challenge, he says, is for security to think less about technology and more about getting ahead of the security curve. Many of the technology controls needed to secure a highly connected world already exist. What CSOs and CISOs need to focus on are policy and process – specifically, developing secure deployment practices and policies and putting in place architectural foundations for accommodating new IP-enabled devices.