Invaluable Advice from a Renowned CISO

As you know, this column focuses on some of the most fundamental components of an effective Security Program, namely the skills and competencies required by the security leader to implement a successful program. These traits, sometimes called the ‘soft skills’ of security management, are increasingly important as security risk management becomes a predominant Board room conversation.

Chapter 8 of the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008] offers invaluable advice from one of our renowned ‘been there, done that’ security professionals, Howard Schmidt. Howard has an impressive resume: In addition to Schmidt’s service at the White House he has served as Vice President and Chief Information Security Officer and Chief Security Strategist at eBay, Chief Security Officer for Microsoft Corp, Supervisory Special Agent and Director of the Air Force Office of Special Investigations Computer Forensics Lab and Computer Crime and Information Warfare Division.” This column will highlight some of the wisdom from that chapter.

In his introspection, Howard relates an epiphany he had early in his career. Although he was working with very intelligent, successful non-security people, he recognized that they had difficulty comprehending the ‘what’ and ‘why’ of information security.

Now, don’t we all experience that at some time in our careers? We, who know and understand the risks and frailties of computer systems and networks; we, who eat, live and breathe security risk management; we, who devour the horror stories online and in hard copy of daily security breaches and identity thefts.

Why would we not expect others to appreciate security?

This is a critical point in achieving success in our profession: we must recognize that our business constituents have a myriad of decisions to make each day, and that information security is but one of many issues that may or may not even appear on their radar range. Regardless of whether we name it security and business alignment, business risk management, asset protection – semantics aside, we have to have the patience and the ability to articulate the importance and more importantly, the appropriate prioritization of information security.

In his remarkable career, Howard leveraged his skills and competencies in his approach to providing visibility and influencing the organizations that he has been a part of. In his chapter, Howard offers excellent advice on the following:

What Skills Should a CISO Have:

  • Understand how technology can be used to create risk
  • Think strategically so security is built in, not bolted on
  • Appreciate the legal and ethical implications of securing resources
  • Leverage business drivers

How a CISO Acquires Business Acumen:

  • Understand the needs of the business. They are your customers.
  • Operate the security program as you would a business. Implement controls that meet business needs, manage costs and reduce risks accordingly.

Remember in the old days how we used to turn blue trying to convince our organizations that security was important. Howard makes a legitimate point that the thought process has evolved from “Why do we need security?” to “Help me make my business secure.” Businesses are becoming quite aware of security risks. How can they not be more aware when daily headlines decry lost laptops and identity theft? Our challenge as security professionals is to figure out how to assist the business in meeting their risk management needs in a manner that won’t be negatively impacted.

Howard also validated what I’ve always believed is an important facet of information security – and a point that I highlighted in my first column on this blog – that is, consideration of the culture of the organization is pivotal for the success of a security program. The level of assurance is dependent on what needs to be safeguarded and the environment in which it resides. Remember, security must be realized as a benefit to the organization, both in cost savings as well as risk mitigation.

Lastly, Howard offers his advice on the toughest challenges facing our profession today. Here’s a partial list:

  • Vulnerabilities in software applications, especially those where exploitable code is available.
  • Mobile devices that either house confidential information or are entry points for the company’s network.
  • Emerging wireless technologies – easy to connect to, not so easy to secure.
  • The age old ‘data classification’ or ‘data flow’ issue – how many of us really have a good handle on this one?

Post a Comment

Your email is never published nor shared. Required fields are marked *