Banking on intelligence-driven security

Security 7 Award winner Jason Witty discusses how rapid change requires a disciplined, collaborative approach to information security.

This article can also be found in the Premium Editorial Download: Information Security magazine: 2013 Security 7 award winners revealed

By Jason Witty

This year, 2013, has proven to be yet another record-breaker for information security teams -- more data, sophisticated hacks, new adversaries and greater motivation for attack. We've also hit an inflection point: I'm now officially fielding information security questions from my family almost as often as I am from my boss. Information security has become a mainstream topic.

We already manage the information security risks of an explosively innovative world, with 7.1 billion people and more than six billion mobile phones. We're responsible for evaluating a world in which Facebook has grown so fast that one in seven people (approximately 1.15 billion) now share information socially. We've accepted that computers don't stay secure over time and we put in systems and processes to patch them on a continual basis. And we're all working on the ramifications, risks and rewards associated with cloud computing and the bring-your-own-device phenomenon. These things alone are enough to keep any competent CISO busy in the extreme.

Jason Witty, Senior Vice President and Chief Information Security Officer, U.S. Bancorp

  • Within his first 90 days as CISO at U.S. Bancorp, Witty worked with executives to develop a three-year roadmap based on an intelligence-driven security strategy, and broadly communicated that vision to more than 6,000 managers at the company. His success in communicating the strategy resulted in large increases in operating budgets and project funding.
  • As senior vice president and cyberthreat prevention services executive at Bank of America, Witty was responsible for a team of information security professionals -- spanning eight countries -- who provided information security risk prevention and deterrence services globally. He was also accountable for all information security controls outside of the United States for Bank of America Merrill Lynch, covering 48 countries.
  • Credentials and affiliations: Board advisor of ChicagoFIRST, Executive Committee of the Cloud Security Alliance, president of the Chicago Chapter of the CSA, Program Committee of the RSA Conference (2013 and 2014); formerly, the Chicago OWASP Chapter president (2006-2010).

Unfortunately, they are not the only dynamics at play. In 2013 we witnessed something of an "awakening" on the Internet. Historically, information security professionals have had a lot of practice at dealing with threat actors whose motivation is theft. Whether it's intellectual property or data, we're fairly good at dealing with theft as a profession. But in 2013, we saw large-scale attacks in which the motivation was simply disruption or even destruction. This is a game-changing development every information security professional must ponder. How do you handle a nation-state adversary whose sole goal is to knock your computers offline, or even wipe them all clean, to make a point to your country's leaders? What sort of government help exists? What sort should exist?

Keeping up with this velocity of change is extremely difficult. It requires a collaborative approach to information security that is disciplined and intelligence-based. We have defined six areas of intelligence we watch daily:

  • Customers: Are increasingly online and mobile, and demand that we be careful stewards of their data and transactions
  • Shareholders: Require that we protect revenue and enable growth
  • Business lines: Require agility and fast time-to-market to meet business objectives
  • Employees: Strive for excellence and are changing how and where they work
  • Regulators: Demand we provide evidence of a strong information security program
  • Cyberthreats: Require us to have mature prevention, detection and recovery controls to keep pace

We build feeds, processes, and relationships to track changes in all six intelligence areas, and use that to drive continual re-evaluation of our priorities, and the velocity with which we deploy solutions and controls.

Outside of work

Apple or Android? Apple

Plan B: Hapkido instructor

Security hero? Gary McGraw

How you unwind: Meditation

What keeps you up at night? My kids!

All of these dynamics at play also offer CISOs a fantastic opportunity to get what we've always wanted -- a seat at the senior executive table. We must seize that opportunity, realize the implications of what it means and adapt our vernacular to be able to communicate adequately and eloquently with business leaders. How do you speak Klingon with your team all day and then switch to English when your CEO or board asks you a question? It's easier said than done.

We have to be clear, concise and action-oriented. Consider for a moment, why do you have a job? To manage risk? If you have a breach or large-scale information security issue, it's highly likely corporate revenue will suffer. So your job is really revenue protection. Putting risks in terms business leaders can understand will not only benefit your career, it will help you get the support you need to develop solutions to keep pace with our ever-changing world.

This was first published in December 2013
