This year, 2013, has proven to be yet another record-breaker for information security teams -- more data, sophisticated hacks, new adversaries and greater motivation for attack. We've also hit an inflection point: I'm now officially fielding information security questions from my family almost as often as I am from my boss. Information security has become a mainstream topic.
We already manage the information security risks of an explosively innovative world, with 7.1 billion people and more than six billion mobile phones. We're responsible for evaluating a world in which Facebook has grown so fast that one in seven people (approximately 1.15 billion) now share information socially. We've accepted that computers don't stay secure over time and we put in systems and processes to patch them on a continual basis. And we're all working on the ramifications, risks and rewards associated with cloud computing and the bring-your-own-device phenomenon. These things alone are enough to keep any competent CISO busy in the extreme.
Jason Witty, Senior Vice President and Chief Information Security Officer, U.S. Bancorp
- Within his first 90 days as CISO at U.S. Bancorp, Witty worked with executives to develop a three-year roadmap based on an intelligence-driven security strategy, and broadly communicated that vision to more than 6,000 managers at the company. His success in communicating the strategy resulted in large increases in operating budgets and project funding.
- As senior vice president and cyberthreat prevention services executive at Bank of America, Witty was responsible for a team of information security professionals -- spanning eight countries -- who provided information security risk prevention and deterrence services globally. He was also accountable for all information security controls outside of the United States for Bank of America Merrill Lynch, covering 48 countries.
- Credentials and affiliations: Board advisor of ChicagoFIRST, Executive Committee of the Cloud Security Alliance, president of the Chicago Chapter of the CSA, Program Committee of the RSA Conference (2013 and 2014); formerly, the Chicago OWASP Chapter president (2006-2010).
Unfortunately, they are not the only dynamics at play. In 2013 we've now witnessed somewhat of an "awakening" on the Internet. Historically, information security professionals have had a lot of practice at dealing with threat actors whose motivation is theft. Whether it's intellectual property or data, we're fairly good at dealing with theft as a profession. But in 2013, we saw large-scale attacks in which the motivation was simply disruption or even destruction. This is a game-changing development every information security professional must ponder. How do you handle a nation-state adversary whose sole goal is to knock your computers offline, or even wipe them all clean, to make a point to your country's leaders? What sort of government help exists? What sort should exist?
Keeping up with this velocity of change is extremely difficult. It requires a collaborative approach to information security that is disciplined and intelligence-based. We have defined six areas of intelligence we watch daily:
- Customers: Are increasingly online and mobile and demand we are careful stewards of their data and transactions
- Shareholders: Require we protect revenue and enable growth
- Business lines: Require agility and fast time-to-market to meet business objectives
- Employees: Strive for excellence and are changing how and where they work
- Regulators: Demand we provide evidence of a strong information security program
- Cyberthreats: Require us to have mature prevention, detection and recovery controls to keep pace
We build feeds, processes, and relationships to track changes in all six intelligence areas, and use that to drive continual re-evaluation of our priorities, and the velocity with which we deploy solutions and controls.
Outside of work
Apple or Android? Apple
Plan B: Hapkido instructor
Security hero? Gary McGraw
How you unwind: Meditation
What keeps you up at night? My kids!
All of these dynamics at play also offer CISOs a fantastic opportunity to get what we've always wanted -- a seat at the senior executive table. We must seize that opportunity, realize the implications of what it means and adapt our vernacular to be able to communicate adequately and eloquently with business leaders. How do you speak Klingon with your team all day and then switch to English, when your CEO or board asks you a question? It's easier said than done.
We have to be clear, concise and action-oriented. Consider for a moment, why do you have a job? To manage risk? If you have a breach or large-scale information security issue, it's highly likely corporate revenue will suffer. So your job is really revenue protection. Putting risks in terms business leaders can understand will not only benefit your career, it will help you get the support you need to develop solutions to keep pace with our ever-changing world.