AKS - Fotolia

Get started Bring yourself up to speed with our introductory content.

In her new role of CISO, Annalea Ilg is curious, driven and paranoid

The vice president and CISO of ViaWest, Ilg is tasked with keeping the IT managed service provider and its cloud services secure.

This article can also be found in the Premium Editorial Download: Information Security magazine: The managed security provider comes knocking:

Don't tell Annalea Ilg, recently promoted to the role of CISO at cloud and IT managed service provider ViaWest, that she can't do something. The one-time interior design major ended up with a job in the cabling industry, moved into IT and never looked back. "I was lucky to be surrounded by great people that had faith in my abilities and let me see how far I could go with it," she said. "I just did what needed to be done, and then I thought, 'Wow! I can do this'—and discovered that solving problems in IT was my passion."

On the strength of that passion and real-world expertise, Ilg held IT administrative positions, roles as a network administrator, and then worked as a senior IT security analyst and business continuity coordinator at a large insurer. From 2011 to 2013, she was director of compliance and security at Cosentry, another IT managed service provider, before joining ViaWest, based in Greenwood Village, Colo., eventually moving into her current role of CISO and vice president. And, she admits, experience has turned her into a somewhat "paranoid security professional."

How different have the security challenges been at ViaWest compared to some of your earlier positions?

Annalea Ilg: Security solutions are constantly evolving. That is probably why it keeps me interested—there are always new challenges to solve. The big difference would be the business. ViaWest and TierPoint [which acquired Cosentry] are IT managed service providers. This is a different business model; we're protecting our clients, not just us. It definitely adds layers of complexity to the equation.

What does that mean in terms of the pressure on the role of CISO?

Ilg: Being a CISO at an IT managed service provider can be an interesting dynamic. We not only focus on the integrity, confidentiality and availability of the data, but also the controls, services and products we provide. Just the other day, I was attending a security presentation. It was clear the presenter was not an advocate of the cloud, which isn't uncommon in the security industry. We have a commitment to regulatory bodies, our clients and the world. The other side of the coin is that clients aren't always following their own processes; some can be negligent, and we as cloud providers need to make the hard call sometimes.

You mentioned the need to protect your own organization in the role of CISO as well as protect clients. In doing that, what has been changing in terms of threats?

Security is about being able to analyze risk, determine what matters and ensure controls are in place.
Annalea Ilgvice president and CISO, ViaWest

Ilg: It seems obvious, but some organizations don't put necessary protections in place. Breaches are becoming the norm because organizations, and people, are not investing the time or money while attackers spend all their time digging and finding gaps. Prevention doesn't just happen by investing in one tool or writing a policy. An assessment needs to be conducted; organizations need to understand their profile, their environment and where they might be exposed.

You went through the lengthy process to become a Certified Information Systems Security Professional. What did you think of the CISSP process? Was it up-to-date and meaningful, and would you recommend it to others?

Annalea Ilg, CISO at ViaWest Annalea Ilg

Ilg: CISSP is a security foundation that gives the baseline and domains of thought. Security is about being able to analyze risk, determine what matters and ensure controls are in place. I would have never got my foot in the door without it. I would definitely recommend it to others, but I would also recommend technical engineering classes or experience in the industry. Translating requirements to the business and to engineering is critical. You need real-world experience to be respected and navigate throughout the business.

What do you do to stay on top of threats and trends?

Ilg: It requires a team effort. I dedicate time daily to keep up, and I also rely heavily on my team, vendors and our professional services team. I am also the president of the local (ISC)2 Chapter and meet with our members on a monthly basis. It's easy to get lost in the priorities of the day, so I always schedule time on my calendar.

Next Steps

What CISOs consider when developing security strategy

The pros and cons of two different CISO types

Are CISO training programs worth the time and effort?

This was last published in April 2017

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Would you recommend the CISSP process in its current form?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close