This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners unmasked."
by Mark Baard
Stress Reliever: Races shifter karts and motorcycles; surfs, kayaks, and enjoys fine cigars and aged rums.
Favorite geek site: www.slashdot.org
Christofer Hoff grew up as a self-professed geek on a sheep farm in New Zealand. While other kids were playing games and tending flocks in the nearby hills, Hoff was in school, learning what he could from the only two computers in the building.
Today, Hoff cares for a different flock at WesCorp, a corporate credit union based in San Dimas, Calif. As the company's CISO, he keeps network predators at bay.
But he's got good reason to be wary: WesCorp holds more than $25 billion in assets and a massive database of personally identifiable information belonging to thousands of consumers. WesCorp invests in plenty of bleeding-edge technology, including risk management and threat analytics, and has an annual IT budget of approximately $9.2 million.
WesCorp and Hoff are not alone. Security managers and IT administrators are becoming increasingly responsible for personal information as banks and their customers take advantage of new online services. Hoff and his five-person enterprise security services (ESS) team securely store more than 47 terabytes of check images, and ensure the secure handling of $1.7 trillion in wire and automatic clearing-house transfers per year.
"[Hoff] has moved us into a far greater security [posture] with the knowledge and technology he's brought us," says Carmen Rangel, senior security administrator at WesCorp and a member of the ESS team. Hoff helped WesCorp implement a SQL monitoring tool "when not a lot of companies were doing it," adds Rangel. "We are relying a lot more on databases and database infrastructures, and we're learning the potential dangers presented by false or captured data."
Hoff worked in startups and large enterprises as a network engineer and administrator before embarking on major security projects for global companies. He entered the security business eleven years ago and has since amassed a string of certifications, including CISSP, CISA, CISM and IAM; he is active in (ISC)², ISACA, ISSA and other security associations. During his tenure at WesCorp, he has integrated ESS with the credit union's IT department and made security a part of network design.
"Chris developed what we consider to be the internal network security architecture of the future," says Throop Wilder, cofounder and vice president of marketing at Crossbeam Systems, a security services switch company based in Concord, Mass., that has retained Hoff as an advisor. Rather than thinking of networks separately from security, Hoff has integrated sophisticated risk analysis with network design, resulting in a safer, simpler and cheaper network, says Wilder. "We see many cases in which people have adopted compartmentalized thinking and therefore missed key synergies and efficiencies between and among security, networking and business requirements. Chris stands out in his ability to combine these elements into a practical architecture that yields true value for his company."
In the past, WesCorp's ESS team may have deployed firewalls and other tools without thinking of their broader impact. "But what [Hoff] will bring in is less intrusive and generates less traffic on the network," says Rangel. Before deploying a technology, Hoff first assesses its "RROI," which for some stands for "risk-based return on investment" and for others "risk reduction return on investment."
Security at WesCorp is now treated as something that can add value, rather than a strict policing function. "Not one piece of technology goes into [the network] without solving a business problem," says Hoff.
This was first published in September 2005