Don't tell Annalea Ilg, recently promoted to the role of CISO at cloud and IT managed service provider ViaWest, that she can't do something. The one-time interior design major ended up with a job in the cabling industry, moved into IT and never looked back. "I was lucky to be surrounded by great people that had faith in my abilities and let me see how far I could go with it," she said. "I just did what needed to be done, and then I thought, 'Wow! I can do this'—and discovered that solving problems in IT was my passion."
On the strength of that passion and real-world expertise, Ilg held IT administrative positions, roles as a network administrator, and then worked as a senior IT security analyst and business continuity coordinator at a large insurer. From 2011 to 2013, she was director of compliance and security at Cosentry, another IT managed service provider, before joining ViaWest, based in Greenwood Village, Colo., eventually moving into her current role of CISO and vice president. And, she admits, experience has turned her into a somewhat "paranoid security professional."
How different have the security challenges been at ViaWest compared to some of your earlier positions?
Annalea Ilg: Security solutions are constantly evolving. That is probably why it keeps me interested—there are always new challenges to solve. The big difference would be the business. ViaWest and TierPoint [which acquired Cosentry] are IT managed service providers. This is a different business model; we're protecting our clients, not just us. It definitely adds layers of complexity to the equation.
What does that mean in terms of the pressure on the role of CISO?
Ilg: Being a CISO at an IT managed service provider can be an interesting dynamic. We not only focus on the integrity, confidentiality and availability of the data, but also the controls, services and products we provide. Just the other day, I was attending a security presentation. It was clear the presenter was not an advocate of the cloud, which isn't uncommon in the security industry. We have a commitment to regulatory bodies, our clients and the world. The other side of the coin is that clients aren't always following their own processes; some can be negligent, and we as cloud providers need to make the hard call sometimes.
You mentioned the need to protect your own organization in the role of CISO as well as protect clients. In doing that, what has been changing in terms of threats?
Ilg: It seems obvious, but some organizations don't put necessary protections in place. Breaches are becoming the norm because organizations, and people, are not investing the time or money while attackers spend all their time digging and finding gaps. Prevention doesn't just happen by investing in one tool or writing a policy. An assessment needs to be conducted; organizations need to understand their profile, their environment and where they might be exposed.
You went through the lengthy process to become a Certified Information Systems Security Professional. What did you think of the CISSP process? Was it up-to-date and meaningful, and would you recommend it to others?
Ilg: CISSP is a security foundation that gives the baseline and domains of thought. Security is about being able to analyze risk, determine what matters and ensure controls are in place. I would have never got my foot in the door without it. I would definitely recommend it to others, but I would also recommend technical engineering classes or experience in the industry. Translating requirements to the business and to engineering is critical. You need real-world experience to be respected and navigate throughout the business.
What do you do to stay on top of threats and trends?
Ilg: It requires a team effort. I dedicate time daily to keep up, and I also rely heavily on my team, vendors and our professional services team. I am also the president of the local (ISC)2 Chapter and meet with our members on a monthly basis. It's easy to get lost in the priorities of the day, so I always schedule time on my calendar.