If security is supposed to be part and parcel of business processes, what do you do as a CISO to get security baked into projects?
We've instituted a governance process with IT projects. It's similar to building permit process where during the concept and definition phase, the project team gets in touch with my security consultants and determines whether there are any security implications. [It] doesn't matter whether they're writing new code, buying technology or outsourcing a function to a third party. Anything that involves the processing, transmission or storage of information goes through this process. We specify what security implications exist, what policies come into play, the threats and vulnerabilities involved and counsel the project team to comply with our policies and regulations. It's evolved to now include architecture, testing and quality aspects of governance. So do you actually sign off on a permit for projects?
One of the big questions for us revolves around whether there is any confidential information involved in a project. If the answer is yes, it raises other questions and our security consultant is engaged. Triage involves quality assurance consultants who work outside information security. They engage us, and we consult.
The key for us is that we need to be engaged. We need the opportunity to figure out if there are security ramifications in a project, not be intrusive and add value. How has this helped your relationship with senior management?
That's come over time from selling security to senior management for the past several years. High-profile cases of breaches or noncompliance with key regulations like GLB or California SB1386 have also raised awareness, and buy-in has become easier.
Buy-in is there. Our senior managers are intelligent people, and aware of what the issues are. They read the trade press and watch the news; they know what consumer concerns are, and what regulators want. They are motivated to do the right thing. How do you expect this process to evolve?
We need to broaden it to more areas in the company and more of our subsidiaries. I'm sure we'll need to streamline it if it gets cumbersome. This has grown from a security governance process to more of an IT process. Then it becomes a corporate governance issue.
I would be willing to bet that some CSOs are having a hard time getting their jobs done because they haven't engaged their business people well enough and haven't approached this as a business issue. They've approached it as a series of technical implementations, but they need to take holistic, risk management approach. Whether to take risks or not is really a business decision. They've failed at adequately marketing the services provided and getting closer to business people to help them understand risks. Do you speak a different language today than you did a few years ago?
I worked hard at understanding issues from a business perspective and not just from a security practitioner's perspective. I've learned to frame things in terms business people relate to. How did that happen for you?
I made a concerted effort to meet with every senior executive in the company. I got to understand them better and explain myself better. I was at a roundtable recently and one of the participants said the business doesn't understand what we're telling them. I responded that it's not the listener's responsibility to understand the speaker, it's the speaker's job to convey terms that are understandable. It's our fault if they don't get it.