Published: 02 Sep 2014
Renee Guttmann has spent the past 15 years leading security and risk management programs at Fortune 500 companies. A one-time Gartner senior research analyst, Guttmann has remained an active member of the global InfoSec community, sharing her hard-won advice -- and technology guidance -- with peers and vendors in the security and privacy space.
Throughout her remarkable career, Guttmann has served as information security architect, CISO and vice president at The Coca Cola Company, Time Inc. and Time Warner Inc. (post-merger), and Capital One. Currently she is vice president in the office of the CISO at Accuvant, an InfoSec services company.
What is the life of a CISO really like? Marcus Ranum caught up with Guttmann to find out her views on leadership and the core skills needed to surmount the never-ending challenges of global InfoSec and privacy programs.
For InfoSec practitioners, the CISO role is the top of the pyramid. Does our perception match the reality? I hear a lot of talk about 'presenting metrics to the board' and stuff like that. But is that really what you do? How do you spend your time?
Renee Guttmann: InfoSec issues, for most great companies, have risen to a level that deserves the board of directors' attention. It is an ever-changing landscape, including maliciously motivated groups ranging from organized crime, nation-states and firms seeking competitive advantage, all the way to cyberactivists attacking the brand. Metrics and reporting [them to the board of directors] are absolutely needed to quantify and simplify the magnitude of the risks facing enterprises and their owners.
But the real time is spent creating, 'socializing' and implementing a strategy for proactively managing potential risks to the organization. Once you have this strategy -- and key stakeholder support -- providing meaningful metrics to the board, and others, becomes a relatively simple task, if the implementation is going smoothly. And I will say that, after working my way up the InfoSec chain of command, being the first CISO for several great companies was incredibly rewarding.
How should security practitioners prepare for the CISO role? What would you say are the core skills a successful CISO is going to need? Where did you get those skills?
Guttmann: There is no one-size-fits-all. I know CISOs that never worked in InfoSec, who are considered excellent business leaders. I came up through the InfoSec ranks, but the most important skill today is to be able to translate InfoSec and risk management into something that is meaningful to others. I've been fortunate to attract and retain great talent who can help communicate the vision and strategy. I also worked for some great companies that provided excellent leadership support and training.
Security practitioners need to be actively engaged with the broader InfoSec community -- sharing ideas and lessons learned. Larry Bossidy called this 'stealing shamelessly.' There's no harm in utilizing good ideas developed elsewhere.
Being in a room with other accomplished CISOs can be intimidating when you are starting out in your career, but it's probably one of the most [important] things that you can do as an aspiring CISO -- surrounding yourself with successful peers never hurts.
You have to be willing to be open to new ideas, willing to change and also be a change agent. One of my favorite [concepts] from Charles Darwin's The Origin of Species is: It is not the strongest, nor the most intelligent, who will survive but those who can best manage change. If you don't embrace change, it's probably going to be hard to be a CISO.
How much of the CISO's role is walking around with a target painted on your back? Are you expected to fall on your sword if there's a breach?
Guttmann: It's common knowledge that anytime there is a network slowdown, it must be a misconfigured security device. I'm joking ... sort of. I'm not a fan of the blame game, but I do believe that CISOs need to be accountable when there are issues in their wheelhouse.
The opposite side of the coin is making sure that if a significant risk is identified before a problem occurs, the CISO is responsible for ensuring that the potential risk is well understood, and properly addressed -- even if it means losing a few popularity votes. Of course, there are different options for managing risk, including acceptance of risk. The right stakeholders need to be involved, and then I think the bull's-eye becomes less of a personal concern.
I've sometimes heard InfoSec practitioners talk about managing risk by getting business units to sign off on bad ideas -- as if that's going to deflect the blame or protect them from fallout if there's a breach. That never sounded realistic to me, and I've never tried it. What do you think?
Guttmann: This is sticky. Even if one business leader signs off, they might say they didn't really understand the issue if there was major fallout. That said, InfoSec is about managing risk, and a CISO needs to be practical. I recommend establishing bright lines in the sand that can't be crossed.
For example: 'We don't allow websites to launch with vulnerabilities that easily enable attackers to steal the personal data from the database.' It's equally important to have senior leadership support these 'bright lines.' And, eventually, folks know that they are not going to be able to launch an insecure website.
It is a good idea to establish a cross-functional governance team, including practitioners and senior leaders, to help assess and accept InfoSec risk. You don't want to run every exception up the proverbial flagpole, so the CISO needs to help the governance team identify what reasonable exceptions to the policy are. For example, the company may allow websites to launch with low-risk issues and a plan to address them within 90 days. You and the team have to be pragmatic. There is no such thing as perfect security.
What's your experience with outreach? How much time do you spend evangelizing security with the business units or having your team embed with other groups? It seems that successful security organizations are sometimes consultants and educators and other times, the guardians of the gates.
Guttmann: Most of my jobs have been global, and IT was also distributed. In each case, I had folks who worked for me overseas and, sometimes, they also reported to the regional lines of business.
We spent a fair amount of time educating key stakeholders and on overall employee awareness. I once told 1,000 people in IT that I considered them part of the team. Just as it was important for my team to understand and support others, it was equally [imperative] that everyone, including employees and consultants, understood the importance of protecting company information.
You know the InfoSec program is working when folks know who you are and they are comfortable calling you when there are issues. This goes back to … the 'no-blame game.' As a CISO, I would rather know about a potential problem early on so that I can address it in a timely manner. I tell people, 'There are always small fires burning, just don't let them burn the building down.'
How long does it take you to get into the role? I've always felt that as the scale of an organization increases, it takes longer to really understand what's going on -- I'm a control freak! Do you have any particular method that you use? Is it a process for you, or is it always different?
Guttmann: One of my managers gave me a gift: He sent me a book with a recipe for getting started during my first 90 days. And the book advised [managers] to ask people three questions: What's working? What needs to be improved? And, what don't I mess with? It was amazing how well this worked, in terms of being able to quickly identify [areas] where the information security program was considered successful and [areas] where adjustments were needed to people, process and technology.
I told my team, 'Perfection is the enemy of success.' I have a sign in my office that says I laugh because I have no idea what's going on. Being able to laugh when you don't have all the answers, and admit you don't know everything, is critical to longevity -- personally and professionally. By the way, I had no idea you were a control freak!
By 'control freak' I mean that I am always uncomfortable unless I understand things very well. That was a difficult thing for me to recognize professionally, because I think it implicitly limits the size of the organization I can work effectively in. When I look at the positions you've held, I get dizzy. How do you know what's going on levels down from where you are? My attitude is 'trust … but verify,' and I always lack enough bandwidth for the 'verify' part. How do you balance that?
Guttmann: This goes back to … managing risk. I don't actually use the word security unless I am talking about my 160-pound dog. This is also why you need to have a strategy that is well socialized along with buy-in. It takes a village or a neighborhood-watch program to be successful. I also think that for InfoSec to scale you need people, process and technology. I get concerned by remediation plans that are overly manual and require someone to look at little tiny lines of print for a few hours at a time. Not to harp on this, but bad things do happen. There are degrees of bad when it comes to InfoSec, and you need to focus on the things that are really important to the organization.
Any do-overs or mulligans?
Guttmann: Hindsight is wonderful but -- yes. First, I would have hired more college graduates, returning vets and interns sooner in my career. They bring perspective and credibility to the team. I can tell you that the twentysomethings in marketing, who work on the social media program, would rather hear InfoSec-speak from my twentysomething employee than me. Second, I would have said 'thank you' more often to system administrators, employees -- for reporting suspicious activities -- my team, consultants and peers. I leveraged all the company-sponsored mechanisms for recognizing people, but it really takes a village, and you need to celebrate success. You need to have metrics that show success, too.
Guttmann: As a CISO, it's important to be knowledgeable about how the state of InfoSec is evolving. Yesterday's due care may be tomorrow's negligence.
I recommend that InfoSec practitioners [consider the ruling] in the T.J. Hooper case -- two barges being towed by tugboats that sank in a storm in the 1930s. The barge owners sued for negligence, noting that the tugboats did not have functioning weather transmission radios. The tugboat owners countered that weather transmission radios were not an industry norm.
Judge Learned Hand ruled in The T.J. Hooper, 60 F.2d 737 (2d Cir. 1932) that the tugboat owners were liable:
Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission.
In other words, if there is a practice that is reasonable but not universally 'customary,' it may still be used as a measure of the standard of care. Doing the minimum necessary or simply adhering to regulations is not enough. The cloud, the Internet of Things and mobile are changing everything, and we need to work as a community and with our vendors -- including emerging technology companies -- to develop the products and solutions that will enable us to support our organizations going forward.
About the author:
Marcus J. Ranum, chief security officer of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.