In this video interview from RSA Conference 2011, CISO Scott Sysol discusses his organization's enterprise risk management policy on various emerging technologies, such as smartphones, social networking and cloud computing.
Read the full transcript from this video below:
CISO interview: Choosing enterprise risk management policy
Rob Westervelt: Hi, I'm Rob Westervelt, the news director of SearchSecurity.com. Thanks very much for watching this video. In this edition, we're going to be talking a lot about security issues faced by chief information security officers, and we have one such chief information security officer with us today. Scott Sysol is CISO of the CUNA Mutual Group. Scott, thanks very much for joining us.
Scott Sysol: Thank you.
Rob Westervelt: So let's talk about some security policy issues. We're hearing so much about the influx of smartphones, and tablet devices being introduced into the enterprise. Especially with the iPad coming out in 2010. Talk a little bit about how you're addressing it at CUNA.
Scott Sysol: We actually took, I would say, a fairly aggressive approach. We also wanted to... I sit down with my CIO we talk about being as flexible for our customers and users as CUNA Mutual Group as we possibly can. So we talk a lot about what can we do to aggressive and progressive in these areas, and get ahead of them. So we actually did that last year. We spent a lot of time on our technology that we wanted to use on mobile, our policies around mobile. And we moved them to a very aggressive stance where we allow any device, we allow personal devices, and we some technology to help protect that. That was the piece that we needed in place. We used Good Technology, and it's a great piece of software. It puts me at ease from a security perspective but also gives our end users the ability to do what they want to do, and get the devices that they want to get. Same goes for the iPad, we're just like most companies, testing them, piloting them. Our executives want them, that sort of thing. So we're looking at those as well in the same approach.
Rob Westervelt: We're hearing a lot more about these device management platforms that help enterprises enforce security policies across different device platforms. Is that something that you've been looking at?
Scott Sysol: We didn't want to have to manage smartphones; there's a new one every other week. So we didn't want to have to manage which ones we allow, and which ones we don't allow, and get into all that device management. We wanted to just open up the policy and say, 'You can get what you want.' We have a few guidelines around that obviously; we have a couple of carriers that we deal with, things like that. As long as you're within those boundaries, get the device you want, and we want to have the technology in place that can secure those devices across no matter what it is, whether or not you're getting an iPhone or an Android phone or whatever.
Rob Westervelt: The one thing I've noticed, I think you mentioned in your previous comments, that you're calling end users customers. Why are you doing that? Why do you think it's important to call them customers?
Scott Sysol: Those are my customers; when you're internal to IT that's who you're servicing. So I have a multitude of customers from my peers in IT, who I have to service as well -- deliver service to them so they can be successful -- as well as to the business. So I look at them all as customers.
Rob Westervelt: Of course a lot of employees are using social media and it's even being used by enterprises for marketing and business functions. How does CUNA approach this from a policy perspective?
Scott Sysol: We don't really have a brand per se. We service credit unions across the country. Those credit unions are really the face to the member when they get the products, but we're providing the products on the back end. So our brand is not really there, so we haven't seen a real large like embrace corporately of Facebook or Twitter as a marketing channel. So I've been kind of lucky there, not to have to address it, but from the end-user or customer perspective, we've taken more of an open approach. The philosophy of the company and my philosophy as well is: Manage people by their performance not by how much they browse the Internet or anything like that. So we have pretty open policies for the use of Facebook, but obviously when it comes to speaking on behalf of the company through those channels, we have some pretty strict policies.
Rob Westervelt: We're hearing a lot about cloud computing, how is your organization approaching the use of cloud computing services? Do you feel like you have a lot of visibility into the different parts of your organization [and] whether or not they're using cloud services?
Scott Sysol: Governance is in place to make sure we're doing that in a thoughtful way, and it's not a business unit going off and doing something in a rogue fashion. We've had cloud initiatives, we've done software as a service, and they've been successful. We used SalesForce.com for example which was a very successful initiative for us. It's going to continue to grow so obviously we think about it all the time.
Rob Westervelt: Have you ever done an audit to find out if maybe there's anybody using a cloud service on their own?
Scott Sysol: We do audit pretty regularly. We haven't found anything yet.
Rob Westervelt: Internally your proprietary data -- is that all being kept in-house?
Scott Sysol: Interestingly enough, our HR organization wants to outsource our internal HR systems. They're working on that right now. We're thinking about it, and yes, that's been a concern. We've spent a lot of time on contracts and negotiations about how we're going to protect that data. We audit those organizations to see what kind of protections they have in place. We put a lot of liability clauses in those contracts to make sure that if something happens, if there's a data breach for example were to happen, where's the blame going to be. Who's going to have the liability? That is a concern of mine.
On a broader scale, I'd say the market isn't ready for that yet. On a one-off, we'll look at them one at a time. Taking our whole data center and putting it in a cloud, I wouldn't say we're ready for that yet. Not in an organization where we carry so much private data. Typically you'll find in insurance companies that there's a lot of old technology. There's a lot of legacy, which make moving to those technologies in the cloud harder. You'll find a lot of mainframe applications and A/S400 applications and things like that.
And they're typically policy systems that have been in place for 30-plus years, sitting on the mainframe, and people don't want to spend the millions of dollars to move those off. Whether it's to a new system or the cloud, for that matter, they will just generally connect front-ends to them and let the mainframe run. So it poses a little problem from that perspective, but I would say we're a little bit more progressive. So we're looking at them, but it's going to have to be the right thing, the right time, right solution.
Rob Westervelt: Scott the one thing I know is that insurance companies seem to have a really good handle dealing with risk, and measuring risk. Does the same metrics that security companies use to deal with risk, can that be applied to IT security and IT in general?
Scott Sysol: It's a little harder to quantify those when you're talking about it from an insurance perspective. There's pretty rigorous technologies and tools in place an underwriter can take advantage of to say. Catastrophes for example, they can look at historical data for many, many years and have patterns that can go around. Security is a little more difficult, it's a little more art than it is that kind of science. It's harder to apply those models but we do. We do apply the models and the good news is being an insurance company people understand it when you talk risk, when you're talking about how big of risk it is, how big of an impact. What's the likelihood, sitting down and talking to somebody about how big it might be is an easy conversation because they all understand that.
Rob Westervelt: However are they looking for metrics that you may not have?
Scott Sysol: Sometimes they do poke at that a little bit, but they quickly realize that there's only so much data that you can go back on. It's a short window, they get that, they understand that, which makes it a little difficult when, and I've been in companies where it's been hard to sell these initiatives because people aren't buying your story. So that's where the art form comes in around being able to be a good salesman.
Rob Westervelt: Finally Scott, I know that your organization actually sells data breach insurance. Let's talk in general about that. Are you seeing a really big uptake in the need for this kind of data breach insurance?
Scott Sysol: Yes, very much so. I would say it's a growing business for us, which is obviously an indicator of that. When I talk to my peers, a lot of folks have it. It's pretty prevalent, we have our own that we have for ourselves that we purchase. It's definitely a growing trend; I see it being kind of a mainstream insurance for companies.
Rob Westervelt: Well, Scott Sysol the Chief Information Officer of the CUNA Mutual Group, thanks so much for being with us.
Scott Sysol: Thank you.
Rob Westervelt: And thank you for joining us for this video. For more information on issues dealing with chief information security officers, you can go to SearchSecurity.com.