The CISO Challenge: It's About Using Security to Enable the Business

Jason Clark, CSO of Websense, has spent a significant amount of time meeting with over 400 CSOs. From his interactions, Clark offers his advice on how chief security officers can be more effective in their positions going forward.

The biggest challenge for a chief security officer is to become more of a business leader, Clark says. Companies are making major transitions around information technology, such as implementing cloud services and mobile devices. "Security has to be engaged and connected right into that," Clark says in an interview with Information Security Media Group's Tom Field [transcript below].

And for the first time ever, top business executives are including chief security officers in those conversations. "In my travels, about 40 percent of [CSOs] are now talking to the board about security," Clark says.

This amplified communication is also raising the profile of the chief security officer, and in return CSOs need to show C-suite executives that they are the person who can help enable the business securely, not hold it back.

And along with that increased business leader role comes innovation. "Think about different approaches of security," Clark says. "It's not about the technology and it's not about the processes." It's about people, he argues, and getting their buy-in to move forward with new solutions, such as cloud and mobile, in a secure manner.

In an exclusive interview, Clark discusses:

  • The challenges of mobile security;
  • Security trends that concern him most;
  • How CISOs can be more effective.

As a previous customer and early adopter of Websense products, Clark is responsible for leveraging his technical knowledge and deployment expertise to help CXO executives and advise them on how to best take advantage of the Websense TRITON architecture and unified content security solutions.

Clark brings more than a decade of senior IT security leadership to Websense. He previously served as chief information security officer (CISO) at Emerson Electric, a global Fortune 100 company, where he significantly decreased risk by building the security program for its 140,000 employees across 1,500 locations. Prior to Emerson Electric, Clark was the CISO at The New York Times and senior manager of security and infrastructure architecture at EverBank. Clark also served as a senior network and security engineer for BB&T and as a U.S. Army security systems engineer.

TOM FIELD: To get us started, why don't you tell us a little bit about yourself and your own personal experience, please?

JASON CLARK: I'm the chief security and strategy officer for Websense. Before that I was the chief security officer for Emerson, which is a 140,000-employee company, a Fortune 100. Prior to that, I was the CISO for the New York Times. In the 18 months that I've been with Websense I've sat and met with 450 chief security officers and one hundred CIOs. That gave me a great opportunity to really see what was going on out there through all of 2011, which was a pretty interesting year for security to say the least.

Biggest Security Challenges

FIELD: That's what struck me looking over some of your blogs, the amount of time that you spent talking with CSOs. From your conversations, what do you see as their biggest challenges today?

CLARK: It's the changing landscape of really what's happened with the threats, but also with their infrastructure. It's kind of those two things coming together to make a perfect storm, whether it's the targeted attacks combined with the issue of the adding of mobile devices. And as people add these devices, it just increases their attack surface, and that phenomenon of BYOD. And the mobile device concern is the top topic I hear everywhere I go. It's the first thing they bring up that they want to talk about, at every round table and every meeting.

Then, we transition into talking about some other topics, and hacktivism is a big one that has come up in the last six months because it's not your traditional threat that they have built their defenses against. In the end, in the last part of our discussion, it all comes back to the data and protecting it from theft, whether it's a malicious insider or these targeted attacks. That's the number one thing these guys are trying to protect, and that tends to be their biggest challenge.

How CISOs Can Be More Effective

FIELD: You talked about the interesting year we saw in 2011, the various threats that we all faced. Given that landscape and what you see as the challenges for CISOs today, what do they need to do to be even more effective in 2012 than they were in 2011?

CLARK: The biggest thing I see for the future for everybody is that they've got to become much more of a business leader. Engage with the executives of their company. They have got to have a major transition of the businesses going toward IT, toward the cloud, toward mobile devices. Security has to be engaged and connected right into that. As I watch and we're making this transition, for the first time ever the board of directors across everywhere is asking to talk to the chief security officer. In fact, I'd say in my travels about 40 percent of them are now talking to the board about security on these topics. It's raising the profile of the chief security officer and in doing that, they need to show that they're the guy now that's helping to enable the business and they're not trying to - if I can use the analogy of brakes on a car - stop the car, but to help the car to go faster safely. That's exactly what we need to do with our security department.

And as you're doing this, be innovative. Think about different approaches of security. Think differently, so it's not about the technology and it's not about the processes. It's really about the people, and then what do you do with that technology and the processes to get the funding, which is the number one thing you really need to get through to your peers and from your executives: their buy-in to move forward, and then get the solutions to help you be successful.

Mobile Security Issues

FIELD: We're talking in advance of the RSA Conference. There are a couple of new topics that have entered the discussion at the event this year. I'd like to get your take on these. One of them is mobile security, and you've talked about BYOD, the phenomenon of bring-your-own-device. Including that, what do you see as the top issues in mobile security that we're going to be talking about at this year's event?

CLARK: The top issues ... if I break them down into three different domains, are going to be malware, the growth of malware in the mobile space. That's kind of the threat side. Then you have the MDM [mobile device management] players out there. That's really about controlling and managing the device. And then you have the third area, which really comes down to protecting the data on the device. I would say those are going to be the three major themes; but when I look at it, I think it's a little overblown on the threat side at this point. We're really not there where it equals a threat of even just your laptop. When it leaves your infrastructure, the laptop is still at more risk just because there are so many ways to break into it. It has so much more of an attack surface. So while it's a top thing to talk about, the threat isn't there on the inbound for the device. Now on the outside it is.

The big thing I think we're going to see is a lot about MDM, but we need to remember that solving the world by endpoint security and trying to manage a device didn't work and isn't working for security today, and it isn't going to really work for our mobile devices for the future. When I walk the floor I'm going to be looking at people that are talking about things other than that. How do I do it via cloud? How do I do it without endpoint security? How do I worry about the data? Pay attention to those topics is the advice I would give.

FIELD: Another broad topic at RSA this year is security trends. Aside from mobile, what are the trends that you're thinking most about this year?

CLARK: I'm thinking about the transition of how the bad guy is going after intellectual property. If you look at all the reports, the Verizon breach reports, DataLoss.org and every report out there, even the Ponemon reports where they talk about data loss, all their stats are made up of PII, and the problem with that is the big guys have shifted away from PII at a massive rate because they're starting to make more money on intellectual property than they are on PII, because we put so many controls around PII. With that transition, our security defenses, or even our surveys that we see out there in the industry, have not adjusted yet. That's a big topic, a major concern and something we need to be focusing on.

RSA Conference 2012

FIELD: Final question for you. We've both been at the RSA event before. It's the Mardi Gras of security in a lot of ways. For first-time attendees coming to this event, what advice would you give to them to get the most out of the experience?

CLARK: First one is don't overpack your schedule. Look at everything that you want to attend and cut it back a little bit, because it's really about maximizing the sessions that you do sit in versus trying to race around and get to them. The event, while there are a lot of good sessions there, the biggest value you can get is connecting and networking with your peers, as you're going to learn a lot more from them than you will from any vendor. The peer connection is something that's going to be long-lasting. You can ask them questions forever. The networking opportunities, the lunches, the drinks and the dinners I think are very important.

But going to the sessions, specifically, I'll tell you the ones that I'm going to be attending that just jump out to me, and that's "Security Enters the Boardroom," which relates to that CISO becoming more of a business leader. How do I articulate my value and how do I sell my security group to the business and to the board? The second one is "Elephant in the Room: Intellectual Property Hacking." Again, that theme we talked about, intellectual property, is becoming the big issue that most people aren't equipped to handle. And then the third one, and one of my friends is managing the session, Jerry Archer, who is the chief security officer for Sallie Mae, is talking about "weather" beyond the cloud. That session is on Wednesday morning and it talks about the challenges of moving your data to the cloud. He and a couple of founding members from the Cloud Security Alliance will be managing those sessions. That's my advice.
