CISO's Challenge: Security & Risk
Security Leaders Take on Dual Responsibilities
David Sherry, CISO of Brown University, sees the information security leadership role transitioning completely to risk and governance over the next few years. And with that transition will come new challenges.
A member of Wisegate, a private association of senior IT leaders, Sherry sees the chief information security officer evolving to manage the risk of an enterprise by setting the proper programs, policies and processes that are necessary to fulfill the IT security mission.
"By establishing one person who thinks of the compliance, risk and security needs holistically, the areas responsible for the day-to-day operations of utilizing the controls and the assessments will have better leadership and direction," he says in an interview with Information Security Media Group's Tom Field [transcript below].
Wisegate recently commissioned a study on the changing role of CISOs, identifying that as security and risk management roles continue to merge, tension will grow in the organization.
Those tensions include push-back from key partners in the enterprise who don't see the need or institutional value of security initiatives. Also, incorporating new policies and changes into an organization creates worry among technology teams and clashes with entrenched business processes.
"Setting some small wins, setting manageable targets and understanding the impact to the organization and decisions we make will certainly aid in overcoming this," he says.
In an interview about the CISO's evolving role, Sherry discusses:
- The challenges of managing both information security and risk;
- Essential skills and tools for the evolving CISO;
- Advice for tomorrow's security and risk leaders.
Sherry is the chief information security officer at Brown University, with university-wide responsibility and authority regarding matters of information security and privacy. He leads the university's information security group, which develops and maintains Brown's information technology security strategy; IT policies and best practices; and security training and awareness programs. The group also conducts ongoing risk assessment and compliance tasks. As the university spokesman for both information security and privacy, Sherry also plays a key role in the records management program, regulatory compliance and copyright law. He came to Brown in 2008 with more than 20 years of experience in information technology. He most recently worked at Citizens Bank, where he was vice president for enterprise identity and access management.
TOM FIELD: To start out, why don't you tell us a little bit about yourself and your experience? For those who don't know about Wisegate, tell us a bit about that organization as well.
DAVID SHERRY: I have 20 years in IT management, which encompasses government, a start-up, financial services, and now in higher education. I've been completely focused on security since right after Y2K, and I've been the top security practitioner in three organizations since that time.
I came to Brown University a little over four years ago as the first chief information security officer for the institution, and I've seen this role, my mission and the scope change quite a bit in the last four-plus years. I have certifications of CISSP and CISM. I sit on several national committees for Educause, and I speak on security and privacy at several colleges and public community groups throughout the academic year. I'm also a founding member of Wisegate and part of a small, but rapidly growing, group of higher education members in Wisegate, which I'm very excited about.
Wisegate is a great community of security minds where information, expertise and more importantly wisdom is shared freely amongst the group and has provided me, so far, great value in both content as well as networking.
FIELD: Wisegate recently came out with a report on how CISOs manage information security and risk. What's the genesis of this study?
SHERRY: The genesis of the report is the observation that the role of the CISO is changing. More and more enterprises are looking to the CISO to take responsibility for a deeper and broader set of interrelated tasks, in addition to their security role. Enterprises are recognizing the need to have someone responsible for privacy and compliance issues, but resources are tight. So, as security has proven itself and has become more of a strategic player in the success of an enterprise, utilizing the security role and the proven success risk in risk management has been seen as an emerging trend in this area. It really makes sense. Security, privacy and compliance disciplines all require the same type of thinking, and having them fall into one area can create efficiencies and economies of scale as well.
Enterprises need a champion in this area who can really take a systematic and holistic approach to security and risk that spans numerous areas, including legal and operations, HR, compliance and privacy. No one wants to be visited by multiple areas with surveys and assessments, when they can be accomplished through one vehicle and possibly one person or one department. Wisegate heard this from their members, did the investigation and published the findings in the report that you spoke about.
FIELD: Your perspective: What are the report's key findings?
SHERRY: It appears that it's common for the security role to have an expanded responsibility. That's one of the keys of the report, perhaps adding privacy, compliance and sometimes even both. It appears that it's compliance that's the key driver in combining these roles and missions with the obvious alignment and the importance for all enterprises to be able to show compliance success. It has always been necessary for security to prove their worth and their protection, so the mindset is already there.
The report also talks about the tensions that are inherent in risk management and the information security program. Risk involves managing the balancing of risk and available resources, while security must focus on securing the information. There's also attention in the risks and legal requirements that mandate some of them to be acted upon, whether the institution wishes to do so or not.
Finally, the report also talks about the options for risk assessment tools and the methodologies that can be used when managing security, risk and compliance from NIST to ... COSO and ISO. The options are many and while daunting at first, they certainly play a key role in how a program can be assessed and proven once it's up and running.
CISO's Evolving Role
FIELD: Given the report and your own experiences - as you say, you've been the head of information security at several organizations - what's the message about how the CISO's evolving role is developing?
SHERRY: Certainly it's recognized and it's evolving, and I think the message for all of us is to embrace it. Security has worked hard to establish relevance in the enterprise, and the recognition that a company would want the security function to take on increasing responsibilities is a humbling and exciting one. It validates the actions and the thinking of the security discipline that we have been developing as a community and establishes the function as a business one, in addition to a technology one. That's a great evolution for us.
The evolution also highlights that security is really about managing risk, and CISOs are really risk managers at their core function, whether it's architecture, compliance, privacy, records management, business continuity; you can throw in disaster recovery. It's really all about identifying and managing the risk posture of the enterprise. That's where I see security evolving towards.
Trends in the Coming Years
FIELD: Let's look ahead. Where do you see the CISO role headed over say the next three to five years?
SHERRY: In the near term and hopefully into three to five years, I see the CISO role completely transitioning to the risk and governance area. Certainly, this does not eliminate the IT security needs and responsibilities. That will always be necessary and always be an important area to the success of an organization.
However, I think the CISO can manage the risk of an enterprise - or in my case a university - by setting the proper program, policies and processes that are necessary under which a nested IT security mission can be fulfilled. By establishing one person who thinks of the compliance, risk and security needs holistically, the areas responsible for the day-to-day operations of utilizing the controls and the assessments will have better leadership and direction from one person, one area, and reduce or eliminate the tensions that can sometimes be in conflict or that can be a conflict within separate functions if they are not looked at holistically.
Necessary Skills, Tools
FIELD: What would you say are going to be the tools and skills necessary for the role to get where you just projected?
SHERRY: I think the new CISO needs to have C-level type skills. These include polished communication skills to talk with board and corporate-level senior managers, business plan development, finance and ROI, legal and audit knowledge and understanding, risk assessments, mitigation and even things like transference mastery. It's almost like an MBA approach in dealing with the business.
In addition, this new breed of CISO must have leadership, vision, the power of persuasion and a full business mindset to set the story told in a proper context. Security in the past was considered a place where ideas really went to stop, and CISOs now have to create an environment of complete support and stand behind a reputation where they're not really there to hinder business practices and processes, but to securely enable anything that comes across their plate.
Finally, I think the CISO must be knowledgeable in the solutions that are available to help them in the mission, including things like risk registers, assessment methodologies and what I mentioned before, the frameworks that are available.
FIELD: What do you see are the challenges that CISOs might face in this evolution?
SHERRY: The business challenge is going to be some push-back. Establishing security as a key partner would certainly enable additional responsibilities to be accepted more easily, but getting to that point sometimes can be hard to show the need and show institutional value. The CISO, I think, also needs to be aware of the danger of focusing and speaking in deep technical terms. As it moves up to speaking towards corporate-level members and board-level members, we really have to worry about the technical terms that we use and talk more in business terms. Certainly, we should not lose those skills, but remember the audience, and context is a necessary recognition.
Also, I think one of the challenges is going to be tension from technology teams, entrenched business processes that have been there for years, maybe from the necessary finances that are needed, and the question of "why" sometimes. Why do we need to do this? Setting some small wins, setting manageable targets and understanding the impact to the organization and decisions we make will certainly aid in overcoming this.
Managing Information Security, Risk
FIELD: At an educational institution, you're in a great place. What would your advice be to CISOs to help them better manage both information security and risk? What are they going to need to do?
SHERRY: Use your talent and use the knowledge that you've built up as security experts. Build on the success that you've had and that you've already created as a security practitioner, and embrace this new opportunity. Understand the connections and similarities that I see and I think most security people see now between security and privacy and compliance. Think holistically about solutions that can support and aid in all the areas that a CISO might be responsible for going forward and be excited about the opportunity that's being presented to us. It wasn't that long ago we were seeking relevance as a discipline, and now we're being considered for an expanding role. That's a really cool place to be in. I see CISOs being at the vanguard of our changing role, and certainly there are questions. I suggest to people to seek out their peers, ask what others are doing that have been a success or sometimes, more importantly, ask what they have done that has been a failure.
It's really an exciting time to be in security and in a CISO role, whether it's in an educational institution or not. I imagine that if we were to have this similar conversation in two or three years, we'd be looking back with pride at how the security discipline has evolved and matured, and probably at that time embracing the next wave of challenges as well.