Leadership Profiles: Incident Response

Lessons Learned from CISOs Who Survived Breaches
In 2006, Patrick Howard, then chief information security officer at the Department of Housing and Urban Development, discovered that a backup disk containing sensitive and confidential personal information on 757 current and former employees was missing from the department's headquarters.

The password-protected backup disk contained personal data of agency employees, including names, social security numbers and other personal data.

"It was a significant incident," says Howard, now CISO at the Nuclear Regulatory Commission. "What surprised me is the way the incident escalated so rapidly and so high in the organization - I wasn't prepared for that."

Incidents like this one heighten the need for an incident response plan for leaders such as Howard, who can quickly find themselves confronting situations for which they had no time to prepare.

Consider: Within a matter of weeks, we have experienced a slew of high-profile data breaches, including the compromise of RSA's SecurID multifactor authentication tokens, the exposure of personally identifiable information at Sony and e-mail marketing provider Epsilon, and alleged hackers from China targeting Google's Gmail. In this era of ongoing cyber attacks, the need for a CISO and an incident response strategy is paramount.

"A key point to make is that companies can be breached with or without a CISO, but having one improves the company's ability to manage the risk, and if breached, more effectively respond," says Brett Wahlin, CISO at McAfee, a security product and solutions provider.

Following are profiles of three security leaders who survived data breaches. These leaders share their experiences, approaches and challenges from battling incidents that impacted their organizations - and their careers.

Patrick Howard, CISO at NRC: "Being Patient Was the First Thing I Learned."

The incident at the Department of Housing and Urban Development generated significant media attention, and as CISO Howard needed to report the incident to the United States Computer Emergency Readiness Team within an hour of its discovery. The incident resulted from an end-user error: the disk had been left in a desktop that was turned in through a normal hardware refresh process. The disk could not be accounted for, and agency officials believed it had been destroyed, but could not prove it.

Howard's senior managers understood that such incidents could happen, but they also were concerned about the credibility of the agency. What would a newspaper reader or an average T.V. viewer say when the incident was publicized? "It was not a matter of placing blame on me," Howard says, "as much as 'How can we minimize the damage? How can we prevent this from happening again? How can we get all the information we need?'"

In this situation, Howard felt his control slipping, as he was suddenly responding to senior managers who were calling the shots. He had to attend a whole lot of meetings that he no longer controlled. "Being patient was the first thing I learned," Howard says. "You have new people involved in the process that don't know a heck about security, so you have to be patient with them and take the time to explain what occurred, how we routinely operate and what the significant risks involved are."

Career Impact: Howard decided to stay on in his role, as his management was extremely supportive, and he took corrective actions by updating the end-user policies and increasing the frequency of audits. But he also learned that a CISO's response to, and patience with, such incidents is critical.

"What you do in the first 24 hours helps restore confidence in management that you are in charge, you have things under control and have a path forward that can bring things to normalcy again," he says. "As a CISO, if I didn't take corrective action to prevent this from happening again, I would probably run the risk of being [blamed]."

Hord Tipton, CEO at (ISC)2: "I Was Put in a Position Where All My Due Diligence Was Incomplete."

When Hord Tipton became CIO of the U.S. Dept. of Interior in 2001, he knew he would be wrestling with some challenging IT security issues. At the time, the department was facing a class-action suit filed by American Indian plaintiffs, who convinced a judge that their Indian Trust accounts, which are managed by the agency, were mismanaged and not safe from hackers. This was followed by a court ruling that found the department had apparently failed to secure its systems, and as a result of the breach the court ordered the department to disconnect all of its systems from the Internet.

The agency had a rough path ahead: It had to find ways for the 85,000 affected employees to get their jobs done without the Internet. And the agency had to get back on its feet, improve its security posture and raise the ranking of "F" assigned by the Inspector General.

"This was the best position to be in; jobs like this only go upward," says Tipton, now chief executive officer at (ISC)2, the IT security training and certification organization. He felt important and powerful as an IT security leader, as people were totally dependent upon him to restore their work lives. "It was a glorious moment for me to demonstrate my skills and work in getting through the solutions."

Tipton and his staff spent the next four years upgrading systems security, tightening controls and getting all of the Interior's systems reconnected to the Internet. Under Tipton's leadership, the department established sound IT security policies and guidelines, then initiated testing and IT security training programs throughout the agency.

Tipton also took this opportunity to make IT security visible to management. The agency's ranking rose from an 'F' to a 'C+', and Tipton saw a significant increase in budget, from $2 million a year to $50 million, for IT security initiatives across the entire agency. "This was the success point of my career."

But there was a downside. "I could see that they were happy with a 'C+' - this was as good as they wanted to be," Tipton says. As soon as things returned to normalcy, he experienced a major budget cut and a withdrawal of management support, and saw business managers taking more than reasonable risk. "I was put in a position where all my due diligence was incomplete," Tipton says. "I knew I had to be thinking of a career change, and I did exactly that."

Career Impact: Tipton knew he could not progress further in the agency in terms of further improving its IT security posture. "I was very frustrated, but did not make a big scene out of it," he says. "I have always believed in voting with my feet. If you don't like the situation you are in, rather than start a war or turn the boat, I have learned to move on."

Bruce Brody, CEO of New Cyber Partners, LLC: "This Was a Serious Security Breach."

During his first week in July 2004 as the chief information officer for cybersecurity at the Department of Energy, Bruce Brody was informed that classified information involving nuclear research had been compromised at Los Alamos National Laboratory. Two disks containing sensitive information had been reported missing. The disks were "controlled removable electronic media," or CREM, devices that allow a person to download massive quantities of data onto media that can be easily concealed.

"This was a serious security breach," says Brody, now president of New Cyber Partners, LLC, a security consulting company. "We immediately had to put a tiger team in place to figure out what went wrong across the agency, why and what measures we could put in place to prevent this from happening again."

The incident resulted in the shutdown of several national laboratories and a few other nuclear weapons facilities to stop employees from using classified information stored on computer disks, portable hard drives and tapes that could be easily removed from the workplace. Each site also became responsible for conducting a thorough inventory of such items.

"Management was extremely concerned, as the incident made it to the front page of the Washington Times," he says. In this situation, Brody took charge of figuring out what happened and communicated diligently up and down the chain of command, and externally to the oversight committee, to assure them that he had things under control. "I had to be very informative and straightforward with management," he says. "My thorough communication and updates helped in getting their buy-in and approval for our approach to the problem."

Over the next two years, Brody and his team spent considerable time implementing a client architecture solution across the agency that prevented users of sensitive information from removing any information from the computer or systems. It also offered the ability to lock classified information in a separate environment. However, the problem Brody experienced in the agency was a complete lack of authority. As a CIO in the federal space, he saw a major disconnect between authority and accountability. "It appears that the CIO or CISO has a certain level of authority in Congress, but in reality that is not the case," Brody says. "As the Federal Information Security Management Act of 2002 gave no such authority to this office, individuals in their roles as CISOs or CIOs can identify problems, but do not have the authority to actually fix those issues - they need to get someone else's help ahead of the agency."

As the agency's CIO, he could issue policies and hope for compliance, but even issuing policies required the consent of the operating administrations. Brody felt frustrated at the lack of real authority or enforcement and also by a fierce cultural resistance to central authority.

Career Impact: He chose to leave the agency for the private sector because of the disconnect he experienced between authority and accountability in the agency's CIO position. "I left, as I saw that the possibility existed where there could be an incident which would be blamed on the CIO, who had no authority at all at the Dept. of Energy."

ASK THE EXPERT: Do you have a question for these security leaders who have gone through well-publicized breaches and survived? Patrick Howard, Hord Tipton and Bruce Brody have agreed to entertain your questions. Please submit your questions to Upasana Gupta at ugupta@ismgcorp.com. Answers will appear in a separate story to be published at a later date.

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all of Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.