Executive Training for Security Leaders

5 Time-Efficient Tips for Keeping Up with Industry, Tech Trends
"My job is to make tough business decisions impacting IT security controls, processes and collaboration," Congdon says. For instance, he recently had to remove the company's Acrobat and Adobe Reader applications because of known security flaws that could otherwise be used by attackers to take control of vulnerable systems within Red Hat.
"I had to understand the nature of risk and level of acceptable and unacceptable risk involved in my decision here," he says. "At the end of the day, my efforts are all directed at reducing risk and enhancing IT security for the organization."
A significant aspect of his role involves executive training for other senior leaders on the social impacts of IT security, including monitoring social media interaction and initiatives, how social engineering attacks can take place, and responding to security incidents or emerging threats.
Kris Herrin, chief technology officer at Heartland Payment Systems, the fifth largest payment card processing company in the United States, plays a similar role. He is frequently involved with merger and acquisition opportunities, and as such must understand the risk posture and impacts to effectively perform his job.
"What are the IT risk trends? How do I gauge the risk tolerance of the organization to correctly present to the board?" says Herrin, offering examples of the discussions he has regularly with C-level peers. "Our conversations are all based around risk."
It is, therefore, imperative for leaders such as Congdon and Herrin to stay current on the latest risks, threats, trends and solutions.
On the Job Training

So, how do senior leaders keep up with all these changes - and then share the knowledge with their teams? Not necessarily through traditional means.
"In my experience, senior executives do less in the way of formal training," says Congdon. "We just don't have the time for such initiatives."
Instead, Congdon finds that senior executive training is a combination of team and organization effort. At Red Hat, the company invests in annual and quarterly training for executive leaders, spanning from discussions of strategic risk management to emerging threats and social impacts of IT security.
Red Hat also establishes partnership programs with associations such as ISACA, SANS Institute, the United States Computer Emergency Readiness Team (US-CERT) and prime vendor companies to educate the leadership team on the threat landscape and emerging tools and technology. At least twice a month, leaders attend information sessions presented by these organizations to educate them on upcoming trends and risk factors in emerging technologies.
Red Hat promotes internal collaboration of business and IT leaders on a daily basis, encouraging active participation on internal forums, email alerts, informal lunch discussions and chat sessions. "A key to executive training is to partner with business leaders effectively," says Congdon. "As a CIO, I have learned to pick key points with my business counterparts and understand the risks from their perspective."
In the Adobe application case, for example, Congdon reached out to business leaders to understand the impact of pulling the applications.
Another key avenue of learning is his immediate team, which provides updates and education on critical IT security issues. Congdon routinely meets with his reporting officers, including the director for information security, to understand key undertakings and initiatives involving IT security.
"I depend on my team to provide me in-depth advice on the security nuances of a particular technology like encryption or biometrics," says Congdon. He holds daily meetings with his key team members, who educate him on issues such as how the company should approach implementing policies on mobile applications or cloud computing.
At Heartland, the company heavily promotes external participation at conferences, industry forums and groups for executive leadership training on cybersecurity. Herrin cherry-picks events he wishes to attend, including the RSA Conference and Gartner's Security Symposium, which attract a broad range of people who are active executives wanting to know what's new and what's coming up. "At our level, it's really all about peer transfer of knowledge," he says.
Herrin also spends time networking with executives at industry specific forums such as the Financial Services Information Sharing and Analysis Center and the Payments Processor Information Sharing Council, which talk about the whole spectrum of risk, current threats and pertinent security-related issues for senior executives within the industry. In addition, he invests in quick one-hour webinar sessions on high level topics such as governance and risk management offered by targeted security publications and organizations.
Learning Tips

Congdon and Herrin's advice to executive leaders for training on IT security issues includes:
- Participate in Industry Focused Symposiums that cater to the specific needs of executive leaders in defining IT security and risk matters from a more strategic level.
- Build Collaborative Teams that are required to meet at least monthly to coordinate and communicate on IT security and risk issues. This team should include senior management from human resources, public relations, legal, IT and security, the chief financial officer, chief risk officer and other key business executives.
- Hire Smart Folks that can help others understand how the specific IT security risks fit together into the broader organization. "As leaders, we need to ensure we hire the right people we can depend upon," says Herrin.
- Establish Partnerships with internal business units and external parties such as vendor companies and relevant associations to gain more awareness of possible security collaboration tools and technology. "Our training includes seeing things from the business perspective and relating to emerging trends," says Herrin.
- Read Targeted Publications including those from the SANS Internet Storm Center, US-CERT guidelines, SecurityFocus, BITS Financial Services Roundtable, and others to keep updated on industry trends.
"The impact of executive training on IT security is about owning the responsibilities, sharing accountability and balancing the risks," Congdon says. "Ultimately, learning at this level is internal and focused on partnering with business leaders."