Giving Non-IT Execs Onus for IT Risk
Oregon CISO Theresa Masse on Agency Directors and IT RiskThat's something Oregon Chief Information Security Officer Theresa Masse is changing, working with agency directors in state government to get them actively involved in assessing the risk their IT systems face.
"Agency directors tend to think of information security only from a technology perspective, so we want to help them become more engaged in understanding that protecting their info assets is an executive leadership responsibility. and, it's not appropriate for the IT management to determine risk for that agency," Masse says in an interview with GovInfoSecurity.com (transcript below).
"It's important for us to insure that executive agency leadership has information security and the protection of information assets on their radar screen, Masse says, "and that they have it in perspective with all of the other types of risks that they deal with on a day-to-day basis, and determine what's acceptable from the information security perspective."
In the interview, conducted by GovInfoSecurity.com's Eric Chabrow, Masse discusses:
- Steps the state is taking to engage non-IT managers in IT risk decisions.
- Workshop and forums being developed to get buy-in from agency leaders.
- Improving communications between non-IT managers and IT security professionals on information risk.
Masse has been Oregon's CISO since 2004. Previously, Masse established the information security office at Oregon's Department of Human Services, the state's largest agency. Earlier in her career, she served as director of corporate and information security at engine maker Cummins Inc. Masse holds a master's degree in management from Webster University.
ERIC CHABROW: As CISO, you're looking into training and educating agency heads, the people who run the various departments and agencies in Oregon, with understanding the risk of IT and IT security, enterprise risk management. You want them to look at this as they assess other types of risks. Tell us something about this initiative and why it is important for agency heads to look at IT security risks as they would other risks?
THERESA MASSE: Agencies directors tend to think of information security only from a technology perspective, so we want to help them to be more engaged and understanding that protecting their information assets is an executive leadership responsibility. It's not appropriate for the IT management to determine risk for that agency. It is important for us to ensure that executives agency leadership has information security and the protection of their information assets on their radar screen, and that they have it in perspective with all of the other types of risks that they deal with on a day-to-day basis and determine what is acceptable from the information security perspective.
CHABROW: You are preparing a survey now to assess what in regards to their understanding of risk or of information security risk, what is being done in that respect?
MASSE: We often ask them from time to time to do a number of different assessments. Certainly one of them is doing a risk assessment that we have within our enterprise information security policy; they need to conduct a risk assessment every year. Many of them struggle with understanding what exactly does that mean, what do I need to look at? We're developing an agency risk help assessment tool that has a variety of questions in it, including risk about other areas within their organization. We want them to go through the exercise of completing that questionnaire, returning the results to us, which will give us an opportunity to see where are the major gaps for the various agencies [exist] so that we can develop programs or some type of education to help them become more mature from an information security perspective.
CHABROW: Do you have a timetable of when you would like to implement this?
MASSE: We're hoping that we're going to have it out early in [2011]. [In late 2010], we just had a draft copy of the assessment tool, so we're going to be sending that out to some of our key stakeholders so they can review it and give us feedback, make sure that it makes sense. If they have any outstanding questions, how can we make it as easy as possible for the agency directors to complete? Then, we will have a variety of workshops and forums, where we will go through the questions with the agencies so that they have an understanding of how they should respond to it, what are the types of things they should be thinking about. So, when they actually receive the survey, it will probably be hopefully second quarter [2011]. We will take probably the first quarter to do our education component.
CHABROW: How do you see this process making IT systems within the state of Oregon's government more secure?
MASSE: I think the questions that we've incorporated into the survey will hopefully give the agency directors a variety or areas that we want them to focus on so that they become more familiar with where their agency is. When we receive the results, it will help us to understand where some of the gaps that we need to address from an enterprise perspective.
This is the first year that we're conducting it. I'm sure agencies will be perhaps a bit uncomfortable in going through the process, because this is the first time they've done it. But I hope over time that they will begin to see that this is a very useful tool in keeping them updated on where they are, where the areas are that they need to focus on, and the progress that they are making over time.
CHABROW: Can you provide some examples of hesitancy on parts of some of these agencies in taking, what you would consider a legitimate risk, if the appropriate safeguards are put in place?
MASSE: My biggest concern is that the agency leadership, at least, because they haven't been, at least most of them, as engaged as we would like them to be, don't really understand what risks they are incurring, particularly not being compliant with state and federal laws. If they really don't understand what information they have, where it is, and how it is being protected, then they probably don't most of them have a good understanding of what federal and state laws they need to be compliant with. It makes them very susceptible to, perhaps, incurring some kind of breeches, etc. and so we just want to raise the level of awareness amongst the agencies, and also so that they are completely an annual risk assessment, which will help to keep it on their radar screen and help them to track hopefully they are progressing as far as their information security posture is.
CHABROW: There are things such as new media out there, a use of social media or the use of individual employee devices having access to government systems. Please address how managing risk addresses these concerns?
MASSE: We have an enterprise acceptable use policy, and it provides a fair bit of flexibility for each of the agencies to determine what is appropriate within their particular organization as far as allowing employees to use state-owned devices or the state network for conducting personal work, for determining whether they are going to allow them to go to social networking sites, etc.
We certainly understand and believe that it is appropriate for agencies to make that decision, based on the business that they happen to be in. What makes sense for them. However, we believe that going through this annual risk assessment will help them to think about some of these areas more from a risk perspective then just well, should we allow employees to do this or should we allow them to do that, etc. Always considering and bringing it back to the question of risk, and then what is acceptable for their organization. That varies depending on the agency. We don't want to take that away from the ability to do that, we just want to ensure that all of them are brining it back to the question of risk and what is appropriate or acceptable.
CHABROW: Do you have any sense on how agencies will react to this?
MASSE: I hope that the agencies will find it useful. We have no reason to believe that they won't. Most of them are struggling with being compliant with our policy that says they need to do risk assessment because they don't really know what that means or what type of questions to look at it or how to go about it. This will provide a standard and consistent tool that they are able to use, so I think that they will find that helpful. It will also give many of the agency directors more insight once they've completed the risk assessment about where their agency is, and will we will provide feedback to the agency, not only letting them know where they are, but also probably giving them some sense of where they are compared to the other agencies. If they have not been looking at it from a risk perspective, and they need to start doing that, then hopefully that will help them as they go forward.
CHABROW: How would you know if what you are attempting to do is successful?
MASSE: W have done surveys in the past for agencies and they have focused on compliance with the state policies and standards. We have some idea about where they are at, but this is a little more comprehensive then just asking them whether they are compliant with our policies and standards.
The agencies will find it helpful, because it will give them a standard tool to use and they will find the information helpful as they go forward. Part of our enterprise policy is that all the agencies have a security plan and that they are documenting their plan and making progress on it. We're also using as part of the assessment tool, we are using the Carnegie Mellon Maturity Model. All of the agencies will be using the same rating score. This is the first year that we're using this particular tool, it's just going to form the baseline of information that we have at the enterprise level, but it will give us an opportunity to see as I said, where agencies are from an information security perspective and then help those agencies that are more behind the curve or depending on where they rate on that Carnegie Mellon Maturity Model.