Key Elements of Risk ManagementISSA's Debbie Christofferson on How to Manage IT Security Risk
In an exclusive interview, Christofferson, who currently works with the State of Arizona, discusses:
- How to manage IT security risk;
- Elements of a successful security risk strategy;
- Current trends that impact careers in risk management.
Christofferson has more than 20 years of IT and security management experience, in a Fortune 500 environment, across the U.S., Europe and Asia, with Intel Corporation and the Apollo Group, and currently supports the State of Arizona's Security and Privacy Office. She's earned CISSP and CISM security certifications. She serves as a Board Director for the Information Systems Security Association, and Chapter President of Phoenix ISSA.
TOM FIELD: You've been in the business for a long time. Now why don't you give us a little bit of a sense of what your background is and the areas that you've worked in your career?
DEBBIE CHRISTOFFERSON: Well, I've worked most of my life, my career life in IT before, and I worked at Intel for twenty years in IT and security program management leadership. My last 20 years pretty much have been focused on information security. I've done almost everything in information security, although I'm not a super-techy like some of the real technical pros that we get the pleasure of working with. I've been a manager most of the time. I worked for Intel Corporation for many years. I left Intel and started my own business in 2001. I worked with Apollo group for the University of Phoenix almost two years, and recently I've been a contractor and information security consultant for the state of Arizona currently. I am working specifically information and risk management right now.
FIELD: Well, Debbie, let's check out the topic we brought up front. I think everybody has a sense to themselves of what risk management is. From your perspective, how do you define risk management in the context of security and, as you say, in organizations' business?
CHRISTOFFERSON: Well, when it comes to information security, anything about our job in security is about risk, so all your decisions around information security should be based on risk to the organization. So from an organization or business standpoint, risk is how much can you afford to lose if some event happens. So, it doesn't matter if it is disaster recovery planning, whatever it is for your organization and from a security standpoint -- what does it take for your business to remain viable and so that you don't have outages or disruptions to your business to impact your bottom line or your ability to stay in business and be successful? So, from a risk standpoint and a security standpoint, all decisions about security should be strategic and based on business risk, not our opinions on what technology we need to have in place. A lot of security is based on technology, but it's really all based on what your specific business risks are.
FIELD: You've been in a number of different types of organizations. We speak to financial institutions, healthcare organizations, government agencies -- what do you tell these people about how to manage IT security risk. There have got to be some common elements there?
CHRISTOFFERSON: Well, automation is one common element, but if you define what your risk is to your business and then you go out, you create a strategy based on working with your business, you need to collaboration with your business leaders, so that you really understand what your organization's business is and what are those risks relative to security. One of the things we do today is the compliance hammer because we have so many regulatory requirements, but that is not always successful. We do have to comply to mandates in the fields we work in. You need a strategy and a road map, and you need to decide what your priorities are to manage the highest risk first to your business, and that is never in a vacuum. That is always with management input and your stakeholders' input from the business. That is why, whatever you do, you have to understand that first. And then automation is a way to achieve that for policy compliance, especially as it complies with IT organizations. Where you look for solutions so you can automate what those security solutions are. But you also have the behavioral element inside and outside organizations, too, that you have to focus on, so nothing can just be a pure technology decision. But if you don't have the technology in place and automated you, you lose a lot there coming in the door too.
FIELD: Now you talked about a security risk strategy. To put together a successful strategy, what does that involve?
CHRISTOFFERSON: Well it involves first of all identifying what your core business is, and if you know that -- great. Some people, depending if you are coming in new, you may not be fully aware of what that is. What the core business is of the company. And then so what are the business drivers, and then what are the things about your business that are going to depend on security? What are the ways security interacts with the business that is going to make a difference or not? So, then you're going to look at what your risks are in your environment. And you can do this a hundred different ways, but at a high level, you might look at what audit findings you might have had in the past. You would interview business leaders and senior management on what they feel like the risks are. You can take the strong man approach and jot down some things based on what you see and think, and then you go out and you collaborate with the people in the organization that are stakeholders to verify those and to prioritize them, because you're not going to be able to do everything. So that is the start of a risk management, before you even look for what a framework might be at the most strategic level. People probably jump in with two feet before they even get this far with a lot of the models they talk about and over-analyzing things to death. Some of those are in the execution stage, not when you are really trying to put a plan in place.
FIELD: Now I think there might be a philosophy out there too, a wrong way, that one size might fit all. Risk management really isn't a strategy you can buy from somebody is it?
CHRISTOFFERSON: No, and there are a lot of people that are selling it per se, but no one size does not fit all. You might be able to find a one size fits all when you look at the strategic level on what your approach is, but even when you define what it means for your organization. It is very different. For instance the Somali piracy that has happened with the ships on the African coast. When there is piracy, that is a risk decision for companies to take whether or not they're going to transport their ships along that line. That does not have to do with us in information security, but it is definitely a physical security decision. If they take their ships around the other way, it costs them way more. The number of ships that are hijacked and the number of violent incidents are really, really low. So when you look at the numbers from the risk decision, those companies are making a conscious risk choice to do business that way anyway. So, the thing about security when we look at what these different models are and how we define risk, one size does not fit all. It is really what you need for your business. A hospital that is handling healthcare records needs more than some of the other kinds of business, so it depends on what data you need to protect and what your core business drivers are. So there is not one size that fits all, but there are a lot of people trying to sell it that way. And some managers, if they come to you and ask for a risk solution or a one size fits all, you have to be able to know about their business to ask the right questions to help support them. Because sometimes what they tell you they want is really not what they want. There are a hundred different definitions for risk management means.
FIELD: Debbie, let's talk about trends. What do you see as some of the current trends and what do you foresee as trends that will impact security risk for organizations?
CHRISTOFFERSON: Well, security risk changes as technology and as the globe evolves. So, technology risk is always going to be a risk, because there is more technology coming out from an IT standpoint than we can support. Like social media and the malware moving to social media now, cloud computing, virtualization and what that means. So these things always change. So virtualization and social media and cloud computing are the big things now from a risk standpoint, and maybe a couple of years ago you would have been hearing about wireless devices and portable devices, and those are still big risks because we still lose Blackberries that aren't protected with internet with email on them. But from a standpoint of going forward, those are going to continue to be -- they'll keep up with us and from a technological standpoint, more merging of devices, more external databases that are exposed on the network without protection. There will be more automated solutions to address those so from a technology standpoint.
From a management standpoint, there will be probably be more merging, and there already is in some cases. Some security officers or managers report to a risk officer of a company. So it's evolving to a more risk-based. I really think security is probably evolving to a risk-based function more. There is a lot of risk there because it's kind of hidden and people don't really know what it is, but we move ahead.
FIELD: Let's talk about career opportunities, Debbie. For someone that wants to get in to the field today, and we know particularly in government there are lots of opportunities in healthcare there are more opportunities. How would one go about building a career in risk management?
CHRISTOFFERSON: Well, there is a certification now, at least through one organization -- you can get a risk certification through ISACA. So you can get a certification. That will make you more marketable, but I think there are opportunities right now if you focus strategically. There are enterprise risk managers, so if you wanted to look at enterprise risk, do they have recovery fees into that if you wanted to be a leader in that area? That is definitely risk management in its enterprise basis, not necessarily IT-based although it can be. There are big time opportunities all across compliance. I talked about the compliance hammer, but audit managers, audit directors, compliance. There are a lot of compliance analysts now. If you like that kind of thing and disaster recovery definitely is in that space. If you like the physical security space, counterfeiting is big business these days, organized crime is huge, the trends in organized crimes, so you have opportunities in areas in the federal sector that you might not have seen before. There are a lot of job growths in the federal sector in that space. So I think that at the "C" level, this is getting a lot more prominent. There are opportunities in the "C" space for corporate risk officer, corporate privacy officer that we didn't use to see in addition to the ones that are in the audit, in the compliance and audit space.
I mean, locally here for instance in Phoenix, Charles Schwab is here, and they've had a lot of job openings for compliance analysts, and those are in the IT space. American Express is here, and it's another finance company. So you see a lot of that for the business drivers in what the career opportunities are. Apollo, they had an Enterprise Risk Officer and it was a new position too.
FIELD: Just one last question for you. If you were to sum up your advice and someone came to you and said, "I want to pursue a risk management, where should I start?" What advice would you give to someone starting out in that career today?
CHRISTOFFERSON: I would probably go have them talk to the IT audit director for the company, whether it was an insource or outsource company, and offer to maybe if they have the background in IT to understand what it is, I would send them to consulting companies, because some of these companies that provide outsourcing support, they are good starting places for people if they have a basic background. Because a lot of the risk management functions today, not when you call somebody and they supply you with an officer, they are in some of these consulting firms. So a lot of the consulting companies have had cutbacks in the last few years with the economy, but that is where a lot of the growth currently is in those positions. So, some of them are permanent hires that belong to the consulting company, and some of them are third-party subcontractors. There is a lot of demand for that, and there will be a lot of demand for that in the coming couple of years too. So I would put them in touch with those two pieces and talk to people that work in that field, and in fields like banking, Wells Fargo has a big corporate information security center here in the Phoenix area, and they are a big branch, so that's finance and the healthcare industry. So I would put them in touch with the places where they had a lot of demand for that, and where you would be expose to that risk side of business to talk to them about how you get into that specific field, and how you gear your experience that way.