
Rhonda MacLean is the founder of MacLean Risk Partners, LLC. As the former leader of Bank of America’s Corporate Information Security group, MacLean was responsible for the company’s security policies and procedures; information risk management; security technology implementations, including perimeter and internal system defense; cyber investigations; computer forensics; and general information security awareness for the company’s leadership, associate base, and outside suppliers. She is also a member of the bank’s Information Protection Steering Committee.
MacLean has spent more than 20 years in the information technology industry and is an important national voice in the information security industry. Immediately before joining Bank of America in 1996, she was responsible for information security at The Boeing Company, managing Boeing proprietary and government programs. MacLean has also been influential on the larger stage. After many years of service on some of the industry’s most important associations, groups and think tanks, she was appointed in 2002 by the Secretary of the Treasury to serve as the first sector coordinator and chairperson of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security. In that role, she brought together 25 financial service trade associations, utilities and professional institutes, working with Treasury’s private sector liaison to create several important industry initiatives. When her two-year appointment ended, MacLean maintained an active role as chairperson emeritus of the Council and as an advisor to the Congressional Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, in her capacity as a member of the Corporate Information Security Working Group. She also sits on the Global Council of CSOs, a think tank of senior cyber leaders from the public, private and academic sectors.
BM. In a recent article, Dave Cullinane, CISO at Washington Mutual, wrote: “Think about the responsibilities of today’s CISO/CSO. The last time I counted, there were more than 40 domains of security expertise required of a CSO – and that doesn’t include all the business and financial expertise that you need to be successful.” Is the CISO/CSO under pressure – and why?
RM. Pressure? It comes with the territory. A CISO/CSO role by nature has enormous pressure. The challenge is ensuring one stays calm and demonstrates positive leadership whether it’s ‘business as usual’ or ‘in the line-of-fire’. The CISO/CSO sets the stage and others will take their cue from the demeanor and reactions of the senior security executive within the organization.
The role of the CISO/CSO requires multiple skills in today’s complex global business environment. I would compare it to the skills that companies look for in a CIO. You need to be able to understand your company’s business objectives and articulate effectively at all levels of the organization on how the security organization supports them. The ability to effectively work and build alliances across the various business groups within and outside the organization is the key to success. Building and nurturing strong relationships can make the difference between success and failure. This is not a job for a loner.
I believe we are seeing the CISO/CSO role evolve because the job demands broad-based business, technical and people skills. One reason some CISO/CSOs are feeling the pressure is they either lack experience or lack confidence in the business and people areas. Many have grown up through the technical ranks and are experts in security. It takes much more than being the ‘expert in security’; it takes being an effective business leader who can manage relationships and influence others.
BM. What are the key attributes that all good CISOs/CSOs need today?
RM. They need to know their business, know the security and risk environment and best practices as part of the basics. But beyond what we see as skills in many job descriptions, good leadership skills make the difference between those who simply survive and those who really make a difference to their organizations. Some basic examples would be:
These are just a few of the leadership skills a good CISO/CSO should aspire to demonstrate on a daily basis. Strong leadership skills can really make a difference in being invited to the table with other business leaders within their organization. This is where influence starts and results can be measured.
BM. The CISO/CSO is responsible for protecting people, property, information and reputation. How important is technology to this process, and how important is good training and common sense? Is there a “best practice” solution or a set of widely applicable guidelines to improving corporate security?
RM. Best practices start with a simple framework, which is comprised of people, process and technology. It is the effective application of solutions to each of those components against the concepts of prevention, detection and responding and recovering within which CISOs/CSOs must weigh their choices. The graph below is something I’ve used for years to simplify and present a common sense approach to implementing effective solutions to meet the challenges of the complex security environment we find ourselves in today.
Effective application of best practices can be applied in the intersections of this framework. The job would be easy if everyone’s business required the same structure or solution set. This is where a good CISO/CSO can build the right mix with the right solutions based on their company’s unique risk tolerance and business needs. There are plenty of published best practices for CISOs/CSOs to use to help them determine the best application supporting their company’s business needs. Some of these best practices are generic but many associations provide industry specific guidance, which can be very useful for organizations that want to leverage resources already available.
BM. The Institute for Critical Information Infrastructure Protection (ICIIP) has The Security Continuum – a five-stage transition from compliance-based security to commitment-based security. Is the US moving towards commitment-based security, or is security still seen as a cost? How can security be presented and exploited as a benefit?
RM. The work from the ICIIP on The Security Continuum is very good. It provides thought leadership in this area. The goal of transitioning to a commitment-based security paradigm is something that makes good business and economic sense. However this does not mean the concept of ‘compliance’ should be taken away from our risk vocabulary. Certainly, regulatory or contractual obligations for security practices and controls, as well as investment priorities in the security and risk management programs, will align with those requirements. However, the jury is out on whether the US will move quickly towards a commitment-based security model and make the necessary investments in the shared and private networks and systems on which many of our critical infrastructures depend (e.g. telecom, power, transportation, financial, etc.). It is within these critical infrastructures that investment needs to be infused to ensure we have secure, resilient and reliable systems.
Security and resiliency are still seen as a ‘cost’ in most organizations. The industry can continue to use the lessons learned from the ‘cost of quality’ work done in the 1980s and 1990s. Building quality in and doing it right the first time became the mantra of many CEOs. It has stood the test of time and remains at the forefront in the minds of today’s leaders. Security and resiliency affect the bottom line. How well a CISO/CSO makes a clear and compelling business case is essential to guarantee adequate funding is available to effectively manage today’s risk and threat environment.
I have also seen some good examples of how investments in security and resiliency have contributed to revenues. If it can be factually demonstrated that the investments made contribute to revenues, customer confidence, customer satisfaction and competitive advantage, the CEO and Board will take notice. The CISO/CSO must reach across the organization to work with marketing, sales and finance to look for opportunities that may contribute to the company’s products and services.
Making commitment-based security a reality in an organization is just one more challenge for the CISO/CSO. In order to make this happen, remember the leadership attribute: “The ability to present a clear and compelling business case as well as using facts and data to influence others.”
We also need to ensure we don’t just approach security and resiliency from the US perspective. Security and resiliency must be viewed as a global challenge. At the end of the day, we are a global economy with global interdependencies.
BM. Security is vital – but do CISOs/CSOs have a place at the table yet? Can they provide business leadership? And if so, how?
RM. There is no consistency throughout the profession. Those who are speaking the language of the business and demonstrating strong leadership definitely have a place at the table. They are also the ones whose organizations place a value on security and resiliency risk management as part of their overall business strategy.
For those who haven’t made it to the table yet, don’t give up. Here are some strategies that I have found to be extremely useful over the course of my career:
• Make sure you know your company’s strategy and objectives.
• Ask business leaders in your organization some basic questions. What are your challenges in helping the organization/company reach its goals? What is at the top of your mind? From your perspective, how do you view the importance of protecting information, physical and human assets? What would be the impact if information, physical or human assets were compromised (e.g. health, safety, brand, intellectual property)? Is legal or regulatory action a concern for you? Remember: it is essential to ‘listen’ before trying to be understood.
• Formulate an action plan.
• Find a mentor and a business champion.
• Take your place at the table.