CISO Panel: Speaking Klingon to Captain Kirk
This year's RSA Conference was chock full of great content. One of my favorite sessions was the chief information security officer (CISO) panel, hosted by Cigital Inc. CTO and build-security-in guru Gary McGraw. Instead of a whip, McGraw wielded a Star Wars lightsaber (a vendor was handing them out on the exhibit floor) to keep four top security execs moving through a series of "driving" questions.
In answering a question about measuring risk, Gary Warzala, CISO at Visa, argued that, although it was certainly important to measure an organization's vulnerabilities and level of compliance, it was just as important to make sure that risk is owned throughout the enterprise.
"When I think about the technology organization, we hold the majority of operational risks," he said. "We need a process by which we're managing that risk on a daily basis, and then we need to be able articulate that ... But you can't just have the conversation around risk when you're talking to the board; you have to have it across the enterprise."
Google views security as an existential issue, said Eric Grosse, VP of the company's Security Engineering group. It's evaluated based on observed incidents. In fact, the company authorizes internal groups -- on a short-term basis -- to try to break in.
"We have a referee standing by, because they're actually working on the live systems," Grosse said. One side effect of this process is that it makes other employees more alert to potential security issues, he added.
For an answer to the question, "How should the security function interact with executives?" McGraw turned to Howard Schmidt, who served the country's chief executive. The former cybersecurity coordinator for the Obama administration said that the interactions between a CISO and his boss need to be customized, or they can have unexpected consequences.
"One minute you're doing a nice briefing for executives, and the next thing you know, they're subscribing to some list and every virus that comes out has them on the phone saying, 'Is this going to affect us?'" he said. He hastened to add that that never happened with Mr. Obama.
"What you really have to do is to sit down and involve all the business units, preferably in the same room," Schmidt said. "It's almost like creating a disaster recovery plan or business continuity plan, where, if you send out an e-mail asking about priorities, and they're all No. 1. But if you get them all in the same room, you get a better idea of when you need to escalate."
Jason Witty, CISO at U.S. Bank, said that information security execs need to do a better job of speaking with management in business terms.
"We need to talk about things like protecting and enhancing revenue," he said. "We need to change our vernacular ... We don't want to be speaking Klingon to Captain Kirk."
McGraw also asked the panel about which tools they found the most useful in their work, which drew a little groan from Witty.
"I saw a list of information security vendors the other day," he said. "When I saw it, I rolled my eyes so far back in my head I saw behind me … The bottom line for me is that this is a people-and-processes issue, not a technology issue."
McGraw also wondered about how the gathered execs retained good security people. Beyond having "the best recruiter in the business, bar none," not to mention Visa's strong brand, it's the kind of field that attracts people who love the work, Warzala said.
"People in the information security field are what I call digital first responders," he said. "They're the kind of people who run toward a fire while everyone else is running away ... They're not doing the job to make lots of money. They're doing it because they're passionate about it."
Posted by John K. Waters on March 5, 2013