Tuesday, November 23, 2010

Conversation with a Financial Services Chief Information Security Officer

I recently shared a very informative conversation with a financial services CISO. This was my first opportunity to interact with this CISO. He immediately struck me as someone who “gets it,” and I wanted to figure out as quickly as possible how this person became a successful CISO. There is no easier way to find out such a thing than to ask!

“When I joined my most recent company, it was my relationship building with business units, legal, privacy, compliance, and corporate security that made the difference. The first thing I did when I arrived there was to meet with the “players.” It was amazing how much the “players” did not know about protecting information and how regulations played into the grand scheme. I guess that's why I ended up there.

The challenge with relationships is that they are like plants. To have a plant flourish, it needs proper care and feeding. You first need to plant the seed, which is as simple as putting the thought in a person's head about what could happen to the company's brand and image if they had a breach or regulatory violation. As that thought grows, you need to carefully watch it and help the person understand the evolving landscape (i.e., the headliner of the day). The continuous heads-ups regarding headlines are like fertilizer. It sure can make a plant grow faster.

Over time, if you ignore the plant or deprive it of water and sunlight, it can die or grow in ways and directions that you may not want. And then when weeds enter the picture, if you don't pluck the weeds (i.e., noise makers), the plant can be overtaken and all the hard work of raising the plant goes away.

The battle with information security is not in technology alone. It's the lack of rational risk-based thinking. Also, the inherent fear of brand damage clouds people's judgment. Don't get me wrong, I'm not advocating that people shouldn't be fearful, but rather, like all business decisions, they need to assess the risks against the costs. And they must realize that there are no guarantees in security, just like there are no guarantees in launching a new product or service. In short, it comes down to the art of risk management.”

What you just read is one Chief Information Security Officer’s point of view when asked what has made him successful in his career and at the CISO level. I've asked this CISO to share his thoughts regarding what he looks for when recruiting to fill information security jobs and risk management jobs. If he shares these thoughts, I'll share his answers in a future Security Recruiter Blog post.

