The CSO perspective on risk management

Candy Alexander is the CSO at Long Term Care Partners and volunteers as a member of the International Board of Directors for ISSA. In the past, she was invited to the White House to speak on the importance of security awareness to the President’s Cyber-Czar staff, and she has held several positions as CISO, in which she managed corporate security programs.

In this interview she gives a CSO perspective on the importance of risk management, threat mitigation and security awareness.

Companies are increasingly aware of the benefits of risk management. What’s your take on risk management’s goals within an organization?
In setting up risk management programs, I like to keep things simple – that way they get done. The goals are to identify real risks to the important items within the company, mitigate the risks and continuously monitor the environment.

It is more than running a vulnerability scanner and addressing all of the “critical items”. It is talking with the business to understand what they consider critical to their operation, and then focusing on the areas within the environment where the “important things” are. A risk manager needs to be a translator, if you will, between the business, which knows what’s important to the company, and the technology support side, which applies the safeguards and mitigation.

Is risk management a desirable career path? What can aspiring CSOs expect?
That’s an interesting question. I have been in information security for 25+ years and have seen the profession morph over the years and branch out into different specialties. Risk management is what old school information security folks have been doing for years: security management.

So, it is desirable – you bet! It has been an unbelievable journey and only gets better. As for what aspiring CSOs can expect, that’s easy. It’s the same thing but only different. People will always have motive to do “bad things”, businesses will always need to be safeguarded – the thing that is different is technology.

My advice to aspiring CSOs is to be flexible and stay on top of technology and how it is being used. Take for example the whole BYOD thing. Many security folks were in denial that BYOD was being used within their environments, and then they see things like their CEO using a mobile device in a meeting. You need to keep your ear to the ground and know what’s going on as quickly as possible. Build trusted relationships with as many people as you can – oftentimes I have found out what’s going on from my “informal/off the record” conversations.

Is it realistic to expect an organization to get ready to address all potential security risks? How much preparation is good enough?
No, it’s not realistic to address all potential security risks, just as it isn’t realistic to be 100% compliant. If a risk management program is going to be successful, then you need to be realistic and protect what matters. How much preparation is good enough is all up to how much the business is willing to lose if something were to go wrong. Would they be able to sleep at night with the investment that they’ve made in protecting, monitoring and mitigating the important things? Only they can answer that.

What’s your take on security awareness and employee training?
It is a necessary evil. The reason I say it is evil is that many folks believe that posters, online training and things of that nature are good enough. Let’s face it, people are the reason why we need security. Many times I have performed investigations of internal incidents only to find that it was a user error.

People need to be provided the security awareness and training that pertains to their job function. People get overloaded with information as it is, so providing security messages based on role or function is key. A consideration is to be sure to provide examples of “why” it is important. People want to do the right thing, so if they know why they must use a certain safeguard – they will. Another tip is to provide messages that people can personally relate to and then remind them that it is the same “at work”. For example, the week after Thanksgiving many people start their holiday shopping online. I use this opportunity to remind folks how to protect their information, and by the way – they should use the same practice at work.

What lessons have you learned in your current position? What advice would you give to other CSOs tackling the issues surrounding risk management?
One of the business lessons I have learned is to keep building relationships with people. Get to know what their goals are and what their business processes are. Once that is understood, a realistic risk assessment can be done.

Another important lesson has been that security messaging may not always be accepted in the corporate culture. So, divide and conquer. Identify the key stakeholders and how the security message will improve their area. Try to think of what their objections may be and be prepared to address them. It is all practical business sense, but many of us in information security have been technically trained, not business trained. I would say that we as a profession need to get on the fast track to get into the business rather than being a bolt-on… Something that we’ve been trying to do for years, and now’s the time to get to it.