Information security executives need to be strategic thinkers

George Baker is the Director of Information Security at Exostar. In this interview he talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, discusses BYOD, and much more.

How have your previous positions prepared you for the challenges you face as the Director of Information Security for Exostar?
I’m not sure you’re ever fully prepared to face the challenges associated with information security because the threat landscape is so dynamic. I think what’s most important is a mix of strategic planning, technical, and analytical skills so that you protect the organization as much as possible proactively, and are able to respond agilely and effectively when the unexpected befalls you.

I’m fortunate that my background has helped me build the appropriate perspective. I received my degree in international politics just as the Internet was taking off. As a result, I immediately was able to apply my planning and analysis mindset to technology. I spent a decade focused on Enterprise Resource Planning implementations, B2B eCommerce consulting, and design and operation of private cloud solutions. These positions gave me the strong technical foundation I needed to make the move into security, where I’ve focused my career for the last 7 years. The mix of a non-computer science education and practical technical experience has proved invaluable as I help Exostar navigate today’s advanced threat environment.

Based on your experience, what are the essential qualities every information security leader should possess?
I think information security executives need to be strategic thinkers, understand the underlying technologies, and be able to calmly and practically assess evolving scenarios. The reason I believe this is that most security challenges inevitably occur at the intersection of people, process, and technology.

Being a technical guru simply isn’t good enough. Neither is being a good manager who lacks the technical depth to properly address situations. The key to a business’s success is its ability to focus on effective security beyond the traditional IT compliance silo. That’s especially true for us at Exostar, where we deliver Software-as-a-Service (SaaS) in the cloud for customers in industries including Aerospace and Defense (A&D) and Life Sciences. We face the double whammy of not only protecting our own systems, solutions, and information, but also those of our customers. As you might expect, these customers are concerned about issues such as regulatory compliance and protection of their intellectual property. Security is an essential element of our business and a market differentiator. What I think serves me best in my role is persistence and a solid understanding of the fundamentals.

How do you properly assess the complete risk posture of a large organization? What specific setbacks come from BYOD?
In many ways, large organizations are no different than small organizations – they both are subject to threats and must account for vulnerabilities. How risk is mitigated may vary minimally; the biggest difference is that solutions for large organizations must be able to scale.

The bottom line is that every organization faces common and unique sets of risks, and every organization defines its own levels of risk tolerance. The risk posture and corresponding security initiatives must be calibrated in that context.

The approach I advocate is to start by bringing all internal stakeholders together in a collaborative forum. I think it’s critical that information security leaders find a way to provide visibility throughout the organization and get communications flowing so they can build a collaborative spirit and obtain buy-in from all impacted parties. Together, the group can identify the organization’s “crown jewels,” be they systems, applications, or information. They also can best determine where the “third rail” issues reside that would create unacceptable consequences should they come to pass. With this information in hand, you can prioritize the risks and focus on solving the issues.

BYOD adds a layer of complexity, no doubt. Everyone recognizes it brings benefits and drawbacks to the table. That said, its adoption is inevitable in most organizations, so I think you should sensibly embrace it instead of battling it.

BYOD drives a change in the way we think – we must be laser-focused on protecting our virtual assets, because they will reside on a growing number and variety of devices that are not exclusively under our control. For me, that means taking extra precautions in close proximity to our intellectual property crown jewels, while empowering employees to leverage BYOD as much as possible to maximize their productivity.

Is it realistic to expect an organization will get ready to address all potential security risks? How much preparation is good enough? How do you tolerate risk?
Unlike the physical battlefield, cyber warfare is changing far more rapidly, with an unlimited number of permutations and combinations. There are so many more points of vulnerability, and the science is advancing at lightning speed. So, addressing all potential security risks may be outside the realm of possibility, but you have to try. This is where the value of building a team of stakeholders who can collaboratively prioritize the risks comes into play, so you can best prepare for the most likely scenarios.

My mantra is, “Don’t become complacent.” Challenge yourself and your organization to move outside of your comfort zone. Static defenses like the Maginot Line didn’t work in the 20th century, and their cyber-security equivalents will suffer a similar fate. Be resilient and always maintain a forward-leaning security posture.

There’s definitely a cost vs. risk vs. impact tradeoff. If the risk and/or impact of a threat are infinitesimally small, and the cost of preparation and prevention exorbitantly high, you may make a conscious decision to focus your resources elsewhere. You tolerate this risk by understanding that you have limited budget and personnel, and you’ve targeted them to those areas that you’ve identified as being more likely to occur and/or more impactful if they do come to pass. Here’s where the strategic planning, technical excellence, and first-class analytics of our team at Exostar give me the comfort I need to sleep at night.

How important is security awareness? Do you believe in employee training?
I take a bit of a paranoid perspective – everyone in our organization is a target, and trust from the outside must be earned and consistently validated. My goal is to convey a similar posture to all Exostar employees. Security awareness is vital at all times; otherwise, our business becomes vulnerable. I want our employees to recognize that threats such as malware and social engineering are adaptive. That means everyone constantly must remain vigilant. It is frequently the vigilant user that spots an anomaly before it becomes a real issue.

I absolutely believe in employee training. Every new hire gets to spend some quality time with me. I personally deliver training so individuals not only understand our policies and procedures, but why we have put them in place and what might – no, would – happen if they didn’t exist. In addition, every employee must attend training updates on a regular basis, because our approach is constantly evolving as we strive to stay a step ahead of the changing threat landscape.

Training should be more than just a box-checking exercise with a slide deck. I think this individualized, face-to-face security training allows everyone to better connect with the business, and that leads to better outcomes for all of us.