Wise Words From CISOs at RSAC 2015

Posted on by Tony Kontzer

In the first few days of this year's RSA Conference, I made it a point to hear as many information security executives speak as possible. Thankfully, there have been a number of opportunities to do so.

I've always felt that the most interesting stories and perspectives come from customers. They tend to speak plain English because they have to appeal to a non-technical audience. Vendors are much more interested in technical buyers and are always trying to sell something, which tends to get in the way of the story.

If I was a security professional attending RSA Conference, I'd be seeking out these executives to hear their perspectives on everything from best practices and leadership to career development and corporate politics. While there are plenty of opportunities to hear them speak this week, no one can be everywhere at once, although some of us do try!

With that in mind, here is a list of some of the security executives who've spoken at the conference, and a key takeaway from his or her session.

Melinda Rogers, CISO, U.S. Department of Justice
Melinda Rogers was part of a panel discussion on the glass ceiling female security professionals face in the industry. Rogers was asked how, as a hard-charging CISO for a high-profile federal agency, she has managed to maintain a balance between her job and her twin 8-year-old boys.

"There's no magic answer," she said. "I have guilt about not spending more time with them."

But, as Rogers went on to say, there's also no reason that raising children and having a successful information security career have to be mutually exclusive. After all, men haven't had any problem doing so. And the challenge isn't limited to information security, as doctors, lawyers, and other professionals struggle with the same questions.

Robert Buchheit, global head of IT GRC, Zurich Insurance Group
"The thing that really lured me to security was that you've never got the answer," Robert Buchheit said during a panel discussion about what it takes to become a CISO.

Buchheit's comment gets at one of the most important aspects of working in the IT security field. Namely, it's a job that's never done. CISOs can never rest on their laurels, because the second they do, they have to respond to another incident.

Think of it as solving a jigsaw puzzle, only to have the puzzle immediately split apart, divide into more pieces, and morph the puzzle's image. To some, that proposition is irresistible, and those are the people the security field needs.

Justin Somaini, chief trust officer, Box
Justin Somaini joined Buchheit on Monday's CISO career panel. He identified a list of attributes successful CISOs possess:

  • Curiosity. If you're not interested in problems and how to solve them, CISO is probably not the job for you.
  • A moral compass. Any security executive who doesn't understand the difference between right and wrong may be on the wrong side of this equation.
  • An ability to take risk. Can you feel the irony? While the appetite for risk may be low at most companies, a CISO must take risks with how he or she approaches everything from managing an organization's security environment to recruiting new security talent.

Less Stoltenberg, CISO, University of Texas MD Anderson Cancer Center
Less Stoltenberg had a clear mantra during his participation on the CISO career panel: You have to know the business. But knowing the business doesn't mean much unless one acts on that knowledge. Along those lines, Stoltenberg said that CISOs shouldn't be afraid to make mistakes — or to face consequences for their failures — when in pursuit of the right security environment.

"I don't care if you audit me," he said. "It can only make me better."

Troy Braban, CISO, Australia Post
Troy Braban delivered one of the best talks of this year's RSAC, discussing how to give board members metrics they can act on. One of his strongest messages was to look at the metrics they're preparing with a critical eye.

He showed a slide of a metric that at first glance looked good. It charted the number of emails containing malware that were being blocked each month. It was simple to understand and clearly showed the trend it was trying to highlight. But a closer look raised a number of issues, such as the fact that it didn't make clear what action the board should take. It probably would have been more useful, Braban said, to chart malware-infected emails that were not successfully blocked.

Before he pointed out the flaws in the slide, Braban polled the audience, and most of them thought it presented a strong metric. They fell right into Braban's trap, and something tells me they'll return to their respective HQs a little wiser as a result.
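To make Braban's point concrete, here is an added example (not from the talk or from Australia Post) that computes both metrics from a constructed mail-gateway log. The log format, the field names, and the idea of using later endpoint alerts to confirm that a delivered message was malicious are all assumptions for illustration. Month over month, the "blocked" count falls while the "missed" count rises, which is exactly the situation the feel-good chart hides.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): gateway verdicts, plus later
# endpoint alerts that retroactively identify delivered mail as malicious.
SAMPLE_LOG = """\
2015-01-03 gateway msgid=m1 verdict=blocked reason=malware
2015-01-05 gateway msgid=m2 verdict=delivered
2015-01-09 gateway msgid=m3 verdict=blocked reason=malware
2015-01-12 gateway msgid=m4 verdict=delivered
2015-01-14 endpoint msgid=m4 alert=malware
2015-02-02 gateway msgid=m5 verdict=blocked reason=malware
2015-02-04 gateway msgid=m6 verdict=delivered
2015-02-06 gateway msgid=m7 verdict=delivered
2015-02-08 endpoint msgid=m6 alert=malware
2015-02-10 endpoint msgid=m7 alert=malware
2015-02-11 gateway msgid=m8 verdict=blocked reason=spam
"""

# date, source (gateway/endpoint), then space-separated key=value fields
LINE_RE = re.compile(r"^(\d{4}-\d{2})-\d{2} (\w+) (.*)$")


def parse(log_text):
    """Return a list of (month, source, fields) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        month, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((month, source, fields))
    return events


def blocked_malware_per_month(events):
    """The 'looks good' metric: malware the gateway stopped, per month."""
    counts = defaultdict(int)
    for month, source, f in events:
        if source == "gateway" and f.get("verdict") == "blocked" and f.get("reason") == "malware":
            counts[month] += 1
    return dict(counts)


def missed_malware_per_month(events):
    """The actionable metric: delivered mail later confirmed malicious, by delivery month."""
    delivered = {}  # msgid -> month the gateway let it through
    for month, source, f in events:
        if source == "gateway" and f.get("verdict") == "delivered" and "msgid" in f:
            delivered[f["msgid"]] = month
    counts = defaultdict(int)
    for month, source, f in events:
        if source == "endpoint" and f.get("alert") == "malware" and f.get("msgid") in delivered:
            counts[delivered[f["msgid"]]] += 1
    return dict(counts)


def miss_rate_per_month(events):
    """Share of confirmed malware that got past the gateway, per month."""
    blocked = blocked_malware_per_month(events)
    missed = missed_malware_per_month(events)
    rates = {}
    for month in sorted(set(blocked) | set(missed)):
        b, mi = blocked.get(month, 0), missed.get(month, 0)
        rates[month] = mi / (b + mi) if (b + mi) else 0.0
    return rates


EVENTS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    print("blocked:", blocked_malware_per_month(EVENTS))
    print("missed: ", missed_malware_per_month(EVENTS))
    print("miss rate:", miss_rate_per_month(EVENTS))
```

The blocked count alone reads as good news in February (fewer blocks, so presumably less malware), while the missed count and miss rate show the gateway letting more through. The second pair of numbers is the one that tells a board whether to fund better filtering, endpoint detection, or user training.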

Bradley Schaufenbuel, director of information security, Midland States Bancorp (leaving to fill a similar role for a cloud application company starting next week)
Bradley Schaufenbuel was at RSAC to lead a discussion on transitioning from CISO to CIRO — or chief information risk officer. It's a needed transition, he argued, because CISOs are falling short in areas that could otherwise help them transition into being CIROs.

This is important because the CISO role has grown to increasingly require core CIO capabilities such as business savvy, an ability to communicate with the C-suite, and an understanding of risk management principles.

So how have CISOs been falling short? For one thing, Schaufenbuel said, they're focusing on protecting information at the expense of potentially superior approaches such as improving the quality of information. Along those lines, they also often overlook organizational risk that resides outside of their organizations' data centers and firewalls.

"CISOs spend too much money on technical controls that produce lower levels of exposure," he said. "Companies are not getting their money's worth."

By shoring up those areas where they're relatively weak, CISOs can improve the efficiency of their companies' security spends while also potentially furthering their own careers.

You won't get advice like that from a vendor, folks.

Tony Kontzer, RSA Conference

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
