by Brendan McGowan

CIOs reveal their security philosophies

Jul 31, 2018
CIOIT StrategySecurity

Global IT leaders describe their approaches to cybersecurity application and communication.

security breach egg reveal locks binary code hacked
Credit: Getty Images

Security has always been a universal preoccupation, and there are countless examples of societies reforming their own institutions to stave off chaos and oblivion. In the Roman Kingdom, which preceded the Roman Empire by some five centuries, the local royal quaestor (“investigator”) was tasked with investigating murders. At roughly the same time, subprefects in the Chinese state of Jin patrolled the land and conducted criminal inquiries. Far more recently, The Metropolitan Police Act of 1829 afforded London its first allotment of inspectors and constables — first in buildings at Whitehall Place, later in nearby Great Scotland Yard.

Today, organizational security is almost entirely synonymous with technological security. CIOs act not only as technological champions — but, in their own ways, as quaestor, subprefect, and constable.

“For many organizations, CIOs represent the key leader in the battle to protect valuable data,” says M. Eric Johnson, Dean of the Owen Graduate School of Management at Vanderbilt University. “While not universal in all organizations, the bulk of the security investment is in the CIO’s organization.”

CIO [2018-07-31] > M. Eric Johnson, dean, Owen Graduate School of Management, Vanderbilt University Owen Graduate School of Management, Vanderbilt University

According to Johnson, CIOs face a host of challenges in this role. Chief among them is the need to “balance risk reduction with strategies that enable firm innovation and growth.”

“Overly strict security creates a different risk — throttling information exchange and creativity can threaten a company’s competitive viability,” Johnson adds. “Poorly managed reactions to breaches — and all firms have been breached in some way — can lead to other business deterioration.”

“Security is as much a human challenge as it is a technical challenge,” he concludes. “Dependable cybersecurity requires a three-part strategy of 1) superb technical implementation of the basics, 2) consistent education aimed at increasing awareness of employees, vendors, and executives, and 3) building a security team that is as motivated, skilled, and innovative as the bad guys.”

In this edition of Transformation Nation, CIOs delineate their own IT security philosophies — dispatches from the front lines of cybersecurity strategy. The implications of a breach for corporate reputation, economic well-being, and personal security are immense. Through these accounts, CIOs reveal the many tension points in application and communication that they grapple with every day.

Ann Dunkin, CIO, County of Santa Clara, California

I communicate my philosophy about security with three memorable statements:

There are two kinds of CIOs: those that have been hacked and know it and those that have been hacked and don’t know it. The scariest thing to a CIO is a security team that tells us that everything is OK because they haven’t found a breach. There are so many potential vulnerabilities and so many people trying to break in that it’s likely most enterprises, no matter how good the security program, have been hacked.

I could respond to that reality by curling up in a fetal position in the corner, but that wouldn’t be productive. Instead, I know what my high-value assets are and apply extra resources to protecting and monitoring them. That doesn’t mean I’m going to give up on protecting my perimeter and my other assets. I’m just going to assume that the perimeter is breached and apply extra protection and monitoring to what concerns me most. This reduces the chances that a hacker is able to breach those assets, and if they do breach those assets, it reduces the chances they can exfiltrate my data before I discover them.

Make yourself a harder target than the guy down the street. Some of us have data that is of particular interest to a hacker. But that’s the exception. In most cases, lots of people have similar data. My patient data is no different than any other healthcare system in the country. So, if my security is tough enough to deter attackers, they’ll try someone else they think is a softer target. Selfishly, that reduces my risk, but if all of us take that approach, we’ll collectively raise the bar and make the bad guys work harder.

CIO [2018-07-31] > Ann Dunkin, CIO, County of Santa Clara, California County of Santa Clara, California

Users — all of us — are our weakest link and our greatest asset. It’s tough being an end user these days. Hackers are growing ever more sophisticated. We’re getting hit by everyone from the nation-state actors to the script kiddies. The phishing messages in broken English have been replaced by sophisticated and convincing attacks that challenge the experienced technologist along with the average user. Somehow our users can still identify and report attacks. In this environment, we need to both constantly educate our users and be compassionate when they mess up. We need to turn them into allies in this fight because thousands of educated users can be our greatest asset.

When I talk with our security team, I will describe my priorities very differently. I talk about having system security plans, about defending the perimeter and high value assets, about auditing and maintaining good cyber hygiene. But talking about those things outside a small technical circle causes eyes to glaze over. The vast majority of staff simply need to understand of how they can contribute.

The three ideas described above are both understandable and memorable. I talk about security whenever I have a chance, and I always talk about one or more of those three concepts. I tell users that their help is crucial and how they can help us maintain our security. I tell engineers and designers how important it is that they design in security, and I tell system administrators and service desk staff how they can ensure that we implement our security controls.

Those three simple statements work with nearly any audience and help everyone remember how important their actions are to securing our enterprise.

Dick Daniels, executive vice president and CIO, Kaiser Permanente

My philosophy on IT security has two primary tenets. The first is that we aggressively address risks right away: We don’t wait until they become problems. In some organizations, it can be hard to get the needed support and funding to tackle something that is only a potential problem. But that’s how risks become breaches, and that’s a lesson that too many organizations learn too late.

The second tenet is that our security is only as strong as its weakest component. It’s essential to take a multi-level, holistic view of security that ranges from perimeter defenses to the actions of our employees, to the external organizations that we partner with to understand and address the evolving threat landscape.

Spreading the word about security comes down to governance, action, and education.

CIO [2018-07-31] > Dick Daniels, EVP and CIO, Kaiser Permanente Kaiser Permanente

Governance is the alignment of authority, decision making, and oversight that enables us to prioritize security and enable action. Governance is a critical part of our organization’s ability to act in accordance with our security philosophy and to highlight the importance of this work through active leadership commitment.

The actions that we take are also critical to disseminate the philosophy. When we proactively take on the complex process of rolling out software updates and security patches across hundreds of thousands of devices, people take notice. They see the investment our organization is making to address a risk before it becomes a problem and to make sure that we are strengthening that link in our security chain.

Last, but certainly not least, we focus strongly on educating our workforce. While we take comprehensive measures to prevent malicious email from reaching our employees, we know that no defense is bulletproof. It is a top priority for us to educate our employees — through training and realistic drills — to detect malicious email, phishing attempts, etc., and to report anything suspicious. This is an ongoing campaign to make our employees an active strength in our defense posture.

We also feature security at leadership meetings to make sure that we are continuously updating and educating senior leadership about the business risks and the importance of our strategy to address those risks.

Tim Barbee, Director of Research and Information Services/CIO, North Central Texas Council of Governments

IT security is a necessary evil. It cost a lot of money, creates inconveniences for customers (do you know anybody that likes secure passwords?) and is a drain on IT staff time that could otherwise be spent helping customers with solutions to enhance the business model of the organization. But it is necessary.

We have to protect the confidentiality, integrity, and availability of the data on the network, which, of course, means protecting the network. Like every other decision area, the trick is to find the most cost-effective method of doing that.

IT security is about acceptance of risk and risk avoidance. This is a bit of a circular analysis.

CIO [2018-07-31] > Tim Barbee, director and CIO, North Central Texas Council of Governments North Central Texas Council of Governments

First you need to know how much risk is acceptable to the organization. Second, you need to complete an IT security risk assessment to determine what the risks are — and prioritize the issues generating risks to focus on the ones that most benefit the organization. Third, you need to determine the cost to address each risk. Many times, the cost results in an adjustment of an organization’s definition of “acceptable risk.” There must be an understanding of risks that must be addressed for effective operations versus risks where there is no business case to address them because they are costly to tackle but that action does not significantly benefit the organization.

The messy part of security is the people part. No matter how much is spent on tools, monitoring, automation, etc., if there isn’t a good security education program for employees, the risk will probably stay higher that what has been defined as acceptable. Our security program includes mandatory online classes and using targeted phishing campaigns as an educational tool. If an employee falls for a phishing campaign, they receive immediate feedback with instructions on what should have been done and how to identify that this particular activity was problematic.

Every new employee during initial orientation is given a briefing on IT security. Additionally, directors in our organization give a broader orientation to new employees every six months. In that orientation, I emphasize their role in keeping our organization free from malware and unwelcome intrusions.

There is a very good understanding of the need for IT security at the executive level in all areas of the organization where I work. To some extent, that was accomplished by highlighting the unending security breaches happening to all types and sizes of organizations around the world. Because of the executive-level acceptance, there is very good acceptance of new security initiatives, as long as they are well-conceived.

One other activity we are working on is peer-sharing. I work in the government sector. In the North Central Texas region, there are approaching 250 governmental organizations, including cities, counties, water districts, wastewater districts, school districts, and others. There is a real desire in many of those organization to regularly meet and discuss IT security: current issues, methods of addressing, lessons learned, etc. This is actually one area where the government sector has an advantage over the private sector. There are no trade secrets to protect, so sharing information can happen freely.