Effective, open communication with upper management about information security requirements and threats is now a topic of daily discussion. But despite the mounting lip service it gets, its importance to the success of a holistic, business-centric risk program cannot be overstated.
For many professionals in this space it can make or break a security strategy's overall efficacy. As a result, some CSOs are becoming just as practiced at promoting their security initiatives as they are at actually implementing and managing them.
SC Magazine's 2014 CSO of the Year, Forrest Smith, who is the senior manager of information security and CISO for Nissan Americas, says that establishing and diligently following through on an “internal marketing plan” helps “to build consensus across the organization” and shows how IT security serves wider business aims.
“If you expect everyone to support security initiatives, everyone from the top down needs to know what the security initiatives are and how to support the security team in meeting those objectives,” he explains.
To Lee Eaves, who works for Smith as manager for information security at Nissan, this way of thinking has contributed greatly to how company executives and workers alike view IT security.
“I've seen a significant evolution of Nissan's security program over the past three years,” he says. “Forrest generated a strategic vision and added thought leadership to information security and its associated programs. Under his direction, Nissan created a business-centric, global information security incident response plan, digital forensic team, threat intelligence team, improved the use of information security tools and improved communications with business sponsors and executives.”
In addition to improving the company's threat intelligence levels, Smith – who previously worked for IBM as a consultant, middleware architect and team lead – also introduced a “threat hunting” practice, he says. It allows his staff “to apply behavioral analytics to network and computing systems to identify anomalies.” His team of full-time and contract employees continues to use traditional systems, such as intrusion detection and antivirus, but layers the “threat hunting” practice on top of them in an attempt to catch more “sophisticated, targeted attacks,” he explains.
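The layering Smith describes is easiest to see with two detectors run over the same day of telemetry: a signature check, which is precise but only fires on destinations it already knows, and a behavioural check, which compares each host against its own history and fires on volume that the signature list would never see. The example below is added here to illustrate that point; it is not Nissan's code or anything from Smith's team. The host names, the RFC 5737 documentation addresses, the per-day byte counts and the indicator list are all constructed, and the z-score threshold is one simple choice of baseline model, not a claim about what Nissan runs.

```python
"""Added example: a behavioural anomaly check layered over a signature (indicator) check."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (day, host, dest_ip, kbytes_out).
# Destinations are RFC 5737 documentation addresses; nothing here is real traffic.
BASELINE = []
for day in range(1, 8):
    for host in ("eng-ws-01", "eng-ws-02"):
        kb = [1000, 1100, 900, 1050, 950, 1000, 1000][day - 1]
        BASELINE.append((day, host, "198.51.100.20", kb))

TODAY = [
    (8, "eng-ws-01", "198.51.100.20", 1000),
    (8, "eng-ws-01", "192.0.2.77", 50000),   # unlisted destination, large transfer
    (8, "eng-ws-02", "198.51.100.20", 1000),
    (8, "eng-ws-02", "203.0.113.9", 12),     # tiny beacon to a listed indicator
]

# Signature layer: the indicator list an IDS or AV feed would supply (constructed).
KNOWN_BAD = {"203.0.113.9"}


def signature_hits(events):
    """Hosts that talked to a known-bad destination. Cheap and precise, blind to anything unlisted."""
    return sorted({host for _, host, dest, _ in events if dest in KNOWN_BAD})


def daily_totals(events):
    """Map host -> list of per-day outbound kbytes, in day order."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, host, _, kb in events:
        per_day[host][day] += kb
    return {host: [days[d] for d in sorted(days)] for host, days in per_day.items()}


def behavioural_hits(baseline, today, z=3.0, min_days=5):
    """Hosts whose outbound volume today exceeds mean + z*stdev of their own history.

    Hosts with too little history are returned separately: a host with no baseline
    is a lead for a hunter to look at, not something to silently score against zero.
    """
    history = daily_totals(baseline)
    current = daily_totals(today)
    flagged, no_baseline = [], []
    for host, totals in current.items():
        hist = history.get(host, [])
        if len(hist) < min_days:
            no_baseline.append(host)
            continue
        # Floor the deviation so a perfectly flat history still yields a usable threshold.
        mu, sigma = mean(hist), max(pstdev(hist), 1.0)
        if totals[0] > mu + z * sigma:
            flagged.append(host)
    return sorted(flagged), sorted(no_baseline)


def hunt(baseline, today):
    """Run both layers and report what each one caught; 'behavioural_only' is the
    class of activity the signature layer would have missed entirely."""
    sig = signature_hits(today)
    beh, new_hosts = behavioural_hits(baseline, today)
    return {
        "signature": sig,
        "behavioural": beh,
        "no_baseline": new_hosts,
        "behavioural_only": sorted(set(beh) - set(sig)),
    }


if __name__ == "__main__":
    for layer, hosts in hunt(BASELINE, TODAY).items():
        print(f"{layer:17s} {hosts}")
```

On the constructed data the two layers disagree in a useful way: eng-ws-02's 12 KB beacon is far too small to move its daily total, so only the indicator list catches it, while eng-ws-01's 50 MB transfer goes to an address on no list, so only the baseline comparison catches it. Neither layer alone sees both, which is the case for running them together rather than choosing between them.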
Another big change in the past year occurred when the IT security organization moved out of the information systems department into corporate services. Among other things in the works, this move expanded IT security's scope to include engineering and manufacturing systems. “We are no longer solely the information systems security group, but instead we focus on threats across the organizations and across different types of devices,” says Smith.
The change also is aiding in the alignment of IT security and physical security, adds Brian Delauter, Smith's boss, who is the director of the corporate services division, which includes shipping and receiving, corporate vehicles, global aviation, facilities management, real estate and physical security divisions.
It also makes IT security much more autonomous, allowing Smith and his crew to “shine the light on issues that don't always make it up to leadership,” adds Delauter. “The net goal is to strengthen IT security for the enterprise. It's always about the company. We're going to be better tomorrow than we are today.”
Smith is critical to this process because he brings a “tremendous amount of knowledge and a pragmatic approach,” Delauter says, adding that Smith's solid risk management approach to security helps the company's executive leaders and business units prioritize corporate goals, marrying security goals to them, so that all the players are moving in the right direction.
Continuing to partner business with security will likely result in IT security eventually standing on its own, with Smith reporting to the highest levels of the company – a goal of Delauter's. He sees Smith moving into a position at the level he himself holds now.
“[Forrest] is very well regarded at the organization and we want to help him grow,” he says. “If we don't, someone else will.”
Both Delauter and Eaves agree that Smith is more than deserving of SC Magazine's CSO of the Year Award given these and other steps he's taken to advance information security for Nissan.
“In the next 12 to 18 months, I think we're going to see the growth of information security outside of the IT function,” says Eaves. “Forrest has been able to communicate and demonstrate the strategic value of information security within our organization. As a result, he is driving the [use] of information security in all aspects of our business. Forrest's most valuable trait is the strategic vision and thought leadership that he brings to the security organization. Because we have a solid strategy, we are very visible and integrated into the different business units within Nissan.”
SC Magazine gained some insight directly from Smith, querying him about his major concerns when it comes to safeguarding Nissan's most critical assets, how the role of the CISO will evolve, and more.