Security Strategy, Plan, Budget

Embrace change: How security translates to business

Security pros are acclimating to shifts in the landscape and earning a return on investment for their enterprises, reports Deb Radcliff.

André Gold (left) is no stranger to change. As senior director of technology operations and security for AutoTrader.com, Gold has cut an aggressive career path working with leading-edge companies to get where he is today. Recent employers include Continental Airlines, where his program enabled a $2 billion online revenue stream, and MoneyGram International where his team enabled the company's remittance program that serviced major organizations like Wal-Mart and CVS.

All along, he has chosen companies that challenge him and keep him relevant for the next job, as well as provide him opportunities to show the value of security to drive revenues.

“I like being measured on the revenue we generate,” says Gold. “But in security you don't get measured that way because risk is all shades of gray. I don't want to just protect everything. I want to enable the growth of the company I'm working for.”

This can-do attitude and adaptability are two key traits IT security and privacy leaders need in today's fast-paced and integrated technology risk arena, says Tracy Lenzner, CEO of LenznerGroup, an executive security staffing firm based in Williamsville, N.Y.

“The ability to get ahead of and enable change is now being directly tied to pay and bonuses,” she says. “Hiring organizations are requesting professionals with a certain core set of leadership, technical and business acumen similar to traits required to run other business functions such as finance, legal, HR, marketing, sales and other business units.”

C-level security professionals are also being judged on their effectiveness at bringing together and simplifying solutions, vision and ability to engage business units as stakeholders. Particular skills around new technologies and how a potential hire fits into the organizational culture are also important, she adds. However, the most important thing C-level security professionals need to possess is operational knowledge that can be applied to the business.

Hailing from an operational IT background, Gold understands the value of his business background and can relay how security supports the overall goals the business is trying to achieve.

While thinking five to 10 years out, no one can predict all the changes that will occur in their environments, Gold says. So the secure infrastructure must be developed with core access, compliance and security controls that are expandable to support new and improving operations and business services.

“One of the key components is to maximize reuse of security and operations services,” he says. “You don't need to duplicate efforts between them. So we've developed a core, symmetric approach for implementing security and operations into new business requirements and for managing security and operations for existing business applications.”

Gold received his MBA three years ago. He attends industry conferences and peer groups, stays visible in publishing and speaking and, most importantly, and regularly engages with other relevant units within his organization, particularly marketing, he says.

“I just listened to a new marketing pitch and can listen to it from both an operations and security sale,” he says. “Ultimately the operations and the security sell both lead to the same question, which is ‘What does this mean to the AutoTrader business?'”

Adding value
Security leaders should always be looking for ways to improve their organizational bottom line, says Omar Khawaja, global manager for security solutions at Verizon. For example, he points to one of his peers who, despite a $1.5 billion IT budget, is looking to outsource to the cloud to reduce cost and offset risk to the cloud provider.

Another IT leader, Kenneth Johnston (right), CIO and VP of information systems at Guaranty Bank, headquartered in Springfield, Mo., is also all about bringing value to his organization. To keep up with consumer demand for new banking applications at the $731 million commercial bank, he hires personnel as needed through a small force of vetted consultants, which keeps costs down. He also takes advantage of virtualization because it reduces his hardware investment. For example, his mail servers, including the organization's email security solution, Proofpoint, are already virtualized.

Driving efficiencies
These are examples of bringing value by means of driving efficiencies in the organization's internal processes. Johnston also believes security can be directly responsible for enabling lines of revenue. For example, last June, his team rolled a smartphone application that allows customers to verify their ATM and point-of-sale transactions in real time using their phones. Customers are also notified of suspected fraud with a call to a pre-designated phone number.

“Our customers love us for this app,” says Johnston. “Now, we're working with other banking applications we can roll out to our customers on their phones.”

Joyce Brocaglia (left), CEO of the executive IT security and privacy search firm Alta Associates, refers to this time of change as a “risk revolution” for security and privacy professionals, their customers and their places of business. In fact, it is the theme of the company's Executive Women's Forum National Conference, to be held in Scottsdale, Ariz. from Oct. 19 to 21.

“This year's conference theme is about embracing accelerated change,” says Brocaglia. “Our participants will learn about what is required to implement effective risk practices while adding value and remaining secure and compliant. Our workshop on the consumerization of IT will explore risk-reward scenarios and compliance and strategies to support consumer-driven demand of BYOT [bring your own technology].”

As an example of the changing roles of security professionals and their ability to add value to an organization, Brocaglia cites an executive placement whose role now includes developing a ready-to-go playbook for facilitating acquisitions, mergers and divestitures for their organization. This position requires more than an understanding of where to connect and disconnect merged systems and access, she says. It also requires intimate legal knowledge of the mergers, acquisitions and divestiture processes.

Not only do IT security executives need to learn business at this level to enable change, they also need to pass on business acumen to others within the security and privacy organization. For example, Nasrin Rezai, senior director of global information security for Cisco, has developed effective ways of passing down critical business knowledge to her team, including a common syntax for translating technical terms and phrases into business terminologies.

“If one of my directors or managers turns in a report and it is technical gobbly-goo, I send it back and reiterate that it must be in business language,” says Rezai (right), who is responsibile for Cisco's entire security architecture. “The business doesn't care that we need two-factor authentication because we're vulnerable to a web-based attack. They need to know that the customer account data they're processing on the new business portal is safe with two-factor authentication and here's how we'll enable that and accept the risk.”

Like Gold, Rezai hails from an IT operations background. Her most recent position at Cisco was running the government unit's business planning function, which she grew from five to 300 people in three years. Then, five years ago, she says Cisco Chief Security Officer John Stewart offered her the global directorship because of her ability to form business partnerships. Throughout her tenure, Stewart has taken direct interest in how she disseminates that knowledge to those reporting to her and others in the organization.

“We needed to get security outside of the policing function, outside of technology and bring it into the business partnership model where we can assess business directives and support growth and agility,” Rezai says.

Added value
As she developed multiple internal partnerships with legal, operations and other internal teams, Rezai also went well outside of her organization for mentorship and business advice. For example, she set up an advisory board with Cisco's top eight customers for input on security products and services. So, in addition to driving change internally, Rezai is also ultimately driving new lines of revenue for her company by taking those suggestions and improving products or driving new business.

One revenue-generating program she is in charge of is Cisco's WebEx software-as-a-service platform. And, after bringing up the matter internally, she was recently put in charge of developing Cisco's role in identity and access management.

Security and risk executives who have the ability to link effective risk management strategies and frameworks to driving business results will differentiate themselves and their programs by adding value, says Alta Associates' Brocaglia. To innovate and add value, they will ultimately need a strong foothold in all relevant business processes.


[sidebar]

Failure: Not an option

By failing to embrace change and not using it to improve efficiencies, effectiveness, lines of business and revenue, IT security professionals face a real risk of becoming extinct, staffing and security experts say.

“Saying no to change because something's insecure is no longer an option,” says Omar Khawaja, global manager for security solutions at Verizon. “IT security leaders must be able to embrace change and go beyond responding to being proactive and driving value. Unfortunately only 20 to 30 percent of C-level security professionals are actually this aligned with the business.”

Kenneth Johnston, CIO/VP of information systems at Guaranty Bank, who started work in IT with the U.S. Army in 1969, faced the real danger of becoming extinct through many transitions in technology. But, he says working with cutting-edge companies, staying informed, working with young talent and observing consumer use of technology keeps him relevant and ready for the next new business requirement.

“I just spent several days configuring security and access policies for the iPad because our CEO wanted to use the device on the network,” he says. “It's a balancing act – planning for risk over the next couple of years while also being on the leading edge of technology.” – Deb Radcliff

Deb Radcliff

Deb Radcliff was the first investigative reporter to make cyber crime a beat starting in 1996 after researching a best-selling book about Kevin Mitnick called the Fugitive Game. Since then, she has written hundreds of articles for business and trade magazines, won two Neal awards for investigative reporting, and was runner up for a third. She stood up an analyst program for SANS Institute and ran it for 15 years before joining the Cyber Risk Alliance as strategic analyst on the business intelligence unit. And she wrote her first book in a cyber thriller series, “Breaking Backbones: Information is Power,” which is selling well on Amazon and other outlets.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.