I have what some might consider a combined role in information security and operational risk. In simple terms, my job is to communicate risk related to people, process and technology and ensure that the level of risk the company accepts is in line with management's appetite.
Why did you get into IT security?
Originally I was sort of enamored by the technology, but it's been interesting to see the rapid change technology has had on business, how we do our jobs and the regulatory environment.
What was one of your biggest challenges?
One of the great challenges in this area is to help others understand process and impact beyond their area of expertise or influence. It's through effective communication and understanding that risk is managed effectively. This is a fundamental yet often misunderstood aspect of risk management.
What keeps you up at night?
It's most likely similar to what keeps most information risk professionals up at night... the unknown. Security professionals spend so much time ensuring the effectiveness of the control environment, but at the end of the day there is always a threat of a breach, fraud, or reputational damage. Organizational crime is getting so sophisticated…it's a constant arms race.
Of what are you most proud?
Helping teams and individuals work together. I love to see real cross-functional team synergy working. People's attitudes and behaviors change so much when they begin to truly understand each other and what is driving their actions.
For what would you use a magic IT security wand?
Insider threats still pose some of the greatest risk against organizations today, yet are hard to detect compared to external threats. Combine this with the rapid proliferation of data and mobile computing and you have a difficult challenge of identifying, classifying and handling information assets. Data leakage solutions today are making progress in this space, but still have room to grow. I would like to see this technology evolved significantly to take a more seamless holistic approach.