Effective and open communication with upper management about information security requirements and threats is a topic of daily discussion now. But, despite the mounting lip-service it gets, its importance to the success of a holistic and sound business-centric risk program cannot be overstated.
For many professionals in this space it can make or break a security strategy's overall efficacy. As a result, some CSOs are becoming just as practiced at promoting their security initiatives as they are at actually implementing and managing them.
SC Magazine's 2014 CSO of the Year, Forrest Smith, who is the senior manager of information security and CISO for Nissan Americas, says that establishing and diligently following through on an “internal marketing plan” helps “to build consensus across the organization” and reveals just how IT security works to facilitate wider business aims.
“If you expect everyone to support security initiatives, everyone from the top down needs to know what the security initiatives are and how to support the security team in meeting those objectives,” he explains.
To Lee Eaves, who works for Smith as manager for information security at Nissan, this way of thinking has contributed greatly to how company executives and workers alike view IT security.
“I've seen a significant evolution of Nissan's security program over the past three years,” he says. “Forrest generated a strategic vision and added thought leadership to information security and its associated programs. Under his direction, Nissan created a business-centric, global information security incident response plan, digital forensic team, threat intelligence team, improved the use of information security tools and improved communications with business sponsors and executives.”
In addition to improving the company's threat intelligence levels, Smith – who previously worked for IBM as a consultant, middleware architect and team lead – also developed the idea of “threat hunting,” he says. This allows his staff “to apply behavioral analytics to network and computing systems to identify anomalies.” And, although his team of full-time and contract employees continue to use traditional systems, such as intrusion detection, AV and others, they layer on top of these the “threat hunting” practice in an attempt to catch more “sophisticated, targeted attacks,” he explains.
Another big change in the past year occurred with the IT security organization moving out of the information systems department into corporate services. Among other things in the works, this move expanded IT security's scope to include the management of engineering and manufacturing. “We are no longer solely the information systems security group, but instead we focus on threats across the organizations and across different types of devices,” says Smith.
The change also is aiding in the alignment of IT security and physical security, adds Brian Delauter, Smith's boss, who is the director of the corporate services division, which includes shipping and receiving, corporate vehicles, global aviation, facilities management, real estate and physical security divisions.
As well, it makes IT security much more autonomous, allowing for Smith and his crew to “shine the light on issues that don't always make it up to leadership,” adds Delauter. “The net goal is to strengthen IT security for the enterprise. It's always about the company. We're going to be better tomorrow than we are today.”
Smith is critical to this process because he brings a “tremendous amount of knowledge and a pragmatic approach,” Delauter says, adding that Smith's solid risk management approach to security helps the company's executive leaders and business units prioritize corporate goals, marrying security goals to them, so that all the players are moving in the right direction.
Continuing to partner business with security likely will result in IT security eventually standing on its own, with Smith reporting to the highest levels of the company – a goal of Delauter's. As such, he definitely sees Smith moving into a position that is in line with his own level now.
“[Forrest] is very well regarded at the organization and we want to help him grow,” he says. “If we don't, someone else will.”
Both Delauter and Eaves agree that Smith is more than deserving of SC Magazine's CSO of the Year Award given these and other steps he's taken to advance information security for Nissan.
“In the next 12 to 18 months, I think we're going to see the growth of information security outside of the IT function,” says Eaves. “Forrest has been able to communicate and demonstrate the strategic value of information security within our organization. As a result, he is driving the use of information security in all aspects of our business. Forrest's most valuable trait is the strategic vision and thought leadership that he brings to the security organization. Because we have a solid strategy, we are very visible and integrated into the different business units within Nissan.”
SC Magazine gained some insight directly from Smith, querying him about his major concerns when it comes to safeguarding Nissan's most critical assets, how the role of the CISO will evolve, and more.
SC Magazine: How long have you been in information security? Can you highlight the positions and organizations that helped you prepare for your stint for Nissan? What about pertinent training and certifications?
FS: I have been in Nissan's information security organization for about four years. Prior to joining the organization, I held positions in enterprise architecture, application development, project management, system administration and infrastructure management. I believe my broad technical knowledge of many different areas of IT has allowed me to drive positive, practical security changes. I believe that a technical and business-oriented CISO has an advantage in driving a successful information security strategy and translating complex technical topics into the language of business. I maintain my EnCase Certified Examiner (EnCE) and my Project Management Professional (PMP) certifications.
SC: What have been your major achievements in the last year of which you're most proud (and likely helped you receive this recognition)?
FS: We expanded our team and focused on ensuring we have broad expertise. We focused less on finding the perfect security person and instead on finding experienced individuals who have valuable soft skills, and then we trained them. We've found this approach provides a more comprehensive and cohesive team. This also helped improve our communication within the company, as these individuals were highly capable of communicating complex technical issues to our business units.
SC: What were the major challenges associated with these? For example, given the economic climate, things generally have been tough for many CISOs with whom we speak. Did you find difficulties here or in any other areas when trying to achieve your aims this last year? How did you overcome them?
FS: I think the major challenge is the need to constantly review your priorities and evaluate whether certain tasks are really adding value. Due to the dynamically changing threat landscape, we constantly re-evaluate and prioritize the way we do things to be most effective.
At Nissan, we are frugal, yet successful, because we focus on security initiatives and activities that provide the greatest probability of reducing significant risks.
I think there's a general philosophy that to build a good security team, you must invest significantly in tools and people. While this is partially true, I also find that we don't effectively use the tools we already have or could use them in a different way to become more effective at detecting or preventing threats. One of our biggest challenges is achieving maximum value from security investments and being innovative in how we use the tools we already have.
SC: Who in your organization helped with these achievements?
FS: We have support from all levels of management and the entire Nissan organization. We have a culture set by our CEO that every employee is responsible for protecting Nissan's information assets. As such, the entire organization helps the information security team be successful.
SC: Is this a sign that more companies and individuals care more about how organizations are shepherding their critical content – that they care about the security of their details when dealing with vendors?
FS: I think companies and consumers care more about security and privacy now than they did several years ago. I suspect that soon consumers will heavily factor a company's ability to secure their private data into the purchase decision. I suspect this is going to propel information security into being an integral part of a company's sales and marketing strategy.
SC: How would you describe today's security threat landscape?
FS: I've seen a dramatic shift and increase in cyber crime, intellectual property theft and I am starting to see more “disruptive behavior” again. More importantly, these things are occurring across more types of devices.
There is a continuing lag in security technologies and services that can stay ahead of the evolving threat landscape. In my opinion, the most promising technologies are those that use whitelists and focus on behavioral anomalies.
SC: What is your biggest gripe with the way security is done these days?
FS: I see an over-reliance by companies on outsourcing of critical security functions. I believe a key factor in detecting business-targeted threats is an intimate knowledge of your IT environment, which an outsourcer just doesn't have. There is a place for outsourcing within the security organization, but a successful security organization must balance when to use and not use an outsourcing strategy.
SC: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?
FS: We need to find ways to enable and secure bring-your-own-device (BYOD) and “moving to the cloud.” Evolutions of technology are not avoidable and we should embrace them. But, there are enormous complexities in securing both these areas, not to mention the legal considerations. We are going back to the drawing board this year to come up with innovative ways to make BYOD and cloud data initiatives more secure.
Outside of the office, the attention to investigative skill-building does not stop. In fact, it not only is strengthened, but at the same time helps out the local community. Owing to volunteer work with the Williamson County Sheriff's Office, Forrest Smith and a few members of his Nissan team serve as reserve sheriff deputies and perform digital forensic examinations for the criminal investigations division (CID). “This is a great way for us to continue to sharpen our investigative skills, while also providing a service to the local community,” Smith says.
SC: What are the security technology must-haves that organizations should have in place?
FS: The technology must-haves are log collection/event correlation tools and application whitelisting. Log collection and event correlation tools allow the organization to dissect and analyze abnormal behaviors. Nearly every breach report discusses the lack of log monitoring as a significant contributing factor.
Application whitelisting prevents a very high percentage of malware and other unauthorized programs from running on workstations and servers.
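The correlation idea in the answer above, shown as an added example rather than anything from the article or from Nissan's own tooling: parse constructed, syslog-style authentication lines and apply two simple correlation rules, a burst of failed logons followed by a success from the same source (a brute-force that worked) and a user whose successful logons fan out across an unusual number of hosts in a short window (a lateral-movement indicator). The log format, field names, thresholds and windows are all assumptions for illustration.

```python
"""Added example: simple event correlation over constructed authentication
log lines. Not code from the article or from Nissan; the log format, field
names, thresholds and windows below are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like key=value format is an assumption).
SAMPLE_LOGS = """\
2014-03-01T08:00:01 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-03-01T08:00:03 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-03-01T08:00:05 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-03-01T08:00:07 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-03-01T08:00:09 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-03-01T08:00:12 host=web1 user=alice src=10.0.0.5 result=OK
2014-03-01T08:05:00 host=db1 user=bob src=10.0.0.9 result=OK
2014-03-01T08:06:00 host=db2 user=bob src=10.0.0.9 result=OK
2014-03-01T08:07:00 host=web2 user=bob src=10.0.0.9 result=OK
2014-03-01T08:08:00 host=fs1 user=bob src=10.0.0.9 result=OK
2014-03-01T09:00:00 host=web1 user=carol src=10.0.0.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_logs(text):
    """Turn raw lines into event dicts; unparseable lines are skipped
    (a real collector would count them, since parser gaps hide activity)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events


def find_bruteforce_success(events, min_failures=5, window=timedelta(minutes=2)):
    """Rule 1: at least min_failures FAILs from one (src, user) followed by an
    OK within `window` of the earliest counted failure. Returns findings."""
    findings = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent FAILs
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            findings.append({"src": e["src"], "user": e["user"],
                             "failures": len(recent), "success_at": e["ts"]})
        failures[key].clear()  # a success resets the counter for that key
    return findings


def find_lateral_fanout(events, max_hosts=3, window=timedelta(minutes=10)):
    """Rule 2: a user whose successful logons reach more than max_hosts
    distinct hosts inside any sliding window of length `window`."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "OK":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                findings.append({"user": user, "hosts": sorted(hosts),
                                 "from": start["ts"]})
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for f in find_bruteforce_success(evs) + find_lateral_fanout(evs):
        print(f)
```

Both rules depend on the same thing the answer stresses: the logs have to be collected centrally and in one parseable shape before any correlation is possible, and the thresholds only mean something once they are tuned against what is normal for the environment.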
SC: What about policies and programs? What are requirements that shouldn't be overlooked as perhaps they are now?
FS: I think end-user information security education is the most overlooked program in security. Effective security education, beyond the mandatory annual training, makes a significant difference in reducing risk and can be done at minimal cost.
SC: Who do you report to? Is there an ideal hierarchical structure when it comes to ensuring IT security is being addressed adequately in a corporate environment (for example, answering to the CEO as opposed to the CIO)?
FS: Earlier this year, Nissan changed the reporting structure and my organization was moved outside of IS into corporate services.
I believe the ideal hierarchical structure to ensure IT security is addressed adequately is for the security organization to report to the CEO as opposed to the CIO. This is important because the fundamental objectives of the information systems organization differ from those of the security organization. With many companies considering cyber security a very high risk, the separation of duties between information security and information systems will become very important to auditors and shareholders, if it hasn't already.
SC: The economy's been tight, with some organizations experiencing budget cuts, layoffs, travel and hiring freezes, and more. How did you fare? Do you foresee more of these stressful budgetary challenges in 2014? Or are things expected to improve?
FS: At Nissan, things are improving. We continue to focus on improving our security posture. Over the past two years, we've increased budget and headcount as needed to mitigate threats and make improvements.
Out of necessity, I do think investments in security are going to increase over the next several years. Major breaches remind all of us of the inherent risk in technology and the need to be vigilant in our security efforts.
SC: In regard to compliance demands, what are your priorities and how do you adhere to such regulations? Must you contend not only with regulations in the U.S., but also with other countries' regulations?
FS: Nissan is a global company and as such we must comply not only with U.S. regulations, but also all other countries' regulations. Compliance demands are simplified by the fact that we divide our operations into geographical regions. So, the focus of any one region is mostly on the countries within that region.
SC: While compliance has prompted corporate leaders to understand security needs more, there may be some thought that compliance with certain mandates means security of critical data. As many incidents illustrate (think Target or some others, like Heartland) that's not the case. How do you make sure those corporate leaders who are supporting you and are responsible for allocating resources understand this so that you get the required support and budget you need for your projects (which ultimately are part and parcel of business activities)?
FS: We separate compliance from information security. Compliance is considered an operational activity with oversight from internal audit. While there is some overlap in these activities, the objectives are different. Compliance tends to focus on validating compliance with specifically defined controls and regulations. Our information security team focuses on protecting sensitive data from an ever-evolving threat landscape.
One way to differentiate the two is through the key performance indicators (KPIs) one uses to measure and report on objectives. Compliance KPIs should be focused on testing of controls. Information security KPIs should be focused on threat indicators, security cases, forensics, etc.
SC: How do privacy issues factor into what you do?
FS: Nissan takes data privacy very seriously. We have a robust program that ensures sensitive data is properly protected, and Nissan always meets or exceeds regulatory requirements.
SC: What privacy regulations (in the U.S. and abroad) must you comply with? What are your organization's main objectives when it comes to privacy and how do you ensure these goals are met? Is there a privacy officer with whom you work at your company?
FS: There are many privacy regulations at the U.S. state and federal level and in many other countries in which we do business. Our privacy objective is to keep the commitment to our consumers to safeguard their data. We have robust information security programs and internal controls to achieve this objective.
SC: We've heard there's a dearth of good help lately. When hiring information security practitioners, what experience/knowledge/certifications/attributes do you look for? What advice would you give to individuals looking to enter the field of information security?
FS: Hiring talented information security practitioners has been one of my greatest challenges. My best advice is to be patient – I've taken six to nine months to fill some positions.
Recently, our recruiting has focused on skills that are complementary to information security. For example, an internal auditor develops skills that are easily morphed into a threat analyst. We have had much success in hiring people with complementary skill sets, but without information security experience, and then providing them with information security training and mentoring.
SC: How will the role of the CSO look in five years? In 10 years? In 20? Will the job be evermore integrated into day-to-day business? How will this affect job growth and job security in this space, do you think?
FS: I think the role of the CSO in five years will be more business integrated. The CSO's responsibilities will expand and probably ultimately evolve into managing total risk to the company. I think there's enormous potential job growth in this space because, as technology continues to expand, and as the Internet of Things concept grows, the need for risk management and security will grow exponentially. Those companies that do security well will succeed and those that don't will struggle.
SC: What is on your agenda for the coming year?
FS: We are increasing our focus on continually improving our threat intelligence and threat-hunting capabilities and improving our end-user educational programs. In addition, we're working on innovative ways to support BYOD and the use of cloud resources.
SC: What are some of the major challenges you believe you and your counterparts at other companies/government entities face in the next year? What about the major threats to your organization and its critical data?
FS: The greatest challenge is our ability to identify and prevent targeted threats.
SC: Any hobbies, destination spots, or other more personal areas of your background that you would like to share?
FS: Along with three members of my team, Nissan sponsors a program in which we volunteer time to the Williamson County Sheriff's Office as reserve sheriff deputies and perform digital forensic examinations for the criminal investigations division (CID). This is a great way for us to continue to sharpen our investigative skills, while also providing a service to the local community.
SC: What's your best advice to others when it comes to building a strong security program?
FS: First, educate executive management until you gain their support.
Second, a highly-skilled team is critical in meeting security objectives – be careful to choose quality over quantity.
Finally, investments (of resource time, new tools and processes) should be prioritized based on risk (probability and impact). Generally speaking, security functions struggle with prioritizing investments and being agile enough to change them when the threat landscape changes.