Critical Infrastructure Security

SC Magazine CSO of the Year: Dennis Brixius, VP and CSO, The McGraw-Hill Companies

So, to further develop the educator within, Dennis Brixius, VP and CSO at The McGraw-Hill Companies, has taken on some pupils.

"I've had a number of managers and mentors throughout my career who have provided great insights and from whom I've learned a great deal," he says. "I found those experiences so valuable that I now participate as a mentor in The McGraw-Hill Companies' Mentor Program to assist in the professional development of the next generation of IT security managers."

To be sure, with more methodical cybercriminals cracking startling numbers of virtual vaults filled with critical information, these future cybersecurity guards will need all the help they can get. And, it's not just about honing technical skills. Today's IT security professionals must expand their business acumen, sharpen their speaking abilities, and embrace their organization's endeavors by bolstering them with their own.

It's a demanding job. Yet, beyond his role as a mentor, Brixius has more than enough to keep him energized and intellectually stimulated in his day-to-day dealings as CSO.

"I am responsible for establishing a complete information security program to protect the property rights of the company, ensure business continuity, protect the privacy of our customers, and help the company to effectively serve its global customers and markets," he explains. "My role also includes information risk analysis and assessment, developing security and risk management, consulting with our business units to ensure that security is addressed early in a project's development, and educating senior management about legal, regulatory and technical changes related to information security and business continuity issues."

Brixius joined The McGraw-Hill Companies in January 2004. With more than 280 offices in 40 countries, the organization employees a workforce of 20,000 strong, while servicing a broad range of customers in the education, financial services and business information markets.

Luckily, Brixius has what he calls "a significant support network across the company which is dedicated to our various security initiatives." Additionally, he says, he has "a core group of employees on my team who also do an outstanding job. We are using leading compliance processes and advancing technologies to protect our information resources and to ensure that appropriate controls and protections are integrated into projects from the start."

We asked our CSO of the Year to provide us with some insight on what has helped him best prepare for his current position at The McGraw-Hill Companies, and to explain what his goals and hopes are for the future.

Illena Armstrong: What helped you prepare for your stint at McGraw-Hill?
Dennis Brixius: Prior to joining The McGraw-Hill Companies, I worked in a variety of positions solving IT-related business and security problems. I was director, enterprise architecture and chief information security officer at Praxair, Inc. I have occupied senior information management positions at TRW, Inc., BP and two consulting firms.

I also have held positions in a variety of fields, including automotive structural engineering, simulating and analyzing oil and gas recovery techniques, and managing global networks and services. My international experiences have proven to be valuable, having developed relationships globally that I can still rely on.

I earned my bachelor's degree from Gettysburg College and an MBA from the University of Delaware.

Q: What have been the major achievements of which you're most proud?
A: We have introduced a number of proactive technologies within the company that focus on host intrusion protection, improving the security of our mobile work force and protecting the privacy of our customers and employees.


Q: What processes and solutions/vendors helped you reach these?
A: We use a variety of vendors, who along with our talented staff help us to meet our goals and objectives and, overall, provide a safer IT environment.

In terms of process, it is important for our group to leverage the best information available before starting a project. For instance, we might develop pilot programs to gain a better understanding of new technologies or reach out to others who have implemented these technologies. And we work in partnership with vendors, engaging them early in our planning and implementation phases to ensure we get the best support.

Q: What difficulties did you face undertaking these efforts?
A: A critical issue is providing the right amount of information to employees, including the impact of a project and its justification. We engage employees early in projects to make sure that they understand the impact of new technologies on products, and to ensure they clearly understand the ultimate goals, strategy and direction of our business initiatives.

Q: Do you get enough support from your colleagues and bosses?
A: We have a wonderfully talented management team and skilled technology employees who are committed to serving our diverse customers and markets. We obviously work closely with one another and do everything we can to build and maintain a goal-oriented culture and supportive environment. The McGraw-Hill Companies has an extremely progressive and performance-focused environment dedicated to growth and achievement. It's fantastic to be a part of this team.

Q: What steps do you find integral in getting and maintaining such support?
A: Clear and effective communications with colleagues is a must. We continually are communicating timely information about important projects and processes.

Q: When you're undertaking various projects, do you have to work with managers of various business units?
A: Absolutely. The work we do impacts the entire company. We have colleague and team members located in offices all around the world. In our role, information risk management is about proactively communicating and providing information that provides our leading businesses with a clear understanding of the risks and benefits associated with a particular technology or product.

Q: Who do you report to?
A: I report to the chief information officer. Our goal is to utilize all the management controls we have in place to ensure that goals are met.

Organizational alignment will vary from business to business depending on the culture and requirements of each individual enterprise. No one organizational model fits all companies.

Q: What about budgetary needs?
A: It is essential to provide metrics so everyone understands the risks and benefits of the investment in risk mitigation. Without metrics, it is hard to measure improvements. Metrics form the basis of any improvement program and can provide valuable information about parts of your tactical plans that are functioning properly and those that need continued improvement.

Q: In regard to compliance demands, what are your priorities?
A: Since we have global operations, I have to be familiar with all compliance requirements across the corporation. Federal, regional and local governments are continually shifting the compliance landscape. Senior managers help me and our group stay abreast of evolving legislation, regulations and compliance issues.

We attempt to create enterprise policies as much as possible to ensure a consistent approach across the company to mitigate risk and protect privacy. However, we do review policies in instances where some clarification may be needed to ensure compliance.

Q: What specific projects are on tap?
A: Hardening our internal infrastructure by ensuring, for example, we have our anti-virus protections operating properly, continues to be a high priority for us, as well as securing intellectual property.

Q: What are some of the challenges you believe you and your counterparts at other companies face in the next year?
A: Heightening awareness among employees is an ongoing challenge.

Effectively dealing with the threat of the "mobile inside user" is also a significant challenge for most companies. Outside of our company, more than 7,000 malware exploits were reported in the first six months of last year, with over 2,000 new vulnerabilities reported during that time. For example, we are constantly working to identify and prevent potential threats that could be posed by an employee or contract worker with a laptop who connects to an unsecured outside network with the possibility of transporting a new exploit into our systems.

Q: Any advice on how to tackle these?
A: A simple solution to the mobile user problem does not exist, although a great number of technologies, such as network access control and limited user rights for desktop computers, are being developed.

Q: What are the policies and programs that enterprises should have in place?
A: Policies are absolutely necessary. Information security policies underpin the security and well-being of an organization. We have a number of technology-related corporate policies that apply to all employees, and we consistently take action to make sure employees understand and abide by these information security policies.

Q: What will these technologies involve in 2007 and beyond?
A: Complexity is the biggest obstacle to deploying a successful, proactive security solution. With multiple security components come challenges with integration, interoperability, management and frequent updates of software and threat signatures.

Connecting the various security components together to enforce a unified, synergistic, proactive security policy requires sophisticated expertise — a requirement that cannot be underestimated, since security vulnerabilities are often introduced through configuration errors. Maintaining the required level of technology expertise can quickly overwhelm any IT organization, unless strategies are aligned with business goals and those strategies are proactively carried out.

Q: What about policy/program updates in 2007 and beyond?
A: We are continuously updating and revising our policies, standards and guidelines to ensure they address current risks and are aligned with the goals of our businesses.

Q: What's your best advice when it comes to building a security program?
A: A security professional needs to combine business acumen and an understanding of technology to implement a common set of security services which will support all layers of a business. Insulating a company's business systems from the underlying security engines is a critical component of a sound long-term security plan. Along with planning, it is important to remember to continually raise employees' awareness of security risks in the online environment.

Taking a leadership role is another key element of a strong security program. I encourage security professionals to take a broader role within the IT organization and move toward encompassing risk management into their job descriptions. Information security professionals should speak up and clearly articulate security risks and the rationale for investing in new technologies to mitigate those threats. We have to become businessmen and women. We have to understand the role of risk and develop cohesive and comprehensive plans to address those risks, while making sure the organization understands our work. I think stronger security programs will result from greater focus on these issues, and that will benefit everyone.

Technology must-have

There are specific technologies that enterprises should already have in place to defend the network, Brixius says.

There needs to be a fundamental, multi-year investment in security as part of a company's overall "defense in depth" proactive posture. He stresses the proactive since the ability to eliminate a threat before it can harm a company's environment is a basic goal of security management.

His company's investments include:

  • Anti-virus;
  • Spam management;
  • Patching (both OS and products);
  • Principle of least privilege for the individual user on the desktop/laptop; and
  • Identity management.

On tap for the year

When asked what is in store for the upcoming year, McGraw-Hill CSO Thomas Brixius says the company has a very progressive agenda. He intends to focus the company on:

  • Increasing its privacy management;
  • Protecting its intellectual property;
  • Hardening of the enterprise; and
  • Assisting its businesses with meeting their security requirements and needs.

"To understand why intellectual property is high on our agenda, it's helpful to remember that The McGraw-Hill Companies is a leading global information services provider," he says. "The three major areas for our company — education, finance and information — have each been growing as a share of the economy over the last 15 years or so.

The growth in these sectors reflects a broader trend in the economy toward intangible investments.

"Businesses have been putting more and more of their resources in intangibles such as new product development, the building of brand equity and investment in human capital. This growth shows no signs of stopping. Creating valuable products and services in both financial and non-financial industries and building brand equity is what we do. And independent and objective information is what our customers have come to expect from us. As a result, we have to be vigilant about protecting our intellectual property."

The McGraw-Hill Companies addresses informational needs in the financial services, education, and business information markets through such well-known brands as Standard & Poor's, McGraw-Hill Education, BusinessWeek and J.D. Power and Associates. No wonder its sales reached $6.3 billion in 2006, resulting in a net income of $882.2 million for the year.

In 2006 alone, the corporation's total return to shareholders increased 33.5 percent compared with 15.8 percent for the S&P 500, continuing a long-term record of growth.— Illena Armstrong

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.