CSOs need to keep evolving, CA security exec says

This is a transcript of a keynote address presented at the RSA Conference on Thursday by Dave Hansen, corporate senior vice president and general manager for CA’s Security Management Business Unit. The address is titled: “Strategic Security: The Evolving Role of the Security Professional.”

This is a transcript of a keynote address presented at the RSA Conference on Thursday byCA’s Security Management Business Unit. The address is titled: “Strategic Security: The Evolving Role of the Security Professional.”Good afternoon.

Dave Hansen, corporate senior vice president and general manager for

Today, I am going to talk about security, but more specifically, I am going to explore the evolving role of the security professional.

In some organizations the senior security person is called the Chief Security Officer. Other companies use different titles – Vice President, Enterprise Security; CISO (chief information security officer); VP Security & Compliance, and so on. To keep things simple today, I am going to talk about the CSO, but please understand that my focus is on the senior-most security professional, no matter what title that role carries in your organization.

As everyone here knows, the job is changing. Not in quiet, imperceptible ways, but in ways that are loud, visible and meaningful.

When the role of Chief Security Officer emerged as a defined position, the common perception was that the role was akin to a corporate cop – on patrol within the organization to slap wrists when somebody broke the rules. Nobody really thought the cop was necessary, so, generally the position didn’t get a great deal of respect.

But that’s changed. In today’s well-run enterprises, the CSO is more visible, has more authority – and more responsibility. No longer merely an enforcer of security protocol, the CSO works with the CIO, CFO and other C-Suite executives as a business enabler, a strategist, and a security evangelist who helps the organization recognize the need to embed secure practices in every facet of the business.

So what has brought about this change? And, how will the role of the CSO continue to evolve?

Let’s start at the beginning – with why this job became necessary in the first place.

Connectivity was the catalyst.

The rise of the Internet and the proliferation of mobile devices enabled even small companies to extend their reach beyond traditional physical boundaries to create virtual businesses and execute transactions globally and instantaneously.

Suddenly, because information was now flowing outside closed, highly secured environments, confidential business-critical data was at risk like never before.

And organizations recognized that since they had to operate in this extended world to remain competitive, there was a need for greater security and for someone to take ownership of the issue within the organization.

As time went by and technology raced ahead, security issues grew more complex and more pressing. For most businesses an Internet presence and the ability to quickly transact business online became not merely an attractive option, but rather a business necessity.

Consequently, technology and the availability of IT infrastructures became critical not just for business success, but also for business survival.

As if the burden of responsibility on CSOs wasn’t heavy enough, the rise of privacy and security regulation, including Sarbanes-Oxley (SOX) and the security standards of the Health Insurance Portability and Accountability Act (HIPAA), imposed a wide range of responsibilities and demands on companies to verify and safeguard data.

Regulators assigned full responsibility for data protection to Boards of Directors and C-Suite executives. The assignment of responsibility to the highest levels of the corporation clearly indicated its importance.

Naturally, they turned up the heat in the CSO’s office. With these changes, the CSO acquired more clout in the organization.

But as business objectives and security imperatives converge, the role of the CSO has continued to transform – and it is this convergence that will continue to drive the evolution of the role.

Here’s what I mean.

Today, the necessity of secure transactions and relationships among the organization and its employees, customers, partners and vendors is a given.

The CSO must ensure that the organization is fully and securely Web-enabled and that business applications are automated so that the organization can transact and compete better than before – on a global scale.

Take the financial services industry for example, where IT is not only important to the business, increasingly IT is the business – it’s all about the digital representation of currencies. In that environment, security can never be an afterthought. It must be integral to every aspect of the business.

As a consequence of this convergence, the whole definition of security within the context of IT has changed.

Security is now not merely about keeping bad guys out and locking up data. It’s about enabling business – it’s about protecting the organization, while reducing costs, driving efficiencies and enabling growth. And that requires a 360-degree view of security.

So if the CSO arrived in the organization as a cop, what’s the analogy today? I would say that we’ve moved away from the enforcement paradigm and into something much more nuanced and sophisticated.

The CSO today is a business leader – with technological expertise.

To have a 360-degree view of security, today’s CSO must have a 360-degree view of the organization and understand how IT systems translate into business services. The CSO must understand the organization’s business priorities and must be thinking about how IT can align with those priorities.

At the same time, the CSO always must be balancing technical protection requirements with business value and scrutinizing any business action that threatens to compromise security.

There’s a lot of debate about to whom the CSO should report. Some favor having the position report to the Audit Committee of the Board of Directors. Some say it should be the office of the Chief Counsel. Others say the CIO or even the CEO.

Certainly, I would agree that with so much riding on the function, having the CSO buried deep in the organization no longer makes sense. But where exactly the CSO reports is less important than ensuring that the CSO is working closely with the organizations senior leaders. Security demands an executive voice with the appropriate degrees of insight and muscle behind it.

I am sure that all of you work in organizations that recognize and value the role of the CSO. But I know that there are still a few Chief Information Officers that haven’t engaged their CSOs on a strategic level. 

Here’s what I mean… [shows video clip]

Now let me point out that I am not CA’s Chief Security Officer.

What you saw there was acting.

Our CSO is here today. His name is Bill Taub. When I was CIO, I knew exactly where he sat. And our current CIO, Steve Savage, does too.

The point of the film was simply to underscore that as Chief Information Officers have assumed a strategic role within many businesses, they increasingly look to the CSO to contribute to driving business value. (Read related story, “Are CIOs losing their mojo?“)

Having been the company’s CIO before taking over CA’s security business, I know about the pressure coming from the CIO.

I know what it’s like to have the Board, the CEO, auditors, regulators, and everyone with whom our company interacts relying on the CIO to ensure the integrity of our entire enterprise infrastructure, our applications, our data and our employees’ private information.

Consider the burdens on today’s CIO and CSO:

The need for continuous compliance can be labor-intensive. Without automation, the need to meet compliance requirements becomes a recurring nightmare – “Groundhog Day” for the CSO.

Help desk overload is a huge problem for many organizations – and a large percentage of the requests involve forgotten passwords.

As the demands on IT grow, administrative costs mount.

Large organizations with hundreds or thousands of employees face the challenge of managing identities. When people exit the company, their accounts need to be immediately terminated. Otherwise, ghost accounts live on in the system, creating vulnerabilities.

A similar problem arises when an employee stays with the company for an extended period and moves through a number of different jobs in different departments. If the employee’s identity is not properly managed, he can acquire a variety of privileges – including access to data – that could threaten the separation of duties required under governance regulations.

Managing employees in the system has always been an issue. But today’s organizations interact with a wide variety of constituents, including customers, vendors and partners. As IT extends beyond the enterprise, the number and variety of identities to be managed increases exponentially.

Internal and external auditors demand that an organization be able to control its IT systems and access to private data – and auditors are indifferent to the costs associated with these requirements.

Finally, a security breach can spell disaster for an organization. Every day we read about another company facing a storm of negative publicity as a result of its inability to protect confidential data. Just a few weeks ago it was reported that more than 4 million credit card and debit card numbers were stolen by hackers from two U.S. grocery store chains.

No CEO wants to read about his company in stories like that. And, no consumer will want to go to a place where buying a quart of milk will end in an identity theft.

By implementing Identity and Access Management, the CSO can address all these issues and:

• Reduce costs.

• Improve productivity by automating processes.

• Enhance security by creating centralized enforced policies regarding access.

• Ensure compliance by implementing strong internal controls while enabling auditing and monitoring.

• Enable business.

Enabling business is what strategic security is all about.

Right now, 46% of CSOs spend up to a third of their day just analyzing security event reports. That’s not the way to maximize value to the organization – and it needs to change.

A comprehensive, modular, integrated and scalable Identity and Access Management (IAM) solution will free up time and resources for strategic initiatives.

Let me talk for a few minutes on how we see IAM at CA.

The IAM solution must offer broad coverage across applications and platforms, including legacy, distributed and Web environments.

To be more strategic there are a whole host of security processes and functions that must be automated. You must find technology solutions to resolve every one of these issues, because the alternative is unacceptable. A CSO cannot afford to become bogged down in managing passwords. That’s not an effective use of time and resources.

Instead, the CSO should be deeply engaged in understanding the lines of business and devising ways to use security to increase efficiency and drive profitable growth.

That’s what strategic security is all about.

At the same time, an IAM solution that offers automation, controls and proof of controls enables continuous and sustainable regulatory compliance.

Automation and the centralization of identity management drives down costs and improves efficiency.

Finally, business performance improves because you can be more responsive to competition and the experience of your customers and partners is vastly strengthened.

As companies migrate to software-as-a-service, the demands on the CSO will continue to evolve. Greater agility in responding to customer needs will be essential and an ever deeper interaction with the business will be the norm.

Let me show you how this can work in a real world situation…

Customer case history

We all know MasterCard. Some of us couldn’t get through the day without it. MasterCard Worldwide is a CA client.

With over $3 billion in revenue, MasterCard relies on a complex IT environment to enable its financial services business, running mainframes, large Unix server farms, HP NonStop servers, Microsoft Windows servers and a wide variety of Web servers.

Tom Compas, MasterCard’s senior security professional, notes that the company faced a huge security challenge: its 5,000-person staff equated to about 200,000 discreet identities across the organization in different systems. There was no single, automated process for managing them. The company was using everything from homegrown workflow systems to specialized access databases.

“The population of our internal IDs was growing by approximately 30% a year,” Compas said. “We had to simplify and automate to keep pace with business dynamics.”

That’s where CA came in. By using CA Identity Manager, the company went to a role-based access control model, which reduced complexity.

But that’s not where the benefits ended. Even more important, according to Compas, was increased responsiveness. Whereas it used to take about 10 days to provision a new employee with full access privileges, automation closed that timeframe down to about a day. Just as critical, when an employee leaves the company an automatic feed to Human Resources, enables access to be removed immediately – eliminating a potentially serious security risk.

Now the company’s HR system is being used as a single authoritative record of employee status and information, which streamlines processes by allowing IT to work with HR to ensure accuracy of data.

With greater provisioning efficiency and automation, MasterCard is in a stronger position to ensure compliance – an important consideration in the highly regulated financial services sector.

Customer satisfaction has increased dramatically. The identity management team is getting rave reviews from all levels of management – new employees are able to be productive from day one. And that’s a big plus.

This project worked because MasterCard’s Compas understood the responsibilities of a security leader within the organization. He understood that his job was to get people to rethink how the company managed identities.

“For this project to succeed,” he said, “it was just as much about the business process change as it was about the technology. This project required a tremendous focus on education and explaining the reasons why we were doing this. We had to demonstrate the benefits of the program to the organization as a whole.”

That’s a key point, particularly in an IT deployment of this scale and complexity – essentially on par with any large-scale ERP implementation. To ensure that the project stayed on track and sustained the support of the company’s management, Compas created a cross-functional governance team with representation from all key stakeholders. The team not only guided the project, it also kept all involved parties informed and updated as work progressed.

The result was that Compas achieved his objectives:

• The project delivered value quickly.

• Provisioning time sped up 10-fold.

• Line managers are empowered to take responsibility for access management.

• No heavy administrative burden was added.

This is what strategic security is all about.

At CA, we’ve given a great deal of thought to how the CSO’s role will change as we build Enterprise IT Management, our vision for transforming the way the world manages IT.

Our vision is built around the three IT management functions of IT Governance, Management and Security.

The CSO has an important role to play. In an Enterprise IT Management environment, the CSO is not simply an enforcer of polices and procedures, but rather a key architect in designing an IT environment that will take an organization to the next level of business success.

Let me explain a bit more on what I mean. IT organizations used to be viewed as tactical necessities and cost centers. Poorly managed ones still are. By contrast, a sound IT organization functions as a strategic line of business and a core contributor to corporate success.

The CSO’s role is elevated. To ensure that level of success, it is not enough to reduce risk and cost or to improve service; IT must be managed as a business and must coordinate with the lines of business. It must incorporate disciplined budget and capital-allocation processes, it must align the portfolio of projects with strategic corporate needs, and it must strive to provide business services that are ever more cost-effective.

At each step, IT processes must be secured. In this vision security is never an after-thought; it is part of the essential DNA of the IT environment.

I showed you a film earlier. It was supposed to be funny. But it was also intended to make a point. If you’re a CIO and you don’t know where your Chief Security Officer sits, you’re probably missing a critical component in your strategic planning.

And if you’re a CSO you need to ensure that:

1. You are serving as a security strategist in the organization. Don’t allow yourself to be consumed by the day-to-day tactical demands of the job. Build a strong team so that you can deliver value to the C-suite.

2. Increase your visibility within the organization.

3. Achieve items one and two by communicating. If security is to become part of the fabric of the organization, your voice must be heard on a wide variety of issues at critical phases in the business strategy process.

An effective enterprise simply cannot exist unless governance, management and security are at the core.

In short, there should be no mystery about where the Chief Security Officer is – because the CSO will have a seat at the table whenever strategic decisions are made.

To view a video of the address, go here.