How MacLean sees other security issues

Feb 20, 2006 | 5 mins
IT Leadership, Networking, Security

Security expert Rhonda MacLean answers more questions about subjects she knows best.

Here is how Rhonda MacLean views a number of other security-related issues:

On where enterprises stand in establishing shared responsibility for security:

There is a lot of work going on in the standards community. There’s a lot of negotiation and cross-border talks about policy. We have a variety of privacy policies in the United States. And [privacy policies] vary in the European countries. So what a company is trying to manage can be very complex. There’s a lot of dialogue going on with a lot of groups; that needs to continue. Discussions among the U.S. government and other global organizations are happening, but need to be accelerated.

But industry needs to get very involved. This is about being able to do business. I don’t want to shortchange the policymakers in any way, but it’s really that public/private partnership that’s really got to take hold. And I know that there’s a lot of good work being done there, but my concern is how quickly can they do it to realize the full potential.

On investing in risk management:

Often, the investments in risk management happen as a result of an event, so it’s an event-based economic model. . . . But your [risk-management] profile can change based on the way you’re doing business. Have you started using a lot of open source? You need to be able to look at your organization, the process flows, the mechanisms you’re doing your business with. That’s where you can get innovative and look at the tools, the processes that are going to help you perform and establish an optimal risk-management approach.

On the evolving role of chief information security officer (CISO):

The new breed of CISO has to know the business, has to ask the questions, has to be at the table and has to be focused on how to enable the sharing of sensitive information and to [enable collaboration about] information.

This hasn’t happened overnight; it’s been coming. CIOs have been business savvy for a long time, right? Now it’s the same thing for CISOs – absolutely the same thing. I don’t know how, without understanding the business and service objectives and the view of the world from the customer’s eyes, [a CISO] could provide effective leadership.

On the adequacy of today’s security tools relative to new data-center architectures:

There are a lot of tools available, but think about this analogy. Today when you drive a car, OK, you’ve got seat belts. The car industry has matured – we didn’t even used to have seat belts, right? And now you wouldn’t even think about driving a car that didn’t have airbags, let alone now side airbags.

[Carmakers] found that customers really wanted safety, and so they provided it. It doesn’t mean that you might not get in an accident and get hurt, or maybe even really hurt. But it does mean that, knowing there’s risk out there, you’ve tried to put adequate controls in place to minimize the risk if there’s a problem.

There are always going to be security problems. That’s just not going to go away. So [picking security tools] is about being reasonable. It’s about doing what you can to protect, and making sound judgments. It’s a shared responsibility. If you disable your airbag, you’re going to get hurt a lot worse. This is about expectations and understanding too that you, as the driver, have some responsibility for your safety.

Companies that deliver products and services are getting this, more so than actual end users. End users just often don’t have the sophistication or the knowledge.

On determining security staffing requirements:

This is about forecasting, just as you would for any other discipline. If you have large databases that need to be managed, you estimate how many [database administrators] you’re going to need. If you’re going to have a lot of switches and network components, you’re going to know, based on some facts and data, how many network operations people you need. The same kind of estimating needs to go into how many security professionals are needed.

But, more importantly, this is about determining the skill sets needed.

I am a big believer that you mix specialized people who have very in-depth knowledge in the areas of security and resiliency hand in hand with other disciplines and generalists. I need the database administrators to be security aware, but I may need a resource there to advise them, because they’re worrying about database optimization where a security specialist will worry about vulnerabilities and threats to that data.

I retired from Bank of America, and having had great operational experience [there] and at Boeing before that, I wanted to do something different and fun and have a lot of variety. . . . I’m getting to do some exciting things around strategy [and positioning] – getting companies to think, ‘What do we need to be investing in? How do we position ourselves? What are the elements we need to think about for operational risk management?’ I try to help companies really think about their risk appetites . . . to understand their customers and partners . . . and to think about the best solution for them.

I’m also still very involved with policy issues. One of my retainers, Carnegie Mellon University’s CyLab, helps bridge the gap [between the public and private sector] on what’s needed in research and policy, and gets people out there who are trained in this discipline. That’s exciting, because it will have a lot of strategic influence.