Last week, we interviewed Brian Engle, the Chief Information Security Officer and Cybersecurity Coordinator for the State of Texas, and discussed with him the importance of communication in shaping cybersecurity as an ongoing management concern that businesses everywhere need to appreciate. As part of our ongoing “The Voice of the CISO” series, we now interview Robb Reck, an Information Security and Risk professional who currently serves as Vice President and Chief Information Security Officer for Pulte Financial Services and is the acting Vice President of the Denver chapter of ISSA. Tripwire: What are your business priorities, and how do they relate them to your cyber security efforts? Reck: As information security professionals, it is our obligation to learn the language of business. That is our foremost priority, even if it is not exactly common knowledge. In today’s industry, we know that there are many individuals who are well versed in security but who do not understand business, and that is the wrong way to go about it. First, we must become experts in understanding our business’s strategy; we must familiarize ourselves with the drivers and success criteria that define our business’s mission. Once we understand those factors, we can then build a security plan around those stated goals. T: In your opinion, what is the single most important component in cyber security success? R: The single most important component to cyber security success is developing a risk culture where people think about security as a risk decision and not as a “yes/no,” “pass/fail” binary. That shift in thought is generally not easy for security people. But in business, we have to understand that hardly anything is black and white. For instance, if a company needs to bring in a third-party to review their compliance with respect to a certain regulation, the Board of Directors needs to not only weigh the costs of hiring one company over another, but they also have to judge whether a specific candidate will do the proper due diligence when analyzing their data and controls. None of these decisions are easy to make. However, once we understand the risks inherent in making these decisions, we can approach each choice with better information and greater care. Ultimately, cyber security success depends on how much responsibility we take for our decisions. And part of that is our ability to understand risk, not to mention exploring how security and risk interact. T: How does cybersecurity effectively align to the business? R: Security is integrally tied to the business because at the end of the day everyone acts according to self-interest. What executive wouldn’t worry about how a cyber attack might affect their business—or their job—after hearing that Target fired its CEO following the 2013 breach? People are self-interested, and they don’t want a breach on their records. But it’s more complicated than that. In order to adequately implement a security program, they need to understand what’s important for their business and what the security implications are for each decision they make. T: How literate are your executives about cyber security, and how does it affect how you communicate with them? R: My executives are well versed in risk vs. reward, though they have not incorporated a security component into that metric too often in the past. However, that is beginning to change. Over the last year, the Board of Directors has begun asking for security briefings, and the executives below them have begun to show an interest in understanding the language of security and what my security teams are doing. This allows me to go deeper into the security side of things, which would not have been possible before. What we’re seeing is the effect Target and all of these high-profile cyber attacks have had on the way in which companies view security. The most recent example is Sony, which demonstrated that security incidents can threaten business assets besides financial data. With intellectual property at stake, business executives need to start paying attention, and that’s what I’m beginning to see happen. T: What questions do you get asked, and how often? Are you confident in responding to them? R: In my business, I frequently am asked “Are we secure?” This question implies a limited understanding of security on the part of the individual who asks it, for it revisits security as a “yes/no” binary. Echoing what I stated earlier, security is a thing you do and not a thing you have. It is a journey, not a destination. I therefore focus on making progress; I’m always working to make my business more secure. With this in mind, a better question to ask would be, “Are we managing our risks appropriately?” To this, I would answer conservatively. And I should. After all, there’s so much out there, and there’s a lot more to be done. If the NSA is able to penetrate all of these high-profile tech giants, there’s nothing that can prevent it from doing the same to my business. In light of rest of my industry, I can answer in the affirmative, but I would still like our progress to be moving faster. T: Which departments do you work with to accomplish your goals? R: I work with the GC, CFO, CEO, COO, and all of their key lieutenants who do the work. Success in business is directly influenced by the amount of personal capital and trust you establish with others, so I try to maintain great relationships with all areas of the company. A few allies merit specific mention, however. Throughout the years, I have found the best ally in shaping my business’s risk management conversation to be the legal team. They understand liability, due care, and risk. Sure, they have a limited understanding of security, but they readily respect it as a concept. Another ally has been my business’s privacy and security board, a partnership of sorts that acts as the communication vessel to and from security for the business. Non-security people sit in with me on meetings, during which I brief them on my team’s work, discuss the security impact of different decisions, and ask for their opinion on risk management and business priorities. They then go back to their teams and sell my security message, an exchange which provides me with excellent feedback regarding how effectively my security plans are sticking. T: What does your business look like in three years, and what are you doing to prepare for that? R: I cannot comment on that directly. What I can say is that in my business, an architecture committee meets four times a year to discuss business strategy. It is made of a business priorities architect, an application development architect, an infrastructure architect, and myself as a security architect. Together, we discuss where we would like the business to go based on a number of assumptions, which oftentimes includes operating on the same business model for the next five years and continuing to service customers from a particular standpoint. Security is an integral part of this process, but it does not constitute all of it. At the end of each meeting, we take our results and feed them back to the executive team. T: Do you think anyone in particular is doing cyber security right in today’s world and why? R: Everyone could be doing more, but the ones who are doing it the best are approaching security from a risk-management perspective. This involves roping in key stakeholders and making sure they are aware of the risks, as well as ensuring that a strong financial commitment supports wise investment. As we should all know by now, cyber security is more than just buying tools. That has never gotten teams much bang for their buck, and it never will.
