As the head of information security for organisations like Optus, AMP and Sydney Water in addition to serving as the VP of information risk management for one of the largest banking institutions, JPMorgan Chase, Frede has lived through the initial challenges of individual virus pests to today’s reality of organised security crime gangs and state-sponsored data theft.
Consequently, Frede is one of the information security (IS) professionals that has had to evolve his approach from basic perimeter security to an all-encompassing security strategy that stops the ever-increasing and more sophisticated threats of today.
How does a CISO respond to these threats? How does s/he ensure board members adequately understand the business risks that arise from IT security risks, and how can the CISO lead IT security policy at board level and demand appropriate budget to mitigate the major risks?
Frede shared his experiences about the challenges faced by the IS departments of today in an interview with ZDNet.
Krishan Sharma: As Head of Information Security, what are your most important goals and how do these help the business achieve its strategic objectives?
Stephen Frede: The most important goal for everyone in the business is to help the business achieve its strategic objectives. The CISO can help to shape the detail of specific initiatives, advising on appropriate IS controls to match an agreed level of risk. Essentially, improving the business through risk reduction. For example, I have advised on mobility strategy and the balance of controls and risk in that space.
I have also worked on a project that was using a specific cloud service and after conducting due diligence, it was found to have significant security vulnerabilities. Those were easily addressed once identified, but would almost certainly have been exploited had the project gone live without that review.
KS: How do you work with the board to ensure the company complies with IT security risk management regulations?
SF: Compliance and risk management are different approaches at the highest level, but once IS policy for the organisation is agreed, a common set of processes can be used. The board rarely wants or needs to understand the details around information security. My view is that they need to understand the high level risks well enough that they can set the organisation's appetite for those risks. It's the job of management to then execute accordingly.
KS: Can you give us an overview of the security processes that help achieve this?
SF: An information security governance framework, including IS steering committee and IS policies ensure that appropriate processes are in place. The most important process is continual improvement, to allow rapid adaptation to new technologies and changing business needs, and to address existing control gaps. Once you have that in place, you can leverage that process to develop or improve everything else.
An IS calendar and risk register are used to manage regular and one-off IS activities. An important regular activity is awareness — policy by itself is useless unless people understand it and its implications for them. IS processes need to be integrated with other processes such as project delivery methodology and working with third parties.
KS: How do you work out the balance between addressing security-related business issues and ensuring the technology team can work with scarce resources to repel growing threats?
SF: Every business will already have processes to allocate and manage regular operational budgets and capital expenditure. You need the skills to make a good case for those resources, and also the skills to implement the required controls as efficiently as possible. Both threats and available controls can change rapidly with technology, so it's important to understand that technology well.
An approach I have sometimes used is to combine an information security initiative with other IT initiatives to gather widespread support. For example, an asset management initiative can provide a good internal IS control (you need to know what you have in order to protect it), but also helps a wide range of IT areas and was widely supported. Similarly, web application firewall (WAF) infrastructure can provide a good control on existing web services, but can also reduce the risk of deploying mobile apps that need to communicate to your corporate network using web services — so it's an enabler for those mobile apps.
KS: How do you work out the balance between risk and expenditure?
SF: Organisations will usually have mechanisms to help quantify risk, but it still often comes down to a judgement call. Make that call as informed as possible, which means understanding related project and infrastructure plans.
For example, if you are upgrading a firewall, sizing it too large is obviously wasteful, but with an increase in both mobile and cloud projects, internet bandwidth is likely to increase at a faster rate in future than it has previously. Some cloud solutions, such as Office365, can present challenges for IP-only firewalls, so firewalls that handle domain-based rules may be required. These type of firewalls are likely to have additional security functionality that you may not have been able to justify based on risk alone.
KS: How do you get the board and other executives to understand what security risks need to be prioritised and what the risks really are?
SF: Start by building up a basic high level awareness of IS concepts, perhaps through regular scorecard reporting. Once that is in place, specific presentations can highlight risks.
You may need to start with lower levels of management and work your way up to the exec and the board, depending on where you are placed in the organisation. It can be worthwhile to get individuals, such as division heads, onside prior to an exec presentation, especially if you are asking for something. If your presentation needs to be approved by other layers of management, make sure you work with them up front so that they are on board with the message you are giving.
Specific examples of recent breaches in similar organisations can be very powerful, but make sure your message is not just spreading FUD (Fear, Uncertainty and Doubt). Organisations face all sorts of risk and the reality is that an information security breach, while bad, may not be as important as other types of risk, such as safety.
Work with the risk team to use the risk framework the executive are used to seeing, and make sure risks are assessed accurately.
KS: What sorts of questions should the CEO, board, and business executives be asking security leaders?
SF: As they see events in the media, they are likely to ask about those specific events as they relate to the organisation. Use those peaks of interest to talk about and introduce the wider framework of information security, including maturity or other dashboard metrics if you can. The questions they should be asking are along the lines of governance, capability, maturity, and readiness to respond to an incident. Without a good governance framework, the best infrastructure can fall apart very quickly.
KS: What questions do you ask yourself as the Head of Information Security?
SF: It’s really easy to get caught up in the technical implementation and operation of controls. It's really important to regularly take a step back and question whether some of the basic approaches are right. Is the governance framework working? Are the right stakeholders engaged? Are our policies being followed, and if not, what changes should be made? What's the total cost of ownership and return on investment for our IS controls?
Part of the cost of a control is how much it impedes the organisation. The underlying reason for controls should be reviewed regularly.
KS: Where in the organisation should a Head of IS role fit? Should they report to the CIO or be an equal or perhaps above the CIO?
SF: This varies hugely between organisations. Being outside IT, often in the risk area, means you have more independence, but have to work much harder at building relationships with IT practitioners. That can work in a large organisation where there is still a separate IS team within IT.
Having an IS team within IT, reporting to the CIO, has huge benefits in working directly with other IT teams, rather than being treated as an outsider, like internal audit. You are much more likely to genuinely understand real risks. I don't see that being above the CIO is realistic or beneficial in most organisations. Another model that doesn't work is having no dedicated IS function at all, spreading IS responsibilities across other areas with primarily non-IS functions. For any medium to large organisation, you need a dedicated head of IS.
KS: How do you address conflicts between enabling new capabilities and opening up potential security risks?
SF: The obvious example is that of mobile and cloud solutions. There is an increasing array of niche cloud solutions available that are very easy to implement.
It can be tempting for parts of the organisation outside IT to take up these solutions without going through the often slow IT engagement process. Some of these solutions are very secure, but I have seen a lot that have gaping holes. Just because a solution uses a secure infrastructure provider like AWS, Google, or Microsoft does not make that solution itself secure. So you have to do a security assessment. But it doesn't have to be slow and expensive. I use a tiered approach where a very fast high level set of questions establishes the basic level of risk. From there, further detailed assessment can be done where it's needed.
KS: As Head of IS, how have you had to adapt to the prevalence of cloud adoption and, in your opinion, what are the main security challenges with such services?
SF: The prevalence of cloud services does introduce a new set of challenges. It makes it easy for parts of the organisation to establish services quickly without going through the normal information security processes that are a part of IT projects.
The other side is that with very good cloud infrastructure available, it is quick and easy for a provider to establish a cloud service. They may have the best of intentions, but I have found significant security issues with a number of these providers.
Put together a relatively new startup, expert in their particular area, with a part of the business that is interested in, and probably knowledgeable about, that area, and they don't see the need to be slowed down by engaging IT. To address this, the information security team needs to ensure that all parts of the business are aware that IS assessments are necessary for all cloud engagements. But the IS team also needs to make sure that those assessments are as efficient as possible.
One thing that can really help, but that I rarely see, is if the cloud service provider undertakes an independent third party assessment themselves. Most IS teams would be happy to use such an assessment, as long as the scope was reasonable. If the cloud service provider hasn't done one, then another option is to agree with them to split the cost and allow them to use the result. Or depending on how much leverage you have, just state it as a requirement.
Depending on the nature of the service, another possibility can be to ensure that the service provider contractually wears the risk of an information security incident, or states in their contract that they have appropriate IS controls in place. That may not be enough if the organisation's reputation could suffer as a result.
KS: How does the approach to information security differ across industries?
SF: Financial services organisations in Australia typically have more IS related compliance obligations than other companies. But the overall approach to IS depends more on the organisational structure and the culture of the organisation than the market segment. Of course, there are significant technical differences between telco, utility, and financial services organisations, but the overall approach to IS can be similar.
In every case there will be parts of the organisation outside IT that have significant IS risks and the IS framework, including governance, awareness and continual improvement, needs to address that.
KS: How do the security challenges and associated processes compare when working for a multinational?
SF: A multinational organisation like JPMorgan Chase has a much more diverse range of compliance issues — each country has different regulations. Naturally, it is more efficient to centralise IT systems wherever possible, but this often means those systems must comply with the regulations for every country that uses that system. Australia has few IS specific regulations and those are mainly phrased in terms of "reasonable" or "appropriate" levels of security, whereas other countries may have more prescriptive controls in some areas — the US Sarbanes Oxley requirements being a notable case in point.
This is changing somewhat with the introduction of PCI-DSS, Payment Card Industry Data Security Standard, which is not a regulation but applies to all companies that take credit card payments. Privacy laws are also becoming more uniform across countries.
But overall, one of the biggest differences is simply in terms of scale — the larger the organisation, the more mature and structured their IS control framework is likely to be.
KS: Can information security be an enabler of business, and not an inhibitor?
Business stakeholders have always perceived information security as a compliance burden and Frede says that despite the streamlined processes in place for IS reviews, this notion is unlikely to change.
It would be simplistic to say that we don’t slow you down but there is always going to be an overhead.
In an ideal world it would be nice to say that we didn't. But the reality is we do and we have to — it's the cost of doing business.