Three chief information security officers of Iowa companies spoke to cybersecurity professionals during Pratum’s Secure Iowa conference on Sept. 21 about the role of a CISO and their approaches to making information security decisions.
Speakers included:
Meg Anderson, CISO, Principal Financial Group.
James Johnson, CISO, John Deere.
Ben Schmitt, CISO, Mary Greeley Medical Center.
Here are three takeaways from the panel’s discussion.
Security as a business issue
As information security becomes a daily topic for business leaders, the panelists touched on ways that security has become an integrated part of businesses.
Meg Anderson said her first step as Principal’s CISO in 2008 was asking open-ended questions of its shared services team leaders to understand how the security team had interacted with them up to that point.
“I would encourage you to expand beyond that and go out to your business leadership, ask similar questions because at the time security was much more technical than it is now,” Anderson said. “It’s a business problem. It’s a business risk, so go into the business and talk to them a little bit about the interactions they have with security. You will learn are they having the interactions that you thought they were or thought they should? You will learn how those interactions are going and you will get a laundry list for what work do we have ahead of us. What’s the culture here?”
Ben Schmitt echoed Anderson’s point that understanding the business is crucial; he recently started his first CISO role and moved into health care from another industry.
“It’d be really fun to find some flaws and start attacking them and make changes, and putting tickets in and start driving change, but being a change agent day one [won’t work]. You gotta learn the business,” Schmitt said. “I have a clinical mentor, which is really important to have to learn the business. What is the patient experience? We all protect data confidentiality, integrity and availability, so you have to find out how does that factor into business goals?”
He also said while new technology and products are interesting and good to keep in mind, a business’s security team should primarily focus on efforts that “move the needle on business outcomes.”
Anderson added that one of her frustrations is that sometimes employees on other teams don’t know the security team’s goals.
“I’m frustrated because they don’t understand where those things really come from and what outcome we’re seeking for our customers,” she said. “We’re in the business of making sure there’s financial security for people. It’s not about following security’s rules, so that they can check a box on whatever it is they happen to be doing. … It’s really about the outcome that we’re seeking for our customers. Drawing people back to that mission is a mission that I’m on to help them understand. We’re setting those things out on behalf of the organization.”
Adapting the CISO role to a small business
The panelists are all CISOs for larger businesses, so moderator David Cotton with Pratum asked how smaller businesses can approach information security.
“To me, this gets back to the fundamentals of security in general,” Johnson said. “It’s all about talent so if you don’t have someone to implement and drive a program you’re not going to succeed no matter how much technology or tools you buy. I would figure out who you can invest in and then truly appreciate that investment so they stick around. Do the fundamentals well, so basic controls, basic maintenance, patching — these things are simple. … The last thing I’d tell you is get involved in the community and figure out who you can leverage around the area to help you, give you advice. Find some trusted advisers to help you see the forest from the trees and other things that are happening.”
Anderson said Principal is a member of the Cyber Readiness Institute, a nonprofit that provides free training and resources to small and medium-sized businesses, to help ensure its customers are secure. The federal Cybersecurity and Infrastructure Security Agency also offers a selection of free services, she said.
‘When nothing happens, it’s a good day’
“Early in my career I sent an email to senior management and the subject was ‘What didn’t happen today,’” Anderson said. “I’m just really proud of that email because it’s about the team and acknowledging their work and what they do because they are defending us. … Our senior management knew that we did the job of defending Principal — they don’t necessarily know how often we actually see something coming in and we block it, and that was a big deal. … When nothing happens, it’s a good day, but nobody knows nothing happened. They assume nothing’s going to happen.”