Notes from the Expo Floor
Managing Security Risk, the CSO Panel at RSA
Brian Kirk
MAR 07, 2013 13:05 PM


What does a CSO do all day?

Chief Security Officers, by their nature, have a tall order in today’s world. From managing teams to managing information, their world may seem like a mix of war room and board room to those of us on the outside. At this year’s RSA, Gary McGraw, Cigital’s CTO, moderated a discussion on how CSOs manage security risk. The panel, sponsored by IEEE Security & Privacy, and featuring Eric Grosse (Vice President, Security Engineering at Google), Gary Warzala (CISO, Visa), Jason Witty (CISO, US Bank), and Howard Schmidt (former Presidential Cyber-coordinator), entertained as much as it enlightened the packed room.

Of course, it's hard not to entertain when your moderator has a lightsaber.

The panel began with the seemingly innocuous question:

“What does a CSO do?”

Eric Grosse stated that in order to know what he can fix, he has to:

  • Know the team (and the larger team): hiring the right people and making sure they are deployed in the correct roles
  • Know the adversary: who may attack, how they might attack
  • Know who/what is being protected: identifying the important aspects (technology and users)
  • Know the technology: verifying the proper access controls

Howard Schmidt spoke of the past, present, and future areas that impact his day-to-day routine:

  • Legacy problems (old systems, old tech)
  • Reviewing Infosec news sources and monitoring day-to-day patching and maintenance (BYOD, etc.)
  • Building for the future (evangelizing Infosec, interacting with IT-ISAC, US CERT, and other external sources)

Gary Warzala stressed the four necessary approaches to his job:

  • Communication (across all levels of the organization)
  • Assessment (specifically of the company’s ability to react to a threat, perceived or otherwise)
  • Leadership (especially for the high-performing teams)
  • Planning (preparing and expecting desired results and making sure that all required steps to achieve those goals are in place)

Jason Witty stressed that risk management is in fact revenue protection, delivered by:

  • Providing board accountability
  • Digesting intelligence
  • Removing roadblocks
  • Mentoring managers to become leaders

McGraw followed this introductory period with six driving questions, breaking down specific aspects of a CSO’s responsibilities. While there were some discussions and disagreements, for the sake of brevity, here are some of the highlights.

#1: Measuring Risk

How do CSOs measure risk? Should risk management be driven by compliance only, or do technologies and vulnerabilities discovered in the field impact those decisions? While some companies might be able to quantify risk, Grosse spoke of Google’s perspective that security isn’t as much an ROI problem as it is an existential risk to the fundamentals of the company. This philosophical precept probably impacts some of Google’s processes (specifically their bug bounty program). Witty continued, suggesting that security professionals too often “speak Klingon to Captain Kirk,” and that understanding the fundamental concept of how revenue protection is integral to risk management can put the rest of that into proper perspective.

#2: Business Interactions

How should the security function interact with business executives? Who should care about security? There was a rough consensus, echoing Witty's earlier point, that security knowledge isn't there to bring in more revenue; it should be an obvious and fundamental concept. Both he and Warzala spoke of the importance of communicating those concepts across all levels of the organization, getting buy-in from others so that they recognize the importance of all aspects of security.

#3: Tools in use

Are there tools that CSOs find useful in their work? The first reaction was that the problem isn’t really a technology or tool problem; instead it is a people and process issue. For Grosse, it’s more about enabling collaborative processes (insert his somewhat shameless but relevant plug for Google Hangouts here), transforming the problem from “what tool can fix this problem for me?” to “how can I work more efficiently with others to tackle this problem?” Schmidt was the only person on the panel who had seen the usefulness of dashboards in his daily work, but realistically, dealing with the cyber-concerns of America (and much of the world) probably caused some of that reliance on curating and contextualizing massive amounts of data.

#4: People

How does a CSO find and retain good security people? A fascinating discussion started about how security people were the digital “first-responders,” running to fires, as opposed to running away. Understanding that mindset is a fundamental step in approaching and recruiting those people (although Warzala did mention that his recruiter was the best recruiter in the country). Continuing the fire-fighting metaphor, Schmidt stressed that with fires, eventually building codes, sprinkler systems, and fire departments were brought in. Grosse reminded him that even after all of those developments, some people still liked to pour water on the fires.

#5: Return on Security Investment

How does one figure out what levels of investment to make in securing the enterprise? Is ROSI real or nonsense? While there was consensus that security is of utmost importance, Witty fought back on the term “return,” saying that the definition of that word controls much of the answer to the larger question. Warzala countered, saying that a reduction in risk benefits most other aspects of the business at large, providing an implicit return in the process.

#6: Building Security In

Should CSOs care about software security and building security in? If so, how does a huge enterprise embrace security in development? To this, Warzala suggested that it should be a focus, simply because lazy coding has enabled a high percentage of breaches by low-knowledge means. Schmidt echoed these sentiments, suggesting that around 80 or 85% of successful intrusions could have been prevented with better code and programming.

Overall, the panel was incredibly fascinating, and I wasn’t sure if the stage would collapse at some point, unable to support the collective weight of influence and intelligence sharing the same space. On some level, it’s good to know that these powerful (yet approachable) people are in charge of so much. Here’s to hoping that more people listen to their advice.
