Kris Lovejoy says that security pros should have a physician’s eye
Kris Lovejoy is on a mission to transform the way that CSOs deal with business. The former IBM CISO, who worked her way up as an ethical hacker, knows security from both the technical and the strategic side. CSOs face a period of intense change, she warned at her 2015 SecTor security conference keynote.
Lovejoy didn’t start out in computer science. She managed a volunteer group for military wives, raising money to build a network of computers so that women could talk to their husbands while they were deployed. That made her the resident computing expert, and from there she moved smoothly into a company handling network engineering training. She was contracted out to an intelligence agency where she began securing networks.
An early career in ethical hacking
After that contract, she became an ethical hacker for TruSecure, and from there ended up at IBM through a number of acquisitions. This year, she finally left her role as general manager of IBM Security Services to become CEO at Acuity.
After her keynote, she made some time for an in-depth interview with SecTor, which you can see below.
So she knows a thing or two about what it’s like to hold a senior security role at a large firm, and she’s convinced that these professionals face a time of rapid change. Cloud computing has fuelled agile development, which in turn has helped to usher in concepts such as IoT and mobility, she said.
“I’ve always seen the role of a CSO as not being the house of no, but as being an enabler of innovation,” she asserted. “Our job is to enable the business to accept risk with confidence.”
This requires the effective CSO to approach security pragmatically, she added. The cloud can be an enabler for security, creating the opportunity for more easily deployable, standardised security templates, for example. Security teams should tie themselves tightly to agile development teams in a consulting role, helping them navigate rapid development cycles in which processes can easily be lost, she added.
She also draws comparisons between CSOs and physicians.
“Every organization is infected with some form of malicious code that has yet to be detected,” she said. That doesn’t mean that anyone is stealing data. “The job of the CSO is to recognize and differentiate between the common cold, which won’t have an impact, and cancer.”
A doctor’s eye
The doctor’s most powerful tool? Preventative medicine. According to Lovejoy, 90% of the risks can be remediated through the use of rational and simple controls. Effective IT governance and well-thought-out incident response procedures are low-hanging fruit, and a development team trained on security and equipped with tools that enable it to build secure code is another.
Companies should apply an IT service management (ITSM) approach to digital hygiene, added Lovejoy. This encapsulates many of the operational basics, such as changing passwords and applying patches, and codifies them into a documented process that can be automated.
These measures are mostly focused on IT administration, but there’s another one that focuses more heavily on non-technical employees: give them a robust collaborative environment that meets their needs, Lovejoy said.
“Ensure that all end users in the organisation have a collaborative environment that meets their needs and is reflective of their risk posture,” she added. Otherwise, they will find their way around the rules, like water finds its way around rock.
Measures like this will get CSOs 80% of the way there, Lovejoy said. What about the remaining security risks? “That’s the hard part. I think that if you’re willing to invest in capabilities in line with your unique risk posture, you can get your arms around it more effectively.”
Conducting a conventional risk analysis will tell CSOs where to put those investments, she said, but then they must also put tools in place to measure the effectiveness of those controls. Too many CSOs count the wrong metrics, such as the number of attacks.
“I’m interested in incidents where the bad guy gets in and makes a material impact,” she said. “But for you to gather that data you have to understand what is routine versus materially significant.”
CSOs also need a mechanism for reporting the controls up and into the risk management framework, she said.
It’s going to be a challenging time for CSOs as they struggle to map out a flight path in an immature job function. But hopefully, with some of these pointers, they’ll be able to move forward with confidence.