A key relationship in any organization with an effective security strategy is that between the CSO and the CEO, who must work together to ensure that security investments are mapped to the changing risk landscape. Network World President and Editorial Director John Gallant asked BT Radianz Acting CEO Laurie Bowen and CSO Lloyd Hession, via e-mail, to discuss how they handle this challenge at the financial-services industry connectivity provider. Hession and BT Radianz CFO Larry Kinsella are scheduled to share their thoughts on stage at The Security Standard conference, which takes place in Boston on Sept. 6 and 7.
I want to explore your working relationship and how you sync up on the risks facing the company and how to manage those risks. Let's start by talking about what you expect from one another at a fundamental level.
Bowen: Our customers trust our services to be high performance, reliable and secure. I look to Lloyd and his team to set and implement an effective strategy for managing risks that could otherwise negatively impact our ability to meet those expectations.
Hession: I have been very fortunate at BT Radianz in that security is an integral part of what we do and a major component of our value proposition to our customers. Everyone in the organization understands that, which makes my job a lot easier.
Ultimately, business decisions come down to a risk/return trade-off, which the management team must make. My team's part in that process has two phases, first the analytical: identifying, quantifying and presenting the risk issues to management; then the second phase, working with the business units to mitigate, assign or accept those risks. The critical skill in this pragmatic approach is being able to deliver within the constraints of time and resources.
To be successful as CSO in our environment, one does not need direct control; it is much more of an influencing role. Fundamentally, such a role needs a prominent position in the organization and the full support of the chief executive, both of which I enjoy.
How has the CEO-CSO relationship evolved over time at BT Radianz? How have you become more effective at securing the company?
Hession: I joined BT Radianz as CSO shortly after the company was founded in June 2000. In those six years our business has grown by over 60 percent a year, during which time we adapted and aligned our organizational structure to meet our goals. My relationship with the CEO evolved much in the same way as our business matured.
In the beginning, I was focused on managing security risks that could cause contractual liability and impact [service-level agreements]. The CEO wanted to know that we could manage the risks of the very demanding contractual terms being requested by some of our customers. These major contracts had board-level visibility, and so did the risks. Over time we developed more formal processes based on utilizing a risk register and associated methodology with a quarterly review. As business grew, and we developed our product and services portfolio, the emphasis of my relationship with the CEO shifted to focus more on business development opportunities. Our conversations focused more on our customers' needs to manage risk and security, and the type of additional capabilities we could build to assist them with those challenges.
As our networks grew, so did the cost of scaling security solutions. With operations in over 40 countries, and at one point around 40,000 routers, scale was a problem. In 2000, we implemented an inline [intrusion-detection system] solution (now known as an intrusion-protection system) and quickly became known as one of the world's largest ISS Guard implementations. Since the complexity and cost associated with such scale is difficult to manage, my bias shifted to focus on highly cost-effective and relatively transparent security solutions, such as ConSentry, which is used for securing high-risk LANs.
How do you talk about security with your peers in other organizations, and how do you two share those new insights with one another?
Bowen: The BT Radianz network enables transactions in the trillions of dollars per day. The focus of security conversations with customers is often centered on the reliability of our infrastructure. These dialogues can quickly become technical, going into depth on the architecture and design of our networks, which is a key to our competitive advantage.
Hession: There are three ways this manifests itself. First, we need to make sure we listen to our customers' security concerns and evolving requirements, so we can deliver the products and services that will pass the customers' security bar. We achieve this through hosting workshops and roundtables and participating at financial services forums focused on security and risk. Second, we want to make sure that we are aware of the threats and risks our customers face, and that we take the necessary steps to protect ourselves, and by extension our customers, so that we are not a weak link in the chain of their external security armor. We do this through maintaining relationships into law enforcement and the intelligence community and security organizations, such as the FS/ISAC and [Forum of Incident Response and Security Teams], and working closely with the security teams of our strategic vendors like Cisco (http://www.networkworld.com/news/financial/cisco.html?brl). Third, we built relationships into our customers' operations and security teams, so that in the event of an incident, such as a worm (i.e., SQL Slammer), our teams can take coordinated action to mitigate and manage potentially harmful situations.
As we gain insight through these avenues into emerging security threats, it is my responsibility to brief our management team; at times I have briefed the CEOs of our largest customers on these matters.
With all of the challenges facing companies -- from disasters and pandemics to identity theft and attacks on critical infrastructure and applications -- how do you work together to prioritize risks?
Bowen: As a supplier of critical infrastructure to the financial-services community, we are very conscious of the threats faced by our customers and ourselves. Our customer contracts include specific penalties if service levels are not met. This provides a clear measure of impact for the risk assessment process and a means by which we can prioritize mitigating actions. Aside from those operational risks, damage to our reputation could negatively impact our position as one of the top-rated network suppliers, costing us business and impacting our margins. As a result, the BT Radianz senior management team meets regularly to discuss potential risks and prioritize projects.
Once you've done your risk assessments, how do you work together to determine the appropriate levels of staffing and funding to protect the organization?
Bowen: We have an annual budget and planning cycle that is tied to our business objectives. However, we have built some flexibility into our budgets to adapt to changing business circumstances, should the need arise.
Hession: Because security is an integral part of everyone's responsibilities at BT Radianz, the staffing and funding is not broken out to one large corporate-security function, but rather it is mostly embedded into the business lines and technology groups. The challenge is working with the business unit heads to help them understand the resources necessary to meet our risk management objectives. The CEO plays a critical role in this process by ensuring that the business unit's priorities, including the risk management component, are in appropriate balance with the other objectives of the group and the business.
How do you work together to ensure that a culture of security is created within the company - one where every manager and employee understands the critical security and risk issues and adheres to policies and best practices?
Bowen: As an organization comprised of knowledge workers, we invest heavily in internal communications and aligning our employees with our business objectives. A part of that effort includes various initiatives to promote our own policies, and the criticality of security to our customers and the importance of the trust that they place in us. The security message is included in my own internal communications, and those of the rest of the management team.
Hession: We take a proactive approach to security awareness and the BT Radianz security message. We post internal communications relating to new vulnerabilities that our employees may hear about internally or externally, explain how they do or do not apply to our environment and, if they do apply, how we mitigate their effects. We also work with our colleagues to produce FAQs on emerging security issues, so that our customer service and operations staff are fully briefed and able to handle any security question from customers on that issue.
How do you ensure that the risk assessment adapts as market and threat conditions evolve?
Hession: Security risks can get blown out of proportion in the media. Carefully evaluating how realistic it is for a given scenario to be played out is critical to the decision process. Threat management services like Symantec's DeepSight can provide valuable ongoing input. Often the decision comes down to when to make a change, rather than if it is warranted at all. For example, why patch an IOS version on a router today, if the router is scheduled to be upgraded in a month, with a nonvulnerable version? Does that decision still hold a week from now? Too often, security professionals do not fully appreciate the risks they run by rapidly introducing change into a production environment. Without adequate testing and planning, the risks could be greater than those the change is designed to combat.
How do you involve other business unit leaders in these discussions?
Bowen: I rely on my senior level department heads to work together. We encourage this type of dialogue at our management meetings. We have developed an environment at BT Radianz that avoids the pitfalls of individual departments operating in silos.
Hession: Due to the seniority of my position, I have peer relationships with the department and business unit heads, such as the CIO and the head of operations. This allows me to engage with them as a team during the management meetings, which are chaired by the CEO, and ensures that risk issues are raised when we focus on business strategy. This also ensures my team gets the visibility and cooperation of their colleagues in the business lines. Having a Risk Register methodology ensures that risk owners are kept aware of risk factors, timelines and action plans.
Do you jointly discuss and decide on technology solutions to your risk/security challenges, or are those choices left to the CSO and his colleagues in IT?
Bowen: While we all discuss the need for security built into our overall business strategy, and we are interested in what the solution options are, we rely on our experts to make the ultimate decisions in these areas.
In your roles as CEO and CSO, what concerns you most about security today? What keeps you up at night?
Bowen: One of the more disturbing trends I hear about is the advent of organized crime in the cybercrime space. Well-funded and motivated adversaries are a major concern for our financial services customers, and by extension, for us.
Hession: Keeps me up at night? I sleep like a baby. Which is to say, I wake up every two hours in a sweat, crying. The fundamental issue of our time, as it relates to security today, is two words: conviction rates. The multijurisdictional and transgeographic nature of many cybercrimes makes gaining a prison term conviction highly unlikely. Until we, as a global community of societies under law, can make cybercrime not pay, we are going to see this problem spiral further out of control. Overhyped cyberterrorism is a red herring, one that has distracted the authorities and misprioritized resources from the real threat, which in my opinion, is cybercrime.
What are the potential pitfalls and obstacles to an effective working relationship?
Bowen: If the CSO cannot grasp that security spending and prioritization have to be seen in the context of opportunity cost and the associated trade-off, the working relationship will suffer. As a CEO, I want to know my CSO understands our business first and how security impacts that business.
Hession: At the CSO level, your role is 90 percent business, 10 percent security. You cannot lose sight of the fact that business is about making decisions of where to risk capital. You have to approach your role as one of clarifying the risk side of the risk/return relationship, and managing risks within the accept/mitigate/assign paradigm. Recognize that the business is there to make money. If you spend too much, or encumber it with too many controls, you may be very secure, but you'll also be out of business.