Information security is too often an afterthought, playing second fiddle to functionality and speed to market as companies race to become digital businesses. So says Roota Almeida, head of information security at Delta Dental of New Jersey. The problem will only get worse with the explosion of internet-connected devices and things, she says in this SearchCIO video.
To bridge this gap, Almeida stresses the importance of chief information security officers (CISOs) getting involved with business decisions and idea development early on. To effectively sell security to the business and the board, the CISO role needs to include acting as an adviser and facilitator, not simply an enforcer.
Senior news writer Nicole Laskowski chatted briefly with Almeida at the MIT Sloan CIO Symposium, where she was a featured speaker, to talk about how CISOs can play -- and need to play -- a bigger role in their organizations' digital initiatives.
How can CISOs be part of the digitization conversation from the get-go?
Roota Almeida: In this day and age, CISOs have to be coordinated with every business process. So they need to be able to communicate security in a business manner. When the business makes decisions or the board makes decisions -- like, say, mergers and acquisitions and new product launches -- and digitization happens, CISOs should be at the conversation from the get-go.
Security should not be an afterthought. In a lot of solutions that we are seeing -- [such as] the internet of things, or internet of everything -- security is kind of an afterthought. First, they look at how great the product is from a functionality point of view. And they are like, 'Oh, oops, we forgot security, so now let's build it in.'
That afterthought is what's creating this big security gap. The way CISOs can help in the digitization process is to be involved in the first step, from when the idea is being developed by the board or the [C-]suite.
Big data sets entice cyber criminals
How has big data changed the security and privacy conversation?
Almeida: Big data installations in companies have increased. Even small and midsize companies have a lot of data now. As with any new software installation, security is still an afterthought for big data installations. They still don't have the necessary security and administration that are required for such a huge installation. It's still not robust enough.
When you combine that with the advances in the server-side hacks, where big data is stored, [big data becomes] a very lucrative data source for hackers to go after. So it's becoming a very highly vulnerable platform because of the criticality, the different kinds of data that it has. Because big data consists of a lot of different kinds of data pulled in from different applications, information classification of the big data installation becomes very critical.
To get to a robust information classification process, the information ownership needs to be defined accurately. And when you have ownership, you can classify the data correctly; based on the classification, you can protect the data appropriately. All those things tie together.
CISO role in balancing infosec and going fast
How can CISOs strike the right balance between the business' desire to go fast and the need for security, which can slow things down?
Almeida: In this day and age, CISOs need to be good security communicators. So what security professionals should do is try to communicate the threats, the security risks, in a non-threatening way, and also in [terms] that a business or a board member can understand. I would put it as loss of revenue because of application downtime; loss of brand or image because of a breach, because we lost X amount of records.
That communication piece is a big part of the CISO role now: to make [security] a part of the business and to make [the CISO] a facilitator. [CISOs need to make it clear that security is not just] something that they need to do because they want to be compliant, or need to do because they don't want to be featured in The Wall Street Journal.
Why is working with the business so vital to the CISO role these days?
Almeida: What are we trying to protect? We are trying to protect the information that the business uses every day. I need to know what my business is. Only then can I protect that information, only then will I know where the information moves, how the business works and how that flow of information happens.
I cannot be in only the IT domain and try to protect that. I need to understand what the business' needs are and then fulfill those needs in a secure manner. I cannot go to a business unit negatively, saying, 'You can't do this because it's insecure.' Instead I should say, 'Yes, we can do it, but let's do it this way so it's more secure.' So you put it in a more positive way, rather than a negative one. Instead of a backstop, I need to be a facilitator. Instead of an enforcer, I become an adviser.