Bonk CISO Larry Whiteside on the head, and like Jason Bourne he will wake up thinking about security in 12 different languages.
“For me, security and risk management is a mind-set. When I go into a restaurant with my wife and kids, I automatically see where the exits are,” says Whiteside. And how the waitress handles the credit card. How far the credit card machine is to another table. The location of the security cameras, the station of the guard.
“I am always thinking about the security scenario, not to take advantage of it, but to be aware,” Whiteside says.
Whiteside is chief information security officer for Visiting Nurse Service of New York (VNSNY), the country’s largest not-for-profit home health care provider. Some 130,000 patient medical records and pieces of credit card data fall under VNSNY’s watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act (SOX).
Whiteside practices what is called a risk management approach to security compliance. I interviewed him this week for a story I’m doing on the topic. While his organization has many regulatory obligations, “the way I approach compliance is through risk. We do not focus on just ensuring we are compliant,” Whiteside says, stating the first principle of risk-based management to information security.
“When I look at new applications or systems or architectures, I am looking at the risks to our business and the risk to our information. Those are the things that are important, not does it meet a line item associated with HIPAA and SOX,” Whiteside says.
A risk management mind-set is always looking for patterns — not items on a regulatory checklist — that pose a threat to the asset one is responsible for protecting. So when somebody comes to him with a security problem, even if he knows nothing about the particular system or application, he can formulate a set of questions.
Incidentally, most CISOs live in a security mind-set, he says, whether they’re hard-core techies or recruits from the business side. “The methodology they follow by day at work is the methodology they live outside of work,” he says. At conferences, when CISOs unwind afterward with a drink, they invariably play a Where’s Waldo? version of security gaffes, competing to see who can spot the most security lapses. “It’s kind of weird if you are outside the circle.”
The mind-set can have its limitations, as in “If you are a hammer, the whole world looks like a nail,” adage.
Indeed, when he is taken by surprise, it is typically by something that happens on the business side.
“You can’t believe that business would make that decision. You have that mind-set and forget people don’t think that way,” says Whiteside, who nonetheless never forgets what needs to happen next.
“But the fact is they went down that path, and you have to make it right. CISOs are support personnel. That is the reality. We are on the same side of the business as the help desk, and that is all we are. Until it can be determined how a CISO can make the company money, we will always be there to support.”