The Growing Business Role for Security Leaders

Interview with John Pironti of ISACA's Education Board

Security leaders are quickly evolving in their roles to focus more on the business of banking, less on the technology of information security.
This is the main message delivered by the results of ISACA's recent Information Security Career Progression Survey of 1400 Certified Information Security Managers (CISMs) in 83 countries.
To learn more about the survey results and the trends they identify, read this interview with John Pironti, Chief Information Risk Manager with Getronics, and a member of ISACA's Education Board. Pironti touches on:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. Our topic today is the growing business role for security managers, and I'm talking with John Pironti, Chief Information Risk Strategist with Getronics and a member of the ISACA Education Board. John, thanks so much for joining me today.
JOHN PIRONTI: Thank you.
FIELD: John, I'm talking to you today because I've received the results of this survey that ISACA recently did, and I would love you to tell us a little bit about it. Tell us about this survey and what the hypothesis was going into this research.
PIRONTI: Sure. Well, the survey was intended to kind of validate some thoughts that ISACA and other groups in the information security world have had for a while to see where we thought the growth of information security within the organization, not just at the organizational level but at the employee level. So we wanted to understand and validate our thought process that said that we think information security is becoming more popular, more important, more of a business-driven activity and not an IT function, and that it was drawing help from different parts of the organization, including the audit organizations, the compliance organizations, the IT organizations, the legal organizations. We wanted to really kind of see if that really was happening or if that was something we were just seeing through conversation but not realistically in the perspective to all the people that we talked to.
FIELD: Did you have a specific hypothesis going in here?

PIRONTI: I think the hypothesis we had going into this was that we felt as though information security was becoming more important, that it was becoming more of a risk management conversation than an IT security conversation, and that's really kind of what we were focusing on. How much did we change the conversation from a traditional IT conversation to more of an information risk management conversation?
FIELD: That said, what did you find to be the clear messages from the survey respondents?
PIRONTI: The most important message I think that we received out of the survey and the thing that we found most interesting is that people are really becoming--having information security as part of their role. It's becoming something that is evident in everything that they do, auditors, compliance people, legal staff, general IT security staff and IT staff, now all have a stakeholder in information security, so it is now no longer a specialized small group of people who have a specialized talent in this area, but we are finding that people in many different roles are finding that they have a connection to information security and they are taking notice of that connection and they are finding themselves more and more involved in activities that promote good risk management practices within organizations and good information security capabilities within organizations.
FIELD: Now John, I understand you folks surveyed more than 1,400 CISMs from 83 countries around the world. Any surprises in the responses?
PIRONTI: I think that the biggest surprise that we were finding was that most organizations feel that they need to retool. Most people feel as though they are not yet prepared properly to carry on this mission. They are not properly educated with all the knowledge that they need to be successful. They don't have all the capabilities, nor do the organizations that they work in. They all want to be secure, and they all want to follow a business-aligned approach and a risk management approach, but there is a real understanding that came through the survey that was found as a surprise to us that said that they really need to retool. They need to rethink how they are operating, that the way they are operating today is not going to solve the problem in the best way it can be solved.
FIELD: Well, that is interesting because it segues into my next question. Based on the results that you've seen, what do you think are going to be the major trends for security professionals going into 2009?
PIRONTI: I think that the most important trend that we have been seeing, and we are very happy about seeing this, is that we are moving away from that traditional information security concept into an information risk management concept within the organization. And what is so important about that is the word security typically has a debilitating context associated with it. People associate with security something that is going to prevent them from being successful in some way or is going to block them from doing something in some way.
In security for many years we've talked about the idea of being more gentle to our audience, being more transparent, being more business aligned and enabling, and in changing just the way we have the conversation from an IT or a security conversation to an information risk management conversation. We are changing the whole dynamic to go well beyond just IT issues, but now focusing on information and data and information infrastructure, which includes all the people, processes, procedures and technology associated with all the business activities and processes that were functioning within organizations.
So we think that this new concept that we are evolving, this new conversation that we are having that really focuses around risk management, really is changing the playing field. We are also changing now to include this concept of governance, risk and compliance. The analyst world has really taken us by storm and kind of taken this new acronym to add to our list of acronyms, we call it GRC. This now is really how we are starting to look at the future of information security and IT governance and risk management within organizations. We are asking for governance conversation, risk management and compliance and looking at how we look at them in a holistic and heterogeneous way instead of a homogeneous concept for each one of those independently.
FIELD: Well, what it sounds like, John, is that in some way means you almost have to have a new vocabulary for this role, and maybe even a new skill set. So, what do you expect to be some of the challenges that are facing security professionals that are trying to have these new types of conversations?
PIRONTI: Great question. Great question. The most important thing that we find and the biggest challenge that we have is a lot of security professionals that are still in place have grown up to this technology perspective. Their experience and their knowledge is wonderful and capable and great, but they are still focusing on the widget. They are still focusing on the technology control, not the business process control. They still are focusing on how they can use different IT technologies to solve problems versus taking a more business-aligned approach, which it starts out by doing business process mapping, and logical and physical asset inventories so you understand where your data is, and approaching it from a control-based and risk-based process that says 'How am I going to understand where I truly am at risk, and how am I going to understand the threats that are associated to my information infrastructure and my vulnerabilities that are associated with those threats, and then how I am going to manage them?'
One of the things that security professionals tend to love to do is we love to save the day. We love to solve the problem. But in this new realm of conversation, we are not always going to solve the problem, and in some ways we are just going to manage the problem. Because the business really wants to look at this in a business responsible way, and now that we have to think business we also have to work like business. So we have to work under a budget, we have to work under business plans; we have to work under a business process in our governance, risk and compliance activities as well.
FIELD: This reminds me a lot of the conversations we have had for years about the need for IT professionals to be better aligned with the business and speak the language of business.
PIRONTI: Absolutely. In fact, some of the guidance that I have been giving the CISM population that I work with and professionals that I work with and I give guidance to is that we really should be pursuing MBAs more than we should be pursuing Masters of Computer Science at this point. To be successful we need to be able to understand our audience and understand the business in a way that is well beyond the concepts of what we think in our minds intuitively, but truly understand how and why a business operates and one of the key functions that a business wants to operate under so we can understand the management team that we are trying to service. And in reality, information security groups are typically there as a utility to the organization. Our job is to service the organization and help the organization to be able to operate in a safe and secure fashion without having to think about it. That's when we've done our job well. In order to do that, we have to understand the language of our business, we have to understand the business processes, we have to understand the business people, and the culture in order to be more effective.
FIELD: You know, we had an interesting debate on our site recently. I want to throw open this question to you because we posed the question: OK, you are going to hire your next CISO at a bank. What is more important to you? Do you need the security professional that you can teach banking to, or do you need the banking executive who can pick up security? What's your take on that?
PIRONTI: This one's an easy one for me. I've installed information security programs at many banks all over the world, large and small, for some of the biggest in the world, and my most successful CISOs, my most successful security people, are people that come with a risk management background with almost no technology background. I can teach the technology, I can teach CISOs enough to help them understand the basics and premises they need to worry about, but they also can build programs and build staff that can be more technically competent to cover that small area. If you understand that information security is only 25% technology, 75% people, process, procedure and policy, that right alone drives you to understanding that the person that is going to be successful is the person who understands the business and not the person who understands the technology.
FIELD: So for a young professional that is just starting out in a security career today, if you could boil it down to a piece of advice, what would you tell them?
PIRONTI: I think the best advice I could give a young security professional is always ask yourself what problem are we trying to solve, and does this help the business and how? The conversation has to come back to one of reality and realistic threats and vulnerabilities that are going to be a reality within the organization, not the fear, uncertainty and doubt conversation. The fear and uncertainty and doubt is fun -- it is fun to be able to stand up and say I can do these wonderful things, I can bring down the internet in thirty minutes or less, I can break into environments, and there are definitely people out there who can do that and we have to understand the viability of if they will do that, how they will do that, and what is the reality of that becoming something that will concern my information infrastructure. And then, I can start dealing with it accordingly and not just assume that everybody is out there to do that bad thing to me.
FIELD: You can't really bring the internet down in thirty minutes, can you, John?
PIRONTI: [laughter] No comment.
FIELD: John, I really appreciate your insights today. It's been great. The insights on the survey are wonderful and just your thoughts on the industry and where it is headed.
PIRONTI: Oh thank you so much for the time.
FIELD: We've been talking with John Pironti, Chief Information Risk Strategist with Getronics and a member of the ISACA Education Board. For Information Security Media Group, I'm Tom Field. Thank you very much.