Wednesday, July 23, 2014

People, Processes, Technology: 3 Keys for Security Leadership

By Richard Noguera
Head of Information Security
The Gap

When I get introspective about myself as a leader, it's often because I've had a flash of doubt. In other words, I sometimes wonder if I made the right call on any given topic during especially stressful times. And through the course of self-analysis, I am often reminded of Ray Dalio and reflect on what makes me tick as a leader.

I'm a process guy who thrives in the company of good people. More often than not, I find my operational peers to be extremely technically focused. So as a people and process person, I'm typically at odds with those peers. That's not to say that I'm not technically competent; I'm just not comfortable asking an engineer to step aside so that I can correct the flawed line of source code, running config, FW policy, or ACL at the drop of a hat. My peers, however, not necessarily those immediate to me, largely believe this is a functional must-have. Interestingly, it is one that I am presented with, directly and indirectly, at least once a month.

Information Security was begotten by Information Technology. So naturally, most leaders expect CISOs to be almost entirely technically driven. Arguably, this works, and may even be required, when you operate in organizations like Google, Facebook, or Yahoo! Beyond the Technology sector, though, the balance between people, process, and technology is critical to success. Consider Retail, an industry sector largely built on brick and mortar and Loss Prevention. Here, Information Security cannot be driven without understanding Store Operations and the employees in the field. With approximately 90% or more of retailers not technically driven, and often prone to compromise by the phishing/spam campaigns that the Finance and Technology sectors identified several years ago, success in Retail requires a strong people and process focus in order to maximize the benefits of technology. Recent breaches in the sector only underscore the need for balanced people, process, and technology capabilities.

So to simplify, my view is that Security Leaders must have strong capabilities in the following domains:

  • People – Communicate, educate, and motivate their superiors, peers, and subordinates effectively. Customers, partners, and employees are always the first line of defense.
  • Process – As it relates to the business and what it does, leaders must manage Information Security itself as a business and maintain controls consistently to minimize the risk of human error.
  • Technology – Effectively identify, qualify, and remediate threats holistically across cloud/mobile connected enterprises in an ever-changing technical landscape.

So when these flashes occur, I remember that I'm here because I chose to be, and I make a call based on the people, process, and technology information I have in hand. And if my assessment of the situation isn't right, I can course correct with my team the next day.

This post originally appeared on Justin Somaini's Cyber Security Blog.
