CSOinformer - Security wisdom ahead of the curve

Talking to - Stephen R. Katz, pioneering CISO

May 13, 2003 - Jim Reavis

For over twenty-five years, Steve has been directly involved in establishing, building and directing Information Security and Privacy functions. He is the founder and President of Security Risk Solutions, an information security company providing consulting and advisory services to major, mid-size and startup companies. Steve is an Executive Advisor to Deloitte & Touche, heads the Advisory Board of Cogentric, Inc. and is on the Board of Directors of nCircle.

Steve organized and managed the Information Security Program at JP Morgan for ten years. In 1995, he was recruited into Citicorp/Citigroup after the Russian hacking incident. At Citi, Steve was the industry's first Chief Information Security Officer. He spent the next six years directing Citigroup's global Corporate Information Security Office, which had been described as the premier information security program in the industry.

Steve then joined Merrill Lynch as their Chief Information Security and Privacy Officer, where he organized and instituted the company-wide privacy and security program.

Steve has testified before Congress on numerous information security issues and in 1998 was appointed Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury. He was also the first Chairman of the Financial Services Information Sharing and Analysis Center (FS/ISAC) and is currently on the FS/ISAC Advisory Board.

Q. What does Security Risk Solutions do, and how are you spending most of your time?

A. Security Risk Solutions consults with small security companies in order to help them be successful. I look for companies that provide the types of solutions I wish I would have had available to me when I was a CISO.

Q. You are considered by many to be the world's first CISO. How much of the time did you feel like you were making things up as you were going along?

A. I became Citicorp's CISO after the Russian hacking incident in 1995. As far as the CISO title goes, I got that by sheer accident. That came from Citicorp's human resources department after I was recruited by their CTO and they needed to quickly describe what I was doing. We actually developed a lot of the strategy for the CISO and security function during the interview process. We opted to implement a "federated" model for corporate security - a small corporate function with representatives within the business units and departments. We weren't interested in running the operational security; we initially focused on developing badly needed standards and policies and let the IT function implement them. From there we launched training and awareness initiatives to build a culture of security within Citicorp.

Q. There does not seem to be a single upward reporting structure for the CISO. What is your opinion of the ideal reporting structure?

A. I reported to Colin Crook, CTO of Citicorp and an extraordinary visionary. We got along very well and had a great working relationship. However, going forward I believe the CISO function needs to be separate from IT and needs to report to the Chief Risk Officer, or whatever title provides similar authority.

Q. What is the ideal role for security oversight that a Board of Directors should have?

A. At Citicorp, we reported to the Board of Directors' audit committee every six months, which seemed to work very well. It is important that the board get a comprehensive report on the state of the company's security on an annual basis at least.

Q. What are the indispensable skills a CISO must have?

A. Risk Management skills. While you cannot always quantify risk probability in information security, risk management is the best system we have for managing the vulnerabilities that we face and their criticality and relevance to the business unit. As we will see with the Basel II Capital Accord, in the future banks will need to better quantify their operational risk - which includes information protection - or be faced with higher reserve requirements. (Basel II is scheduled to impact financial institutions in 2004 or 2005.)

Ability to translate security to a business context. A CISO must be able to express risks in a non-technical way that allows the business people to tell you what is most important to them and why. You must be able to give the business people options that allow them to remediate, accept or transfer the risk. You must be pragmatic in your communications. It is also important to have some internal sales and marketing skills to be the best advocate for the security function and budget within the company.

Hire smart people. You must hire smart and ethical people to support your strategy. You need people who are both good technologists and people that can educate the rest of the workforce. At Citicorp we performed 300-400 penetration tests each year, which takes a lot of talented internal and external resources. We never hired gray hats and I wouldn't advise other people to do that either. I always found plenty of talented security professionals by legitimate means, out of the government for example.

Q. Do you see a lot of value in a CISO professional association, or is it too much of a niche to be effective?

A. I think it's absolutely a good idea; there are a lot of strong CISOs out there, which is the most important prerequisite.

Q. How effective is the FS ISAC, and do you have a prescription to make it better?

A. It has definitely made a positive impact as we have tried to create a positive environment for sharing data as the I-4 (International Information Integrity Institute) did in the early days. I expect that the Department of Homeland Security will push for some structural changes. In my opinion, we need to get more institutions involved and I expect that the FS ISAC will survive in a multi-tiered format. There will probably be some sort of "Level 1" free membership added, likely offered in conjunction with a pervasive trade association like the ABA (American Bankers Association), which will promote greater involvement. There will continue to be a dues-based "Level 2" membership, and by getting more institutions involved on the free side hopefully we will see more of them "upgrade" their memberships.

Q. What are the technology trends that you find interesting?

A. Vulnerability awareness and management is very important to me. Foundstone and nCircle are interesting emerging companies in this arena, because of the enterprise architecture of their technology (note: Mr Katz is on the Board of Directors of nCircle). An interesting startup is Ron Gula's Tenable Network Security, which is based on the Nessus open source vulnerability assessment software. Ron was the original developer of the Dragon IDS software, which is now part of Enterasys.

Sana Security is an interesting IDS company. Their software looks for and intercepts abnormal system calls. It is an intrusion prevention approach compared to the human immune system. Another company I like is Safe3w. They have a two factor authentication system for remote access which I really like for wireless access. You can define an authorized configuration based on machine ID and other unique factors to help lock down rogue remote access in a centralized manner.


CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.


© COPYRIGHT 2002/03 REAVIS CONSULTING GROUP. ALL RIGHTS RESERVED.