James R. Wade is a key player in the information security industry. Mr. Wade has more than 20 years' experience in information security, and is currently the Chief Information Security Officer of KeyCorp, one of the nation's largest bank-based financial services companies, with assets of approximately $86 billion. Mr. Wade is also President & Chairman of the Board of the International Information Security Certification (ISC)2 organization, the premier information security certification organization with more than 15,000 certificate holders in more than 90 countries worldwide. He is also the past President & Chairman of the Board for the Information Systems Security Association (ISSA), and has previously held senior-level security positions at the Federal Reserve and Verizon. Mr. Wade recently sat down with CSOinformer to provide his insight on the challenges of the CISO and his view of the security industry.
Q. Better understanding how to manage and measure risk is possibly the most vexing problem for information security professionals. Some people, such as Donn Parker, maintain that it cannot be done. Are you seeing any developments that are making this problem easier to solve?
A. I have known Donn Parker for many years and I do not consider myself to be on the other end of the spectrum. I believe it is true that you cannot do absolute quantitative risk management in information security using theories such as Bayesian or Monte Carlo modeling. However, I believe qualitative risk management can be useful in enabling effective decision making within businesses. It is necessary that the business units are directly involved with the security group on this - ultimately it is the business that owns the data and they are the ones with a holistic viewpoint of the issues.
Q. What do you think are the major IT security-related implications of the Sarbanes-Oxley Act of 2002?
A. We see it impacting us directly and we didn't even wait for it to be fully enacted before we started working on it. The major impact on IT security is developing and properly documenting IT systems-related financial controls. Sarbanes-Oxley has actually been very helpful for us in prioritizing and finding the most critical controls.
Q. Perhaps related to the last question, there does not seem to be a single upward reporting structure for the top information security executives within an organization. Should they be inside or outside of IT, or does it matter?
A. I have been involved in a lot of discussions about this, and honestly, I don't see a trend one way or another. At the end of the day, I think it is more of a cultural call within each corporation. My two guiding principles on the position of the security executive within the corporation are:
1. The person should be sufficiently high within the organization to influence the strategic direction of the company as it relates to security.
2. The person should be in a position to exert positive influence on the financial commitments the company needs to make for appropriate security.
Q. One of the consistent themes for all of the critical infrastructure sectors is the formation and utilization of Information Sharing and Analysis Centers (ISACs). In fact the Financial Services ISAC has been up and running for some time. What kind of grade would you give the Financial Services ISAC and what are the keys to improvement?
A. I have been involved in this and related government initiatives from the very beginning, including NIST's Computer Security Advisory Board and the Critical Infrastructure Protection Board in the Clinton Administration.
In my personal opinion, the FS ISAC really isn't a good investment. You spend $7,500 a year for the membership and then you need to dedicate the resources to manage the information coming out of it. The result is information that is late. We end up getting free information off of the Internet that is more accurate and timely.
I think the model for the FS ISAC is flawed. It is supported by a contractor who can only provide a limited amount of resources and services, which are constrained by the amount of dues that can be collected. I would prefer federal funding to create a better baseline service. Perhaps the FS ISAC can work more closely with the National Information Protection Center (NIPC) to funnel NIPC's information to financial institutions.
Q. Let's talk a little bit about the National Strategy to Secure Cyberspace. Are you satisfied with the results? Are you concerned about the loss of Richard Clarke and Howard Schmidt from the Homeland Security Department?
A. I have known Howard Schmidt for a long time and respect him a great deal. Howard and Richard are first-class individuals and have contributed so much to Homeland Security, so yes, it really is a loss. Homeland has some enormous challenges just to get organized, but I give them pretty high marks so far. Out of everything that is positive, the one thing that I find disturbing is on the certification front. DHS is proposing a security certification for individuals within the government. Why are we creating a public sector security certification with our tax dollars when we already have private sector certifications that work well? Even the National Security Agency is leveraging the (ISC)2 for its security engineers.
Q. That answer provides a good segue. In addition to being the CISO for one of the largest banks in the US, you are also the President of the International Information Security Certification (ISC)2 organization, which has developed the Certified Information Systems Security Professional (CISSP) designation, considered to be the Gold Standard for information security professional certifications. Are you surprised at the rate of growth in the number of people with CISSP certifications?
A. We expected it to be pretty common among security professionals, but overall felt it would be a fairly small organization. However, the rise of the Internet and business-to-business commerce has greatly accelerated the need for our certification, so in that context it isn't too surprising. The (ISC)2 has always been international in nature, but the certifications in Europe and the Pacific Rim are increasing rapidly.
Q. Do you think the CISSP is an important prerequisite for CISO/CSO levels? Why or why not?
A. We think that for some, certification is appropriate. The Common Body of Knowledge (CBK) that the CISSP is based upon has ten domains of security knowledge, which provides a global perspective useful to CISOs.
Q. Does the (ISC)2 have other certifications available now or in the works that are appropriate for CISO/CSO levels?
A. I have had a few conversations about this, but it is too early to tell. The Chief Information Security Officer has not been around long enough for us to know what we could do to help them effectively set policy and manage the strategic direction of their enterprises. The responsibilities of CISOs are not uniform. For example, at KeyCorp I have total responsibility for information even if it is stored on paper or fax - not just data in computers. We need to work our way through a lot of these issues related to responsibilities.
Q. Do you feel that the Common Body of Knowledge is being adequately updated to maintain its relevance?
A. We put a lot of effort into the CBK. We reach out to a lot of different constituencies and pull in a lot of non-CISSPs as well, such as auditors and highly technical individuals. As to the relevance, we will sometimes have people ask us why there are not more specific technologies within the CBK. The important point is that the CBK is about concepts, and the exam asks the individual to apply those concepts into practice.
Q. Can we expect any major changes with the (ISC)2 in the next few years? Will we see a lot more certifications?
A. I wouldn't use the words "a lot", but we will add some certifications that we believe are pretty important. One thing we believe the market has demand for is expressing security concepts in architectural terms. We believe an architect-related security certification will be well received globally.
Q. As you reflect on your years in the infosec industry, which trend gives you the most hope - conversely, which trend gives you the most concern for the future?
A. I think that information security is all about people. We can have all the technology we want, but if you don't have the right people making the right types of decisions, you will have problems. One of the trends that encourages me is academia, and the fact that universities are increasingly seeing IT security as something worthy of granting degrees. These programs are encouraging the students to better understand business issues in conjunction with the technology. We are definitely getting a better quality of person working in information security. When I got into this business, security was a stepping stone in a person's career path - now it is the destination.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.