Chief information security officer at the Hypo Real Estate Group, Paul Collins, talks about the balance between risk and control, earning colleagues’ trust, and who’s responsible for changing security’s image in the business.
As CISO, can you explain what your role and responsibilities involve?
I’m responsible for overseeing all aspects of information security for a group of banks. I work as part of the compliance department, independently of IT. I define and update security policy, oversee security changes, and carry out risk assessments.
I’m also responsible for data protection, and this brings particular challenges in some of our international offices due to the nature of the local regulatory requirements.
What does a typical day look like for you: are you very hands-on with security, or is it much more of a management role, where you work closely with the team to deliver IT to the business?
It is a bit of a cliché, but there’s no ‘typical day’. I have to constantly balance priorities, working on long-term strategic planning while also dealing with day-to-day issues, such as change request approval.
We have outsourced our IT infrastructure management, and while I don’t actually make changes to security devices myself, I am responsible for approving any security-relevant changes that are required.
I work very closely with internal IT and our service partners, and also with personnel across our organisation, in particular in Compliance, Internal Audit and Operational Risk.
How extensive are the IT operations that you oversee, and how complex are they?
We don’t have a significant number of users, but they are spread from New York to Tokyo, and this brings certain challenges. Most of our main IT services are delivered from data centres hosted in Europe. We use off-the-shelf products mainly, and have service contracts in place with several IT companies.
Security seems to throw up a new risk every week: how do you respond to the challenge?
Maintaining an awareness of new security risks and countermeasures is a challenge. I get a lot of information from a small number of websites – SANS.org is particularly useful – and mailing lists. I also regularly attend seminars and webinars.
How do you evaluate what threats are just hype and which are the ones you need to take seriously?
Experience is key. Anyone who has been actively involved in information security for a number of years will have developed the ability to differentiate between genuine risks and what (computer security specialist) Bruce Schneier calls ‘movie plot threats’. The significance of the threat varies between businesses and industry sectors.
In assessing risk, it’s important to understand the corporate risk appetite, and also to be able to translate what are often very technical threats into something that makes sense to a manager, colleague or family member.
Which risks are you taking seriously right now?
The Heartbleed bug is a key issue at the moment. Some manufacturers haven’t determined whether their products are affected or not, so it will be a while before this issue is fully addressed. We have had formal requests from some of our financial regulators to report on our vulnerability to this specific bug so they obviously see it as a significant cause for concern.
The business often perceives security to be like the ‘bouncer’ – arms folded, always saying ‘no’ to what it wants to do. Is this a fair perception, in your opinion?
It’s a very common perception, and in certain organisations fully justified. I will never say ‘no’ – instead the answer is more likely to be ‘your request has significant risks associated with it, so let’s discuss some alternative approaches, or determine how we can reduce those risks’.
The responsibility for changing the image of security lies solely with the security personnel themselves. We need to add value to the organisation, we need to earn trust, and we need to provide value for money. If we can get to a point where our colleagues understand why specific security controls are in place, then the effectiveness of those controls increases significantly.
How should security and IT leaders go about changing that view?
I find security awareness programmes are useful. We do have a formal online training in place, but I’ve also hosted lunchtime seminars – explaining, for instance, the security risks around the use of internet email. I try to provide information that people can use at home, as well as in the office.
I cannot expect people to trust me just because of my job title. I need to earn their trust, and this takes time and effort. I try to be accessible, helpful, and positive.
Have you ever had to be the one to veto an idea from the business which seemed great in theory but wasn’t secure enough in practice?
Yes, although as mentioned previously I don’t actually ‘veto’ as such. I explained in clear terms why the proposed solution wasn’t such a good idea. Usually in such situations the person with the idea simply isn’t aware of or hasn’t considered the potential risks.
You came from being an IT manager to now having a security focus. What are some of the main differences between the roles that you have found?
Obviously, IT security is a specific element of IT so requires a more focused view. As CISO, I tend to focus more on risk than on service, although I always consider the impact on business operation for any security control.
With all of the headlines that things like data breaches and DDoS attacks get, is it easier now to get budget for security initiatives than it used to be?
Absolutely. We have had instances where a particular security solution has been recommended by one of our financial regulators, and in such cases there’s no need to make a business case – it simply has to be done.
News reports of security breaches can be very useful in raising awareness and initiating discussion. If a particular security topic is trending across mainstream media I will often get questions from senior management about how we might be affected and this can lead to some interesting discussions.
Is there such a thing as an ideal state of security, or is it a constantly moving target?
Security is a constantly moving target, but most organisations are not striving towards ‘perfect security’. A perfectly secure IT system is one which is not connected to anything else, has no users, and is powered off.
The challenge is to constantly evaluate the balance between the risks arising and the controls in place, and to ensure that risks are reduced to an acceptable level. The definition of this acceptable level varies significantly from company to company.
Is there anything that keeps you awake at night?
Sometimes, but it’s rarely to do with information security. Having said that, my most pressing security concern at the moment is not one arising from my professional role, but in working out how best I can secure the 22 devices that my children have connected to our home Wi-Fi network.