Good Governance: How to be a Security Leader
In this exclusive interview, Jennifer Bayuk, an information security specialist and former CISO at Bear Stearns & Co., discusses:
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. The topic today is security governance. We are talking today with Jennifer Bayuk, an Information Security Specialist. Jennifer thanks so much for joining me today.
JENNIFER BAYUK: You're welcome. I'm happy to be here.
FIELD: Jennifer, just to introduce yourself to our audience, tell us a little bit about yourself, what you have been up to the past several years and what you are doing now.
BAYUK: I am an Information Security Specialist. I was most recently the Chief Information Security Officer at Bear Stearns before it merged with JPMC. My background is mostly technical. I started in Bell Labs looking at security issues in the public switched telephone network. From there I went to a rotation in AT&T audit, which led me to Price Waterhouse, and that started my education in the governance and management of security. From there I became head of IT Internal Audit for a financial firm and went back to security because audit, to me, was on the outside looking in, and security management and architecture, which is what I went into when I first joined Bear Stearns, was a much more proactive approach. As different reorganizations and things happened at Bear, I ended up as the Chief Information Security Officer, and now I am an independent consultant. I am still looking at the same types of problems that I looked at as a technologist, architect, auditor and manager, but I am looking at them with an independent eye.
FIELD: Very good. The topic is governance and I wanted to ask you, what does governance mean specifically in the information security context?
BAYUK: It all comes down to the tone being set at the top. You know that is an audit phrase, and it comes from COSO -- the Committee of Sponsoring Organizations of the Treadway Commission -- but it applies nevertheless in the security-specific governance case. The top management of a firm, organization, whatever, has got to endorse, acknowledge and support a security program in such a way that the people who are handling data and responsible for executing procedures and things that contribute to the control, the management control, of the data understand that it is a serious responsibility.
FIELD: Now in your experience Jennifer, what are the key elements that a governance program absolutely needs to have?
BAYUK: Well, I have a lot of different publications that keep coming back to the six key elements of any kind of security governance process and they are in a well documented framework that goes in a circle, like a 'plan, do, check, act cycle,' which is popular in all types of management. Security management should be no different.
Security managers have always followed the same types of ways of getting things done that other IT managers and managers in general have. For example, they follow the Seven Habits of Highly Effective People, they've won friends and influenced people, they have re-engineered corporations, etc., so security management has the same types of components as any other governance process. And they are:
You have to have some kind of strategy.
Strategy has to be translated into well-defined policy that is agreed upon and approved and authorized.
Policy has got to be documented and projected to those affected by it in some kind of an awareness process because policy without awareness is just a document on a shelf, and it doesn't get you anywhere.
If you have awareness of policy and you are in a role that is handling information, then you should have some kind of implementation in the form of the preventive, detective and recovery access types of controls.
Once you have some implementation and you believe it reflects your policy, you have to check it, so you need some kind of monitoring process.
Your monitoring process invariably will find that not everything is 100% aligned with your security policies, so you will end up with some kind of remediation of compliance process, and if you are constantly remediating things because your implementation shows you are not in compliance with your policy, then you go back to strategy, and that completes the cycle.
So the six key elements would be: strategy, policy, awareness, implementation, monitoring and remediation.
FIELD: Very good. Now do you find that this structure differs depending on what size of a financial institution you are, whether you are a JP Morgan/Chase or whether you are a community bank in central New Jersey?
BAYUK: The basic structure, no. I mean, you can have a three-person organization and still follow this process, and you could have a 300,000-person organization and follow this process and be effective with it. So, at that level it is too generic to differentiate. How many people you have and whether you need things like segregation of duties between implementation and monitoring will change and it will reflect the culture and the size of the organization.
FIELD: Okay. That makes sense. Now question, we talk about security governance, but there is also sort of the greater institutional organizational governance. How do you align the two and make sure that they work to the same purposes?
BAYUK: The concept of making sure you are aligned kind of, I don't think is the way to start even though the alignment is very important. It is also important for the human resources department to be aligned with the goals of the overall business process and the corporate objectives and the organizational objectives. So to assume that it is possible to be out of alignment means you are starting out broken, as opposed to starting out working for the corporation, the business, the organization that has decided to sponsor a security program.
So if you are part of the management structure of that organization to begin with, and the security program, the leader of the program gets their authority for implementing process from the leaders of the corporation, then the alignment falls out of making decisions on a day-to-day basis based on what the business needs for information security the same way the HR lead, or the Director of HR, would make decisions on what type of recruitment seminars to go to or what type of people to interview based on the staffing needs of the organization. Does that make sense to you?
FIELD: It does, yes.
BAYUK: All right. So, the alignment should fall out of the management structure; it shouldn't be a separate thing managed separately from the management structure.
FIELD: Well, that's a good way to look at it. Let me ask you, in your experience, what are some of the speed bumps that people typically encounter en route to having successful governance in place?
BAYUK: The tone at the top. The idea that the authority of the security program is for balance through the organization, and the security program doesn't have the buy-in as it were of the entire senior leadership, and so that just means that the misalignment is a little bit askew at the higher levels of the corporation. I think that is the most common pitfall that I have seen, and I am sure that many of my peers would agree.
FIELD: Well, it sounds like it comes back to just what you were talking about in terms of the key elements. If you don't have that strategy in place and work hard to implement it, then you start to hit some of these speed bumps.
BAYUK: Yes. And typically when you first run across the speed bump it will be in the awareness process. The right thinking, dedicated security manager will go out to train an organization, and that organization will say, "it doesn't apply to me."
FIELD: So if somebody goes about trying to either put governance in place or improve governance, what are some of the short and long-term rewards they might look at and set the expectations of the organization to look for?
BAYUK: Rewards from the program itself, the value delivered by the program. One very common value that is added by coordinating governance in a security program ends up being economies of scale, where you have very pervasive policy awareness and people all on the same page on what they need to do with security. You need many fewer little point projects and remediation projects throughout the firm to get security into someplace where it appears to be lacking by some maybe auditor compliance process, so economies of scale would be the top value that you will get from having a security governance process that is solid.
FIELD: You know what occurs to me Jennifer is we hear an awful lot now about governance being tied to regulatory compliance in a financial institution. In your experience, how does good governance help with regulatory compliance?
BAYUK: I have never seen a senior leader, a CEO, a business unit president, say anything but "I want to be completely in compliance with all of my regulatory obligations, legal obligations and contracts," so there is where you have that overlap, that governance. So if you can have a security program that delivers that, that your senior leaders can take for granted, then that is definitely going to show that those two programs merge. You know, the security program shouldn't be chasing compliance, and there shouldn't be something doing compliance in addition to the program, with respect to the security requirements that is, but the people who are concerned about compliance should just be able to take for granted that the mechanisms used for delivering security are going to be good enough for the governance.
FIELD: Oh that makes sense. Jennifer, one last question for you. If you were to boil it down to maybe a single piece of advice you would offer to a banking/security leader looking to improve governance in their institution, what would you advise them?
BAYUK: Build consensus. There is no room for cowboys in trying to implement risk management and security management processes; there is only room for a coordinated effort that is firm-wide and universally agreed. So building a consensus would be the number one. If you don't mind my mentioning, I do have a book on the subject, Stepping Through the InfoSec Program, and it lists all the different departments and things that you should reach out to if you want to get that type of consensus and know that you are hitting the senior leaders in your organizations that are going to have some influence over that security program.
FIELD: No, it's very good, Jennifer. In fact, why don't you offer the URL to your website in case people do want to come and check out what you are about and what you are doing and what you can do.
BAYUK: Sure. It's my last name, Bayuk; www.bayuk.com and under publications somewhere you will see the link to the names of the books and other things that may be of interest.
FIELD: Very good. Jennifer, I appreciate your time and insight today, and I look forward to being able to talk with you on this and other topics again in the future.
BAYUK: Thank you very much, Tom. I look forward to it, too.
FIELD: We've been talking with Jennifer Bayuk, and the topic has been security governance. For Information Security Media Group, I'm Tom Field. Thank you very much.