Careers & People
2/3/2017 12:00 PM
Steven Grossman
Commentary

Talking Cybersecurity From A Risk Management Point of View

CenturyLink CSO David Mahon reflects on the evolution of the chief information security officer, and why today's CISOs are increasingly adopting a risk-based approach to security.

Steven Grossman, Bay Dynamics’ vice president of strategy & enablement, sat down recently with CenturyLink VP & Chief Security Officer David Mahon in a thoughtful discussion about why CISOs are moving from the IT corner into a more operational role, managing the risks that threaten to harm their company’s most valuable data.

This Q&A is part of a Dark Reading interview series with cybersecurity experts by cybersecurity experts.

Decades ago, a new executive-level role emerged in the enterprise – the Chief Information Security Officer (CISO). The original CISO sat in the IT corner, mainly managing firewalls and other fundamental security technologies. Due to the person’s technical expertise, the CISO reported to the Chief Information Officer (CIO), the leading technical expert in the enterprise.

Fast-forward twenty years, and the CISO has become a more business-centric go-to expert for board members, one who no longer reports to the CIO. Today’s CISOs are increasingly reporting to the chief risk officer (CRO) as cybersecurity has transformed into a risk management issue, viewed alongside, if not above, other operational risks to the business.

To get an industry veteran’s point of view on this transformation, I spoke with David Mahon, vice president and chief security officer at CenturyLink. David is responsible for designing and implementing a global security program that includes cybersecurity, critical infrastructure protection, enterprise risk management, physical security, network fraud and abuse, industrial security, international travel security, global threat intelligence, work place violence prevention, executive protection and investigations. In many enterprises, such as CenturyLink, the CRO and CSO roles are interchangeable. Both involve centering their strategic objectives around risk, and both are seeing more CISOs move under their wing.

Steven Grossman: Thank you for taking the time to chat with me, David. Why do you think CISOs should be reporting to CSOs/CROs vs. CIOs?

David Mahon: The main reason is that the CISO profession and industry responsibilities have changed. The CISO profession started in the IT department when cybersecurity was emerging as a core competency. CISOs were mainly called IT security professionals. Over time, as more high-profile data breaches came to the surface, CISOs increasingly interacted with other C-level executives who were outside of technology, such as chief privacy officers and chief legal officers. The cybersecurity ecosystem transformed, going from a primarily technical discipline to a risk management discipline.

Because of that shift, the CIO isn’t the best executive to oversee cybersecurity. The CIO doesn’t have risk management functions, such as Governance, Risk Management and Compliance (GRC), which is a key component of an effective enterprise-wide risk management program.

Steven Grossman: So, in other words, CISOs shouldn’t be making absolute security their goal but instead, effective risk management.

David Mahon: Our role as CSOs, which essentially carries the same responsibilities as CROs, is to enable strategic objectives and risk posture as approved by the board of directors. When a CSO signs off on a project, it’s not about the technology; it’s about what the project will do for the business. CSOs manage all security and risk functions for the company, which oftentimes blend together, to achieve the risk posture established by the board.

Steven Grossman: Based on what we have seen working with our clients, CISOs who report through the CIO to the board often present technical information from a messaging point of view, while those reporting through the CSO/CRO present a more balanced, risk-oriented point of view. As CenturyLink’s CSO, how do you work with your CISO, who is on your team, and how do you implement a risk-oriented approach to security?

David Mahon: First, you must understand the strategic plan approved by the board of directors. Visit with each business unit to understand how their tactical plans roll up into the larger strategic plan. For example, the CTO may have a strategic roadmap that you know will need cybersecurity engineers on the front end. You can start deploying those resources to support the CTO rather than waiting until the CTO launches a project. You need visibility into what each business unit is doing so that you can enable them to also achieve the overall cyber risk mitigation objectives set by the board.

It’s critical to assess where your most valuable data is located and what value is associated with the applications and systems that store that data. Identifying where your highly valuable assets live will enable you to risk-rank those assets. What is your most sensitive data, and how does it rank down to data that is less sensitive? What are the security controls you have in place to protect your highly valuable data? Are they working properly? Where are the gaps? If business units are outsourcing work, who are they outsourcing it to, and how are those users interacting with your valuable data? Identify the top risks for the company and map those with each business unit’s objectives.

Since many information security programs are designed by technical, solution-based thinkers, it’s also better to turn to regulatory standards and frameworks like NIST, ISO or HIPAA as a baseline for your risk management program.

These are just some of the steps; there are many others in-between. The key is to broadly look at the risk posture of the company, map those risks to your (and the board’s) objectives and define how to decrease risk incrementally.

Steven Grossman: It is unfortunate that so many enterprises do not know where their valuable information assets are located. In the physical world, that’s like an operations manager not knowing where his/her company’s critical buildings are located. Understanding where your valuable assets live is central to risk management.

David Mahon: When there are thousands of employees, vendors, contractors and assets, understanding your valuable assets - including where they exist and how people interact with them - and being able to measure your risk along with appropriate response and recovery plans for various potential incidents, is a sign of a mature risk management program.

Steven Grossman: What do you think are the biggest challenges CISOs face if they report to CSOs/CROs vs. CIOs?

David Mahon: One challenge is that CISOs are not adequately prepared to address the questions that a CSO/CRO will ask. CSOs/CROs tend to ask global questions to which CISOs respond with technical answers. CISOs lean on their technical acumen and therefore are challenged to look more broadly at such things as threat intelligence, adversaries, and business objectives.

In the end, CISOs who embrace a risk-based approach to security will have a broader view of their enterprise’s objectives and know how to strategically and tactically use their resources to achieve them. They will get a horizontal view of the enterprise, instead of a swim lane, which will enable them to deliver shareholder value and enhance customer experience.
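The asset-inventory and risk-ranking steps Mahon describes (locate the most valuable data, check which controls protect it and whether they work, find the gaps, note who outside the company touches the data, and map the top risks to each business unit) can be turned into a small risk register. The following is an added example, not code from the interview, CenturyLink or Bay Dynamics; the assets, the per-tier control baseline and the scoring weights are constructed assumptions, and the score formula is illustrative rather than any organization's method.

```python
"""Added example: a minimal asset risk-ranking register.

Walks through the questions in the interview: where the most valuable data
lives, which controls protect it, whether they work, where the gaps are, and
which third parties interact with it. All data and weights are constructed.
"""
from dataclasses import dataclass, field

# Data sensitivity tiers, highest first (constructed weights; an assumption).
SENSITIVITY_WEIGHT = {"restricted": 5, "confidential": 3, "internal": 2, "public": 1}

# Controls expected per tier. A constructed baseline in the spirit of a
# framework-derived control set; not an official NIST/ISO mapping.
REQUIRED_CONTROLS = {
    "restricted": {"encryption_at_rest", "mfa", "logging", "backup"},
    "confidential": {"mfa", "logging", "backup"},
    "internal": {"logging", "backup"},
    "public": {"backup"},
}


@dataclass
class Asset:
    name: str
    business_unit: str
    sensitivity: str                 # key of SENSITIVITY_WEIGHT
    controls: dict                   # control name -> "working" | "failing"
    third_parties: list = field(default_factory=list)  # outsourced users

    def control_gaps(self):
        """Controls required for this tier that are missing or not working."""
        required = REQUIRED_CONTROLS[self.sensitivity]
        missing = {c for c in required if c not in self.controls}
        failing = {c for c, status in self.controls.items()
                   if c in required and status != "working"}
        return sorted(missing | failing)

    def risk_score(self):
        """Sensitivity weight scaled by exposure. Each control gap adds 1 and
        each third party with access adds 0.5 (illustrative assumption)."""
        exposure = 1 + len(self.control_gaps()) + 0.5 * len(self.third_parties)
        return SENSITIVITY_WEIGHT[self.sensitivity] * exposure


def rank_assets(assets):
    """Assets ordered from highest to lowest risk score."""
    return sorted(assets, key=lambda a: a.risk_score(), reverse=True)


def top_risks_by_unit(assets):
    """Highest-risk asset per business unit, so each unit's top risk can be
    mapped against that unit's objectives."""
    result = {}
    for asset in rank_assets(assets):
        result.setdefault(asset.business_unit, asset)
    return result


# Constructed inventory (sample values, not real systems).
INVENTORY = [
    Asset("customer-billing-db", "Finance", "restricted",
          {"encryption_at_rest": "working", "mfa": "failing",
           "logging": "working", "backup": "working"},
          third_parties=["payments-processor"]),
    Asset("hr-records", "HR", "confidential",
          {"mfa": "working", "logging": "working"}),      # backup missing
    Asset("marketing-site", "Marketing", "public",
          {"backup": "working"}),
    Asset("engineering-wiki", "Engineering", "internal",
          {"logging": "working", "backup": "working"},
          third_parties=["contractor-a", "contractor-b"]),
]

if __name__ == "__main__":
    for asset in rank_assets(INVENTORY):
        print(f"{asset.risk_score():5.1f}  {asset.name:20} "
              f"{asset.business_unit:12} gaps={asset.control_gaps()}")
```

The ranking surfaces the billing database first not only because its data is the most sensitive, but because a required control is failing and an outside party has access; the HR store ranks next on a single missing control. The register is deliberately small, but the two questions it answers (what is most valuable, and what protects it right now) are the ones the interview says a risk-oriented program has to be able to answer for every business unit.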

Dave Mahon, Chief Security Officer, CenturyLink
R. David (Dave) Mahon was named chief security officer in April 2011 for CenturyLink, the third-largest communications provider in the U.S. In addition to his CSO role, Mahon is also the company's liaison with the National Security Telecommunications Advisory Council (NSTAC), National Cybersecurity and Communications Integration Center (NCCIC), as well as federal and state law enforcement and homeland security agencies.

Prior to joining CenturyLink, Mahon was a supervisory special agent with the FBI responsible for investigating violations of federal statutes in which the Internet, computer systems, and networks were exploited as the targets of terrorist organizations, foreign government-sponsored intelligence operations or criminal activities.

Steven has over 20 years of management consulting and industry experience working with technology, security and business executives, driving solutions to their most critical and complex problems. At Bay Dynamics, Steven is responsible for ensuring that clients are successful ...

Comments
JonnyBravo (User Rank: Apprentice), 4/21/2017 | 8:54:53 AM
Re:
An interesting story, very informative. And I cannot disagree with you.
kasstri (User Rank: Moderator), 2/13/2017 | 1:42:29 PM
keyboard
"Give me a break, Sally. I haven't finished my coffee yet."
DonT183 (User Rank: Apprentice), 2/3/2017 | 10:48:24 PM
A Quarter Right.
Missing inventory is a core failure in firms that avoidably damages their essential risk management: missing data criticality and missing wanted-software inventory. From this, the strongest single control of alerting on other-than-wanted motions of critical data or detecting other-than-wanted software is lost. This area is essentially about detecting and shrinking the impact of an adverse event. But inventory also extends to the vulnerable attack surface. The rate of attack generally follows the number of at-risk computers. Suppose it is true that industries have reliable trends in the number of computers per staff. The attack surface, or rate of damaging attacks per year, would grow as the firm grows. A considerable amount of skipping inventory of vulnerable computers, excess inventory of online-accessible sensitive data, vendors selling known-vulnerable systems getting full price for their wares, and skipped hardening of software and configurations alike occur. Consider the number of vendors slow to fix SSL/TLS vulnerabilities even if they knew it was essential to fix for credit card data protection since April 2015. I agree that missing inventory of sensitive data is important. But that is one quarter right. What of missing wanted-software inventory, at-risk data inventories, avoidably vulnerable system inventories? Few firms have any idea what their mean time to repair vulnerabilities really is, what its 95th confidence interval is, or even what the avoidable risk created by underfunding the resolution or circumventing of automation actually costs them. I can assure you a grocery store manager knows more about the cost of business disruption of the freezer section than many firms know of their business disruption costs due to avoidable vulnerability of unwise full-price purchase prices paid for known-vulnerable software.
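The comment above asks how many firms know their mean time to repair vulnerabilities and its 95% confidence interval. The following is an added example, not part of the comment or the article, showing how to compute both from a remediation log; the findings are constructed sample records, and the percentile bootstrap used for the interval is one common choice rather than the commenter's method. Findings that are still open carry no remediation time, so they are reported separately as aging instead of being silently dropped from the average.

```python
"""Added example: mean time to remediate (MTTR) with a bootstrap 95% CI.

Findings are constructed (id, severity, discovered, remediated-or-None).
"""
import random
from datetime import date
from statistics import mean

# Constructed sample log; dates and ids are not from any real system.
FINDINGS = [
    ("V-001", "critical", date(2016, 11, 1), date(2016, 11, 4)),
    ("V-002", "high", date(2016, 11, 3), date(2016, 11, 20)),
    ("V-003", "high", date(2016, 11, 10), date(2016, 12, 15)),
    ("V-004", "medium", date(2016, 11, 12), date(2017, 1, 5)),
    ("V-005", "critical", date(2016, 12, 1), date(2016, 12, 2)),
    ("V-006", "medium", date(2016, 12, 5), None),   # still open
    ("V-007", "high", date(2016, 12, 20), date(2017, 1, 18)),
    ("V-008", "low", date(2016, 12, 22), None),     # still open
]


def remediation_days(findings):
    """Days from discovery to fix, for closed findings only."""
    return [(fixed - found).days for _, _, found, fixed in findings
            if fixed is not None]


def mttr(findings):
    """Mean time to remediate in days, or None if nothing has been closed."""
    days = remediation_days(findings)
    return mean(days) if days else None


def mttr_by_severity(findings):
    """MTTR broken out per severity; a single blended number hides whether
    critical findings are actually fixed faster than low ones."""
    buckets = {}
    for _, severity, found, fixed in findings:
        if fixed is not None:
            buckets.setdefault(severity, []).append((fixed - found).days)
    return {sev: mean(days) for sev, days in buckets.items()}


def bootstrap_ci(values, confidence=0.95, resamples=2000, seed=1):
    """Percentile bootstrap confidence interval for the mean of `values`.
    Resamples with replacement, collects the resample means, and reads off
    the lower and upper percentiles. Seeded so results are reproducible."""
    rng = random.Random(seed)
    n = len(values)
    means = sorted(mean(rng.choice(values) for _ in range(n))
                   for _ in range(resamples))
    lo = means[int((1 - confidence) / 2 * resamples)]
    hi = means[int((1 + confidence) / 2 * resamples) - 1]
    return lo, hi


def open_aging(findings, as_of):
    """Exposure in days for each finding still open as of `as_of`."""
    return {fid: (as_of - found).days for fid, _, found, fixed in findings
            if fixed is None}


if __name__ == "__main__":
    days = remediation_days(FINDINGS)
    lo, hi = bootstrap_ci(days)
    print(f"MTTR {mttr(FINDINGS):.1f} days, 95% CI [{lo:.1f}, {hi:.1f}] "
          f"from {len(days)} closed findings")
    for sev, value in sorted(mttr_by_severity(FINDINGS).items()):
        print(f"  {sev:9} {value:.1f} days")
    print("open:", open_aging(FINDINGS, date(2017, 2, 3)))
```

With only six closed findings the interval is wide, which is the point: a program that reports "MTTR is 23 days" without the interval is claiming more precision than its data supports. Tracking the open-finding aging alongside the MTTR also keeps the average honest, since a backlog of never-closed findings would otherwise make remediation look faster than it is.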