Talking Cybersecurity From A Risk Management Point of View

CenturyLink CSO David Mahon reflects on the evolution of the chief information security officer, and why today's CISOs are increasingly adopting a risk-based approach to security.

Steven Grossman, Bay Dynamics’ vice president of strategy & enablement, sat down recently with CenturyLink VP & Chief Security Officer David Mahon in a thoughtful discussion about why CISOs are moving from the IT corner into a more operational role, managing the risks that threaten to harm their company’s most valuable data.

This Q&A is part of a Dark Reading interview series with cybersecurity experts by cybersecurity experts.

Decades ago, a new executive-level role emerged in the enterprise – the Chief Information Security Officer (CISO). The original CISO sat in the IT corner, mainly managing firewalls and other fundamental security technologies. Due to the person’s technical expertise, the CISO reported to the Chief Information Officer (CIO), the leading technical expert in the enterprise.

Fast forward twenty years, and the CISO has become a more business-centric, go-to expert for the board, one who no longer reports to the CIO. Today’s CISOs are increasingly reporting to the chief risk officer (CRO) as cybersecurity has transformed into a risk management issue, viewed alongside, if not above, other operational risks to the business.

To get an industry veteran’s point of view on this transformation, I spoke with David Mahon, vice president and chief security officer at CenturyLink. David is responsible for designing and implementing a global security program that includes cybersecurity, critical infrastructure protection, enterprise risk management, physical security, network fraud and abuse, industrial security, international travel security, global threat intelligence, workplace violence prevention, executive protection and investigations. In many enterprises, such as CenturyLink, the CRO and CSO roles are interchangeable. Both involve centering their strategic objectives around risk, and both are seeing more CISOs move under their wing.

Steven Grossman: Thank you for taking the time to chat with me, David. Why do you think CISOs should be reporting to CSOs/CROs vs. CIOs?

David Mahon: The main reason is that the CISO profession and industry responsibilities have changed. The CISO profession started in the IT department when cybersecurity was emerging as a core competency. CISOs were mainly called IT security professionals. Over time, as more high profile data breaches came to surface, CISOs increasingly interacted with other C-level executives who were outside of technology such as chief privacy officers and chief legal officers. The cybersecurity ecosystem transformed, going from a primarily technical to a risk management discipline.

Because of that shift, the CIO isn’t the best executive to oversee cybersecurity. The CIO doesn’t have risk management functions, such as Governance, Risk Management and Compliance (GRC), which is a key component of an effective enterprise-wide risk management program.

Steven Grossman: So, in other words, CISOs shouldn’t be making absolute security their goal but instead, effective risk management.

David Mahon: Our role as CSOs, which essentially carries the same responsibilities as CROs, is to enable strategic objectives and risk posture as approved by the board of directors. When a CSO signs off on a project, it’s not about the technology; it’s about what the project will do for the business. CSOs manage all security and risk functions for the company, which oftentimes blend together, to achieve the risk posture established by the board.

Steven Grossman: Based on what we have seen working with our clients, CISOs who report through the CIO to the board often present technical information from a messaging point of view, while those reporting through the CSO/CRO present a more balanced, risk-orientated point of view. As CenturyLink’s CSO, how do you work with your CISO, who is on your team, and how do you implement a risk-orientated approach to security?

David Mahon: First, you must understand the strategic plan approved by the board of directors. Visit with each business unit to understand how their tactical plans roll up into the larger strategic plan. For example, the CTO may have a strategic roadmap that you know will need cybersecurity engineers on the front end. You can start deploying those resources to support the CTO rather than waiting until the CTO launches a project. You need visibility into what each business unit is doing so that you can enable them to also achieve the overall cyber risk mitigation objectives set by the board.

It’s critical to assess where your most valuable data is located and what is the value associated to the applications and systems that store that data. Identifying where your highly valuable assets live will enable you to risk-rank those assets. What is your most sensitive data down to data that is less sensitive? What are the security controls you have in place to protect your highly valuable data? Are they working properly? Where are the gaps? If business units are outsourcing work, who are they outsourcing it to, and how are those users interacting with your valuable data? Identify the top risks for the company and map those with each business unit’s objectives.

Since many information security programs are designed by technical solution-based thinkers, it’s also better to turn to regulatory standards and frameworks like NIST, ISO or HIPAA as a baseline for your risk management program.

These are just some of the steps; there are many others in-between. The key is to broadly look at the risk posture of the company, map those risks to your (and the board’s) objectives and define how to decrease risk incrementally.

Steven Grossman: It is unfortunate that so many enterprises do not know where their valuable information assets are located. In the physical world, that’s like an operations manager not knowing where his/her company’s critical buildings are located. Understanding where your valuable assets live is central to risk management.

David Mahon: When there are thousands of employees, vendors, contractors and assets, understanding your valuable assets - including where they exist and how people interact with them - and being able to measure your risk along with appropriate response and recovery plans for various potential incidents, is a sign of a mature risk management program.

Steven Grossman: What do you think are the biggest challenges CISOs face if they report to CSOs/CROs vs. CIOs?

David Mahon: One challenge is that CISOs are not adequately prepared to address the questions that a CSO/CRO will ask. CSOs/CROs tend to ask global questions to which CISOs respond with technical answers. CISOs lean on their technical acumen and therefore are challenged to look more broadly at such things as threat intelligence, adversaries, and business objectives.

In the end, CISOs who embrace a risk-based approach to security will have a broader view of their enterprise’s objectives and know how to strategically and tactically use their resources to achieve them. They will get a horizontal view of the enterprise, instead of a swim lane, which will enable them to deliver shareholder value and enhance customer experience.

Steven Grossman is VP of Strategy at Bay Dynamics, a cyber-risk analytics company. He has more than 20 years of management consulting, software, and industry experience working with technology, security, and business executives, driving solutions to their most critical and ...

Comment, 2/3/2017 | 10:47:36 PM
A Quarter Right.
Missing inventory is a core failure in firms that avoidably damages their essential risk management: missing data criticality and missing wanted software inventory. From this, the strongest single control of alerting on other than wanted motions of critical data or detecting other than wanted software is lost. This area is essentially about detecting and shrinking the impact of an adverse event. But inventory also extends to the vulnerable attack surface. The rate of attack generally follows the number of at-risk computers. Suppose it is true that industries have reliable trends in the number of computers per staff. The attack surface, or rate of damaging attacks per year, would grow as the firm grows. A considerable amount of skipping inventory of vulnerable computers, excess inventory of online accessible sensitive data, vendors selling known vulnerable systems getting full price for their wares, and skipped hardening of software and configurations alike occur. Consider the number of vendors slow to fix SSL/TLS vulnerabilities even if they knew it was essential to fix for credit card data protection since April 2015. I agree that missing inventory of sensitive data is important. But that is one quarter right. What of missing wanted software inventory, at-risk data inventories, avoidably vulnerable system inventories? Few firms have any idea what their mean time to repair vulnerabilities really is, what its 95th confidence interval is, or even what the avoidable risk created by under-funding the resolution or circumventing of automation actually costs them. I can assure you a grocery store manager knows more about the cost of business disruption of the freezer section than many firms know of their business disruption costs due to avoidable vulnerability of unwise full price purchase prices paid for known vulnerable software.