How ‘Security Scorecards’ Advance Security, Reduce Risk

CISO Josh Koplik offers practical advice about bridging the gap between security and business goals in a consumer-facing media and Internet company.

JK: Absolutely. You can put a lot of effort in and not move your grade. I have a few different ways that I acknowledge those bits of progress. I give brownie points on the scorecard like, “investments have been made in this area,” etc. We’ve had to stay regularly involved with the people who are responsible for implementation. We need to keep them honest because it’s not that they are being maliciously deceptive; they are putting a positive spin on things. The other thing people do is that they give you their optimistic six-months-from-now answer. People need to answer in the present tense.

VL:  How do you handle the situation where you have trouble communicating to people who are not primed to worry about security?

JK: I don’t think those people exist in 2016. What people do exist are those who feign that they are absolutely committed to security and they tell you everything you want to hear … and then they don’t do anything. I don’t think this is malicious. Security just falls on that long list of things that they want to do and then they have to make business decisions. Your conversation with them was reduced to three line items on their budget.

VL: So how do you get that crucial buy-in from executives? Is security ever an asset to them?

JK: I frame it as there is a minimum level of security necessary to run a consumer-facing web company in 2016, and we need to make sure our security practices are up to that level. I explained this to our CEO and the CEO of one of our subsidiaries as well and asked if they see security as a marketable feature. They both said there’s no way to use security strategically from a business or marketing standpoint.

Their reasoning was best explained as: “It’s a slippery slope, and dangerous road to go down to say we’re secure because you are creating liability for yourself. If you ever do have an incident, then you have the problem that you claimed you were secure and you were not.”

Personality Bytes


Josh Koplik, Chief Information Security Officer, IAC

Start in security: I grew up in the Midwest, and in 1994, all I wanted was to access the Internet. As I grew older, I landed jobs in tech, and the Internet became more accessible. I did some help desk stuff in college, and I worked as a C developer at a startup in the late ‘90s. I preferred doing more infrastructure-type things. I eventually moved to Fidelity as a security engineer.

Networks versus application experience? Applications because they are harder to learn if you don’t have the background. To understand application security, you have to understand what’s happening everywhere else.

Best career advice to security engineers: As a technician, you are bound to hit a ceiling so at some point, you have to step up and take on leadership roles, learn the ways to navigate an organization, work with constituents, and build support for initiatives.

Advice for a CISO or CSO moving into a newly created role: Don’t build relationships only with the C-level people. Build them with the people who are responsible for implementation, too. When they come to me, I always urge them to help me understand where they are having issues [because] we have to tell the security story together. With the C-level, ask them what they want to see. Keep things simple. Only measure something that you can accurately measure. Only tell a story if you can tell it to the end. 

Biography: Joshua J. Koplik joined IAC/InterActive Corp. in September of 2014 as its chief information security officer. In this capacity, Koplik oversees information security across IAC and its broad portfolio of subsidiary businesses, which include Match, OKCupid, HomeAdvisor, and Tinder. Koplik previously served as director, global information security for Home Box Office, Inc. from 2009 to 2014, where he was responsible for information security & compliance for HBO’s global enterprise. Prior to joining HBO at its New York headquarters, Koplik served as director of technology risk management for Fidelity Investments in Boston. Mr. Koplik completed his bachelor’s degree in computer science from the University of Massachusetts, Boston, and has held a CISSP certification since 2005.

Related Content:

Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path.