How have your previous positions prepared you for the challenges you face as the Director of Information Security for Exostar?
Iím not sure youíre ever fully-prepared to face the challenges associated with information security because the threat landscape is so dynamic. I think whatís most important is a mix of strategic planning, technical, and analytical skills so that you protect the organization as much as possible proactively, and are able to respond agilely and effectively when the unexpected befalls you.
Iím fortunate that my background has helped me build the appropriate perspective. I received my degree in international politics just as the Internet was taking off. As a result, I immediately was able to apply my planning and analysis mindset to technology. I spent a decade focused on Enterprise Resource Planning implementations, B2B eCommerce consulting, and design and operation of private cloud solutions. These positions gave me the strong technical foundation I needed to make the move into security, where Iíve focused my career for the last 7 years. The mix of a non-computer science education and practical technical experience has proved invaluable as I help Exostar navigate today's advanced threat environment.
Based on your experience, what are the essential qualities every information security leader should possess?
I think information security executives need to be strategic thinkers, understand the underlying technologies, and be able to calmly and practically assess evolving scenarios. The reason I believe this is that most security challenges inevitably occur at the intersection of people, process, and technology.
Being a technical guru simply isnít good enough. Neither is being a good manager that lacks the technical depth to properly address situations. The key to a businessís success is its ability to focus on effective security beyond the traditional IT compliance silo. Thatís especially true for us at Exostar, where we deliver Software-as-a-Service (SaaS) in the cloud for customers in industries including Aerospace and Defense (A&D) and Life Sciences. We face the double whammy of not only protecting our own systems, solutions, and information, but also those of our customers. As you might expect, these customers are concerned about issues such as regulatory compliance and protection of their intellectual property. Security is an essential element of our business and a market differentiator. What I think serves me best in my role is persistence and a solid understanding of the fundamentals.
How do you properly assess the complete risk posture of a large organization? What specific setbacks come from BYOD?
In many ways, large organizations are no different than small organizations Ė they both are subject to threats and must account for vulnerabilities. How risk is mitigated may vary minimally; the biggest difference is that solutions for large organizations must be able to scale.
The bottom line is that every organization faces common and unique sets of risks, and every organization defines its own levels of risk tolerance. The risk posture and corresponding security initiatives must be calibrated in that context.