By DJ Johnson
Roota Almeida, Chief Information Security Officer at Covanta, shares her insights on how security executives are viewed by the C-suite, the recent cyber-attacks on major retailers, growth potential in the role of CISO, and the evolution of information security.
[DJ Johnson] Do you think CISOs get the same access as other C-suite executives?
[Roota Almeida] Frankly speaking, not really (in most organizations)! But there are various factors influencing this. Traditionally, security executives come from a highly technical background and do not necessarily speak the business language. In today's world, if a CISO cannot translate requirements and concerns into business jargon, it is very difficult to get business buy-in. Barring the Fortune 500 companies, I believe organizations do not view the CISO position as a C-level position that reports to the Board or at least participates in Board meetings. Another reason for this is that it is difficult to quantify the benefits of security initiatives. Security is mostly seen as an expense by organizations, and as a result certain high risks or threats are underestimated by the business. But again, it is the responsibility of a CISO to translate these security risks into business risks that can be understood by the business and adequately funded with budget and resources.
Though, with recent high-profile security incidents involving various retailers, the CISO position is being viewed differently. In the near future, the CISO role will evolve significantly. Organizations will change the way they view security and how it is managed within an organization.
How has the role of CISO changed over the past few years?
The CISO role is not what it was a few years ago. In quite a few organizations there was no CISO role a few years ago. It is great that organizations are now deeming security an important aspect of running a business and are creating security teams to handle this. CISOs used to be glorified network and operations security administrators who took care of the well-being of the network, including the firewalls, switches, routers, antivirus updates and OS patching on client computers. No doubt, they still do that, but now the focus has changed to look at the big picture and to design a security program that balances business risks and strives to bring them to an acceptable level. Security functions are now growing in scope to include business continuity, disaster recovery, risk management, compliance training, user awareness, etc. I believe this is a significant change within an organizational function in recent years.
How do people perceive the role of a CISO compared to what the role actually focuses on?
The CISO role is perceived very differently by people within the enterprise as compared to clients from outside the enterprise. Outside the enterprise, clients believe anything and everything related to security is the CISO's responsibility. For example, after recent security incidents in the news, people tend to believe that the compromise happened because the CISO wasn't effective enough. But there are various factors that could result in a compromise; it is not necessarily just IT security incidents. There could be physical security incidents as well, which, when coupled with IT vulnerabilities, result in a compromise. Additionally, it also shows that organizations are still not looking at security spending as an important risk mitigator.
Within an organization, the CISO role is perceived to be the one that can take care of any IT risk or vulnerability that exists. In reality, what CISOs strive to achieve is an acceptable level of risk. I don't believe there is any CISO who can say, "I can address all the IT risks of this organization, and if we follow my security strategy we can never be hacked!"
With cyber-attacks on Target, Neiman Marcus and Michaels, are companies taking a closer look at investing in Information Security?
Absolutely! No organization wants to be front-page news, especially for a security incident involving their client data. With these recent attacks, business is now taking Information Security pretty seriously. It's no longer a matter of IF we (as an organization) will be hacked, but WHEN we will be hacked. Now every Board wants to know what their organization is doing to protect against such cyber-attacks. This is a good thing, because Information Security initiatives have now reached the board meetings.
Where do you see the most growth potential in the role of CISO in today's society?
In today's world, a CISO needs to have the skills to effectively communicate with the board and with managers in various parts of the business. The biggest growth potential for the CISO role is to be able to run security as a business and to work with the business to enable innovation and growth. Communication is the key, where CISOs need to be able to deliver the right message to secure investment. Instead of technicalities, CISOs must learn to express challenges and solutions in business terms, for example, the cost of application downtime or the amount of lost revenue due to a compromise.
CISOs need to grow from just a subject matter expert to someone who can advise on how to improve business in a secure manner, someone who is a leader and a facilitator.
Roota Almeida is the Chief Information Security Officer at Covanta, a leader in waste-to-energy and renewable energy projects. Roota has the responsibility of leading all aspects of IT security and risk, including establishing and maintaining global security strategies, architectures, standards, and compliance. She has over 12 years of experience in Information Security, Risk and Compliance and is a Certified Information Systems Security Professional (CISSP).
Prior to joining Covanta, Roota was with Merck & Co., leading Information Risk and Compliance. She was responsible for guiding the development, implementation and maintenance of information security strategy representing more than 50 nations. Additionally, she guided the company in the development and deployment of Safe Harbor certification process and led IT Security Risk Assessments for all applications and vendors.
She has a Master’s degree in Information Systems from Stevens Institute of Technology, Hoboken, NJ. She also has a Bachelor’s degree in Mechanical Engineering from India.