Richard Greenberg, Chief Information Security Officer (CISO) for the Los Angeles County Department of Public Health, described the day-to-day activities of a CISO in his keynote presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Los Angeles on November 9. In his presentation, "A Day in the Life of a CISO," Greenberg offered insights into how a CISO approaches various information security opportunities and challenges.
No two days are ever identical for a CISO. However, a CISO assesses risk every day and must find ways to limit the possibility of cyberattacks that can cause long-lasting harm to an organization, its employees and its customers.
"We are doing risk assessments constantly throughout the day," Greenberg said. "At work, there's something almost every hour that's a risk that we have to evaluate."
Oftentimes, a CISO is required to look closely at potential phishing attacks. He or she works with employees in multiple departments to find out the source of phishing attacks and educate workers about the necessary steps to limit the risk of such attacks in the future.
"You want to make sure that you receive an entire [phishing] message … and find out from the user why he or she thinks the message may be malicious," Greenberg stated. "Just because the message comes from someone that a user knows does not mean that it is safe."
A CISO also performs extensive interviews with employees to learn about cyber risks across an organization. These interviews enable a CISO to obtain feedback that may prove to be exceedingly valuable.
"Wherever you work, you need to understand the culture of your business and the regulations that you have to follow."
If CISOs can learn how an organization's employees approach cybersecurity, they are better equipped to deploy effective security protocols. Plus, a CISO who collaborates with workers can empower employees with tips and strategies to manage cyber risk.
Today's CISOs frequently evaluate employee access to various applications as well, because if an unauthorized user gains access to a work application, that user may expose an organization to malware, ransomware and other security dangers.
Ultimately, CISOs are responsible for learning about an employee and providing him or her with access to applications as needed. CISOs must work with supervisors to ensure secure access to applications; otherwise, an organization that empowers all lower-level employees with access to all applications faces significant risk.
"You want to make sure that no one is granted access [to applications] until they are vetted by a supervisor or even a supervisor's supervisor," Greenberg said. "Depending on the level of application, you may want a higher level of approval."
How CISOs partner with an organization's application development team may have far-reaching effects.
If a CISO collaborates with an app development team, he or she may be able to identify new security dangers. Furthermore, CISOs can work with app developers to ensure all applications are secure.
"It's really crucial to build a good relationship with the head of app development," Greenberg said. "Because it's really crucial that you know what's going on."
Although CISOs may have extensive technology experience, it generally helps to learn about app development. If a CISO can effectively communicate with an app development team, both parties can work together to bolster app security, thereby reducing the risk of data breaches.
"The majority of CISOs have their background in technology … If you are not one of those people with application development background, you won't be able to speak the language of application developers," Greenberg stated.
Many CISOs are responsible for ensuring data security, as well as guaranteeing an organization complies with myriad information privacy regulations.
"We are doing risk assessments constantly throughout the day. At work, there's something almost every hour that's a risk that we have to evaluate."
CISOs in highly specialized industries like financial services and healthcare must learn about and comply with data privacy mandates. An organization that ignores these standards may face significant penalties. Perhaps even worse, this organization may inadvertently expose sensitive data to cyber-criminals, resulting in revenue losses and brand reputation damage.
"The privacy policies need to be in sync with our security policies," Greenberg noted. "Where you work, there are lots of different regulations that you have to follow."
An organization's culture may play a major role in a CISO's day-to-day success. If a CISO helps an organization foster a culture of collaboration and engagement, he or she ensures that all employees work together to secure sensitive information. In addition, a CISO who understands data security requirements and educates workers about these mandates can further reduce cyber risk both now and in the future.
"Wherever you work, you need to understand the culture of your business and the regulations that you have to follow," Greenberg finished.
Richard Greenberg, CISSP, is the Information Security Officer for the Los Angeles County Department of Public Health. Previous positions include Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies/agencies in the private and public sectors.
Richard brings over 25 years of management experience and has been a strategic and thought leader in IT and Information Security for both the private and public sectors. His Project Management, Security Management and Operations, and Policy and Compliance experience has helped shape his broad perspective on creating and implementing Information Security Programs in organizations.
Richard was recently honored as an Honor Roll recipient by ISSA International. He has been selected as a finalist for both the (ISC)2 Americas Information Security Leadership Award in the Senior Information Security Professional category and the Los Angeles Business Journal CIO of the Year in Security.
Richard is the Chair of the Annual Healthcare Security and Privacy Forum in LA. He has been a Chair of several ISSA LA Security Summits, and all four of the AppSec California conferences. He has also served as the OWASP AppSec USA Conference Co-Chair and has been a member of the ISSA International Conference Committee.
Richard is the President of ISSA-Los Angeles and is the OWASP Los Angeles Chapter Leader. He has worked diligently to bring together the various Southern California IT and InfoSec organizations to enhance their collaboration efforts and to help reach new IT and InfoSec professionals.
Richard has been a published author, and has spoken on Information Security individually and on panels, most recently at the Beverly Hills Health IT Summit in Nov 2016 and "A Day in the Life of a CISO" for ISSA in January 2017. He is also a Security Evangelist, helping to spread the word about secure application development and general security awareness.