Setting Tone at the Top: Jennifer Bayuk on Leadership
How do you set the right tone? That's the topic of the new book from former CISO Jennifer Bayuk: "Enterprise Security for the Executive: Setting the Tone from the Top."
In an interview about her book, Bayuk discusses:
Bayuk is an independent consultant on topics of information confidentiality, integrity and availability. She is engaged in a wide variety of industries with projects ranging from oversight policy and metrics to technical architecture and requirements. She has a wide variety of experience in virtually every aspect of information security. She was a Chief Information Security Officer, a Security Architect, a Manager of Information Systems Internal Audit, a Big 4 Security Principal Consultant and Auditor, and a Security Software Engineer. Bayuk frequently publishes on information security and audit topics. She has lectured for organizations that include ISACA, NIST, and CSI. She is certified in Information Systems Audit (CISA), Information Security Management (CISM), Information Systems Security (CISSP), and IT Governance (CGEIT). She has master's degrees in Computer Science and Philosophy.
TOM FIELD: What do executives need to know about enterprise security? Hi, this is Tom Field, Editorial Director with Information Security Media Group, and I'm talking today with Jennifer Bayuk, former CISO with Bear Stearns and author of the new book, "Enterprise Security for the Executive: Setting the Tone From the Top. It's All About Management Control." Jennifer, it's a pleasure to talk to you.
JENNIFER BAYUK: Pleasure to talk to you, Tom.
FIELD: So it's been a year or so since we've spoken. Obviously you've written this book in this time, but what are you doing to keep yourself busy these days?
BAYUK: Well, I don't think there could be an information security professional on the planet that's not busy at this time if you read the newspapers. I've been consulting, and I have three areas in my consulting practice. One is for enterprise leaders, and that is the audience that I thought needed this book. I also do consulting in road maps for security products and software devices, and I also do consulting for curriculum and academic research. So, between those three aspects of my current practice, I'm very busy.
FIELD: Well, that's good to hear. Now we talked about this book upfront, Enterprise Security for the Executive. Why don't you tell us a little bit about it and how it came to be?
BAYUK: I had been talking to the Chief Information Security Officers who were my peers, and I found that the most interesting services I had to offer them were pretty much those that were their core competence already. My potential set of clients, I realized, were people who didn't have competent chief information security officers, and they needed to know how to get started in putting together a security program without one. So, that's how I came up with the idea of this book.
FIELD: Jennifer, who is the ideal audience for this book?
BAYUK: It is a person who is responsible for protecting assets or running a business or an organization that relies on assets, but doesn't actually have a good idea of how security works. They may have people who work in security, they generally have been burned by bad attempts or inadequate attempts to secure systems or other information assets, and they are looking for new ways and new things to try.
FIELD: If you could summarize, what would you really want this audience to get out of this book?
BAYUK: I insisted on the words "tone at the top" being in the title. The publisher didn't recognize them as a common phrase, but I knew that "tone at the top" has a nice ring to it and it was adapted in, I guess, the mid-'80s around the time of COSO, the Committee of Sponsoring Organizations of the Treadway Commission, that was looking for ways to make sure that management was in control of processes within their organization in order to limit fraud and limit all sorts of white collar crimes. "Tone at the Top" was seen by them at the time, and has been echoed through the years in the literature, as the way that you communicate to your staff and to your workforce in general, or extended workforce, that you care about how the company is run. That you have a personal dedication to making sure that products and services have integrity and that they are reflecting the principles and values of the organization. That you are very cognizant of shareholder value and your custodial role in maintaining the value of the assets that are under your responsibility. So the idea of communicating "Tone at the Top" with respect to information security, and taking everything that people normally think about running their organizations and applying it to the domain of security, is what I'm trying to get them to understand. These leaders generally know how to run big organizations and how to get people to do what they want already; they just need to understand that security is a domain that they need to care about in order for it to work for them.
FIELD: Now, Jennifer, I've written books as well, and I guess what I've found is that it is a lot easier to read one than to write one, would you agree?
BAYUK: Oh yeah, yeah, I love reading.
FIELD: What do you find came easiest for you in writing this book?
BAYUK: I think the easiest thing about writing the book was telling the stories. The book has about thirty, thirty or so vignettes of security horror stories, I call them. Security horror stories are things that happen to, hopefully, other organizations because they were not diligent about security or looking after their responsibilities with respect to security in a very systemic or holistic way. So, telling those stories that I have heard myself over the years, and that we have all gotten a lot of lessons from as we heard them, was the easiest thing for me to do. We've told them before and we like listening to them.
FIELD: Now I understand that is one of the unique aspects of the book, that you don't really dabble in what people would call fear, uncertainty and doubt, but that your security horror stories are different. How are they different?
BAYUK: Well, they are different because they are factual statements of what happened. They are not designed to solicit fear within the construction of the book. The book itself is about how to think about security. The security horror stories are simply illustrations. They are not part of the text. They are not designed to be arguments or for someone to change their mind about how they think about security because of a bad thing, because of the fear, uncertainty and doubt. So by putting the horror stories separate from the text, I hope to help the reader understand that any fear, uncertainty and doubt they generate is contextual for that moment and it shouldn't really affect the way they holistically view their security plans, because fear, uncertainty and doubt in response to a single horror story is going to give you a point solution to a single problem. It's not going to help you manage your security posture from day to day.
FIELD: Jennifer, the flip side of my question, we talked about what was easiest for you. What did you find most difficult?
BAYUK: The most difficult thing for me has always been to speak in very understandable layman's terms without resorting to any technology jargon, and as I read and re-read the book and asked my reviewers to read it for me, we eliminated a lot of words like firewalls, and information assurance, and things that come easily to us because of the way we think about security and info sec, but are not easy reading for your general audience. I think it was a very good thing for me to do because in general, I feel I have acquired that skill.
FIELD: So, this is a very accessible book for a business executive then?
BAYUK: It is definitely meant to be, and I've gotten good feedback on it. I know that there have been executives who are passing it around and saying, well this explains what happened to me, this explains my experience with security, and maybe I can really succeed if I take a new approach. So, I've been very gratified to hear those comments.
FIELD: Now you've talked about what you want executives to get from this. Let me ask you, what did you learn from this process of putting this book together?
BAYUK: If I had to say I learned one thing from writing the book, I would have to say that there are a lot of views on how security should be run in a systemic, holistic manner, and that my reviewers brought out angles on security management that were not in my direct experience. For example, the first responder angle: for a lot of people whose profession is in security, the steps are protect, detect and respond. Response doesn't always mean that you completely recover. In information security we tend to think of our role as protect, detect, recover because we always have a scenario where we can get our systems back. So to broaden my perspective on security in order to reach a wider view and a systemic view for the executives, I learned myself what some of the boundaries of my current views were.
FIELD: Well, that is excellent. What would you say are some of the top enterprise security issues that are facing these executives today?
BAYUK: You can tell every day by reading your page, Tom. That is, it is going to be regulatory requirements. Unfortunately, what they don't face, and perhaps what they should be facing more, is 'How do I preserve my assets so that they're used the way I need them to, to run my business?' That is something that executives don't face directly. They kind of take it for granted in that they are managing the business processes that control assets. Because they spend so much time thinking about security as an exercise in response to a regulatory requirement, they are not really facing the issues. This book is designed to help them face the issues, and it also points out, in the chapter on regulatory considerations, that if they face the issue of how to protect and preserve your assets, the regulatory requirements are easy to build into your security program. They fall in line.
FIELD: Jennifer, one last question for you. If you could offer one key tip from your book to tease our audience, what would you offer to help these executives tackle some of their challenges?
BAYUK: One phrase that I wrote in the book, that I had said so much in the past, and that I love seeing in writing, and it's been quoted a lot, is "Tone exists at the top whether you know it or not." Okay, you have a security posture. The executives should understand that security does have some kind of culture within their organization, and if they don't know what it is, what they need to do is figure out how their staff, how their workforce, thinks about security now and do what they can at a personal level to portray their attitude towards security in a positive light, so that the general attitude will come up. The tip, you know, if I could put it in a nutshell, is: Lead. Lead in this endeavor. There is no activity that can show your staff what they should be doing for security better than the activity that you would do if you actually cared about it. So that is what I would really like them to understand. That people are taking their cues. That this tone that they set about security, whether they are actively setting it or not, does exist in the organization, and if they can control it then they can at least influence the security posture.
FIELD: Very good. Jennifer, I appreciate your time and your insight and I wish you good luck with your book.
BAYUK: Thank you, Tom. I appreciate you spending time chatting with me about it.
FIELD: The name of the book is "Enterprise Security for the Executive: Setting the Tone from the Top." The author is Jennifer Bayuk. For Information Security Media Group, I'm Tom Field. Thank you very much.