The Well-Rounded Security Pro: Insights from Mark Lobel, ISACA
In an exclusive interview, Mark Lobel of PricewaterhouseCoopers and ISACA, discusses:
Lobel, CISA, CISM, CISSP, is a member of ISACA's Security Management Committee. He has over 25 years business experience, with the first eight in the Entertainment and Media industry and then, after his MBA, with PricewaterhouseCoopers. He is an internationally recognized security and controls professional with experience designing, benchmarking and assessing organizational security strategies and technologies. He is experienced at designing, assessing, implementing and penetration testing enterprise security. Lobel's work has primarily focused on the information communications, entertainment and media and financial services industries. He is the global PricewaterhouseCoopers subject matter expert on security benchmarking and the PwC leader for PCI services in the USA.
TOM FIELD: As we look toward 2010, what is the growing need for professional security education, and what role will risk management play?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. Here to answer these questions today is Mark Lobel with PricewaterhouseCoopers and with ISACA's Security Management Committee. Mark. thanks so much for joining me today.
MARK LOBEL: My pleasure Tom. Thank you so much.
FIELD: Mark just to start out, will you tell us a little bit about yourself, your background and your current roles both with PricewaterhouseCoopers and with ISACA?
LOBEL: Sure, absolutely. I have 25 years of business experience, the first seven or so in the entertainment and media industry, and then a MBA from Boston University, then joined Coopers & Lybrand back then (now PricewaterhouseCoopers), and it has been a little over 15 years, and I have been a partner in the security practice for about five years now. And for ISACA, I am on the Security Management Committee, which is helping guide ISACA in the direction it wants to go and should be going in the information security space. There are bunch of us on that committee, and I am also on the Practices and Guidance Committee as well for ISACA.
FIELD: Well, Mark, there is no doubt that the information security role has evolved significantly just in this decade. How does professional education have to evolve with that changing role?
LOBEL: I think it needs to evolve significantly, and as we mature as a profession in information security, I think some of the additional disciplines that have come into the security realm ,if you will, have to be added to professional security education.
Specifically, ISACA has been working on a model, which we released earlier this year, called the Business Model for Information Security. There are lots of moving parts to it, and it's a great graphical representation of a security framework, but one of the cornerstones of it is people, process and technology - and I don't think that is a surprise for anybody here. But, organization and structure, and the thing that ties people, process and technology and organization and structure are, I'm going to paraphrase it, but unexpected events, enterprise architecture and culture.
Let me just focus on the culture one for example. A lot of security people have come up the technology path. They haven't come up a path where they study organization behavior and sociology. So just one example of how professional education needs to grow: We need sociologists in this security space who understand the current state of organization culture and who are specialized in changing organizational behavior.
I think the sociology point is one; finance and accounting is another. We need to understand the economic realities inside the business to understand some of the pressures that may cause some of the behavior. So, those are two pieces that I think need to be added to the professional education of a security person: a finance and accounting understanding and a sociology understanding.
FIELD: So, Mark, how do you make that happen? What specific recommendations would you make that really would improve security education? I think part of that has to be just where do individuals make time for this?
LOBEL: Sure, and I think it comes from two areas. First, it has to come from continuing professional education for practitioners in the field, and practitioners joining the field from other disciplines. So again, that is something that
ISACA has been looking to create materials, and in fact on the Practices and Guidance Committee we are looking at what materials can be released from these areas, and that sociology culture one is a piece that is under consideration right now. The second point is it comes back to university education; it comes back to the programs that are preparing professionals to be in this field at the beginning of their career. And to that point again, ISACA is working with a number of leading universities, looking at their security education and creating a template for what we think the security professional will need to be a fully-well rounded security professional in the next five to 10 years.
FIELD: Mark, let's talk about risk management as well, and I think you probably can't separate that very far from security education and the information security professional. As the information security professional's role has evolved, what is the role now of risk management in organizations?
LOBEL: That's a great question: What's the role of risk management in an organization? And I think that is directly intertwined with the security organization. So at least how PwC defines it is you have an enterprise risk management umbrella inside an organization that covers all types of risks. So, legal, compliance, regulatory, operational ... If it is financial services, there are other specific risks, you know like market risks and credit risks and so on. If you go with the assumption, which we do, it is baked into the ISACA business model for information security and PwC security practices as well, that security is a risk-based exercise, then (a) you need to have security integrated into your overall enterprise risk management program for an organization, and (b) your security organization has to be taking a risk based approach, doing a yearly risk assessment, identifying what the risks are and then seeing how you can mitigate or protect against those risks and driving your program there versus what I would say the alternative is: a compliance-based approach where you get a checklist and then you tick every box on the checklist.
In our experience however, a compliance-based approach is kind of the tail wagging the dog, and you are not always identifying what is most important to the organization and addressing that in a consistent, coherent manner.
FIELD: Well, Mark, you see lots of different organizations, and more importantly you see their information security cultures. How do these groups--what do they have to do to improve their risk management capabilities to get away from that checklist mentality?
LOBEL: Good question, and I think it is going back to the basics and blocking and tackling of just an overall security strategy. That PwC security atlas approach strategy starts with looking at the risk assessment and then looking across a set of security functional areas that map back international standards because you are going to be asked compliance questions, and there is no point in fighting that. Whether it is ISO, whether it is back to the British, the old British standards, whether it is the Information Security Forum standard of practices, which I think is very good; you are going to be asked compliance to something.
So how do you do that risk-management approach and that risk-management framework starting with the risk assessment and then make sure that you have got an integrative framework to tick off your compliance obligations as part of managing the biggest risks for the organization? So I think to kind of answer your question, what are some of the biggest challenges, I think it is 'Do you have an integrated framework, and have you thought of how you are going to take a risk-based approach?' But make sure you are meeting your compliance obligations without creating a silo for every compliance obligation and duplicating tons of work while not addressing the organizations biggest risks.
FIELD: Let me take you in a different direction now Mark. Frighteningly enough we are about five weeks away from 2010. Looking ahead, what do you see as being the biggest information security challenges for organizations?
LOBEL: From the ISACA perspective and from the PwC perspective, we do a Global Information Security Survey, and some of the big things we have seen--we have just released a few weeks ago--and our 2010 survey, which is looking into next year, I would say cloud computing is, or maybe not number one on the list, but definitely very high because there is a compelling reason to move to a sourced capability from the speed and the dollar perspective. Cloud computing makes a lot of business sense, but people are rushing into it and they haven't thought through the risks.
You know, once you go into the cloud, how do you get your data back out? It kind of comes back to a fundamental framework of looking at the data elements. Do you know what data elements you have? Do you know where those data elements are? Do you know what controls you have over those data elements? And do you know what laws or regulations or compliance obligations you have with those data elements?
So if you start with the risk and take what those highest risks are to the data elements, and then you can answer those four questions of what do you have, where is it and what are the controls and what are the regulatory and compliance obligations. And you look at that from a cloud perspective, well (a) maybe what you have you can't necessarily answer where it is if it is out in the cloud, so you need to be able to get a better answer to that question. Hopefully you know the controls, but again a lot of businesses will rush and put data out in the cloud without understanding the controls consistently; and if you don't know where it is you can say what laws or regulations apply to that data consistently. So I would say cloud is one of the biggest ones.
And then the use of social networking is kind of the second biggest security challenge. The tools are maturing, but not yet mature in that space, and employees are going to use them, and companies are going to use them. There are some cases where you can ban social networking, and that is fine, but once the employee leaves home and still has intellectual property in their head, you can't stop them from going onto a social networking site from their home computer.
So, do people have policies to address social networking? Only 23 percent of the respondents to our Global Security Survey said they had policies associated with it. And then do you have tools and methods to address the risks associated with it? Again, those tools and methods were in the --social networking has moved so fast those tools and methods are being created and deployed but not as consistently and not as effectively as it needs to be.
So the two biggest challenges I would say, you know that's not he top ten but just two of them on the top ten would be social networking security and cloud security.
FIELD: And I get the sense that organizations know what the questions are when it comes to those topics -- that finding the answers might be their big challenge?
LOBEL: No. No I would say that they need to find out the questions. Again, a great example of a company that I was trying to stand up a new business value creating application, specifically around cloud in this example over first cloud computing. And the business owners went to the IT organization and said 'We need a server and we need this and we need this to run this application. We got the application, but we need the infrastructure.' Then the IT department came back and said 'We can't do it in this year's budget; it has got to be next year's budget,' so now we are 12 to 18 months out and it is probably going to be $100,000 to $150,000 dollars. They can probably do it for a little under $100,000 dollars, but that is about the range to stand up the dedicated infrastructure they were going to put in place.
The guys took out their credit card, they went out to a cloud provider, and it was $25,000 to $30,000 dollars, and they had it up and running in four weeks, maybe even a little bit sooner than that. So 18 months at $100,000 dollars, or four weeks and $30,000 some-odd dollars. They got an award from the CEO for moving so quickly.
Now, guess which questions didn't get asked in all that quick drive to business value? What data elements are going, where are they going to be, do we have any compliance obligations, and if we need to unwind being in the cloud how do we get the data back? What about business continuity? What about disaster recovery? Tons of kind of basic block & tackling questions did not get asked, and we are seeing that again and again.
So to your point, do companies know the questions? Maybe they know the questions, but are they asking them and then, yeah, they have got to get the answers and some people have good answers to those questions these days, but not everyone.
FIELD: Sure. Now it is an exciting time for someone to get into the profession. Information security has got the attention of everybody from the President on down. Given that, for someone starting their information security career today Mark, what advice would you give to them?
LOBEL: Oh goodness. I would say you need to be somebody who likes and understands change and is comfortable with change because if you are not, then security may not be the place for you to be, depending on which role and which space you take in information security. I would say consider a broader education, so to the talking points earlier, look at organizational behavior and think about a sociology class, think about a basic finance class, as well as all the technology classes.
I mean look, you have got to understand kind of the control framework, how COBIT would play in, and how an organization would implement that. And I think as we look forward to some of the new standards ISACA has and is looking toward, you are going to see some additional security frameworks and better integration of the business model for information security into the next version of COBIT. So that is something a student should absolutely be tracking and be up on, and as well as all the basic blocking and tackling and confidentiality integrity and availability. So all the basics and I would add some of the next level things for a long-term career in information security.
FIELD: Very good, Mark. I appreciate your time and your insight today.
LOBEL: My pleasure. Thank you so much.
FIELD: We have been talking with Mark Lobel with PricewaterhouseCoopers and ISACA's Security Management Committee. For Information Security Media Group, I'm Tom field. Thank you very much.