
CISO Interview Series – Michael Peters

March 21, 2012 by Tim Heard

Profile Subject: Michael Peters

Michael Peters has been an independent information security consultant, executive, researcher and author, with more than 25 years of information technology and business leadership experience. His executive positions include Chief Information Security Officer (CISO) at CrossView Inc. (current), as well as previous positions as CSO at Fifth Third Processing Solutions and CISO at Colonial Bank.

Michael holds an Executive Juris Doctorate in Cyberspace Law, a certified MBA in IT Management and an undergraduate degree in IT Security; he holds the CISSP, CRISC, CISM, CCE, CMBA and SCSA credentials and is an ISSA Fellow.

Additionally, he is the author of recently published “Securing the C Level” and “Governance Documentation and Information Technology Security Policies Demystified.”

You’ve been in the information security field for over twenty years.  What are the most significant changes you have seen in the field during that time?

Until very recently, information security was considered by most to be just a niche profession or technological process. This scenario has changed completely in just the past ten years. Information security has been the realm of the Chief No-Way Officers and other security technologists who only offered barriers to business. The reality is that information security must be transformed into a business enabler instead of the business inhibitor it has the reputation of being. What do we need to do within our organizations to change this negative situation and turn it into something with positive business value? We get there when we enable business by eliminating risks to business. We get there by eliminating the threats to the line of business.

Where once the motives of cybercriminals were notoriety, now they are profit and espionage. Cyber-crime and cyber-espionage have become a business and not a novelty pursuit for the technologically talented. Cybercriminals are now increasingly sponsored by governments or criminal organizations. In this situation, criminals are provided with the resources they need to wage cyber-war against some external entity. The opportunity for these events to occur increases exponentially with the complexity of the technology systems, networks, and applications we implement.

You have also functioned in different high level roles both as a consultant, and a CISO.  What makes someone good at each role, and are there qualities that you’d need in order to succeed in one role that might be considered a detriment in the other role?

If I could distill it down, I'd first say that in each case a person who listens well to their customers is absolutely critical. When I say customer, I'm using a generic term to classify anyone who depends on me for leadership and guidance. It could be the CEO or a client. I need to understand what their needs are and think about how I can help using my expertise or resources.

The second element is understanding the business, its purpose, its destination. Sure, I could take an educated guess, knowing that technological permutations are relatively identical from one company to another; however, what I'd be missing are the subtle differences that make the business unique. Therein lie my opportunities for excellence both in business acumen and technological understanding. All of this knowledge sets us apart from our peers or our competition.

These two attributes are common to both the entry-level technologist and the technologically focused executive. The one difference is that at the executive level you need to understand the business not only from your technological angle but also from other line-of-business aspects.

All the letters at the end of your name are an indication that you feel there’s value in pursuing continuing education and obtaining specific certifications.  If someone with relatively little experience in the workplace were considering a career in information security, what advice would you give that person with respect to training? Realistically, what sort of expectations should he or she have regarding career prospects?

It is all dependent upon having a plan. That plan begins with knowing where point B is. This is a subject I've written about in my book Securing the C Level. What career level do you aspire to be at in 5 years, 10 years, and further? What career paths are you interested in pursuing? It's the point of separation, of delineation, that compels one person to rise above a group of peers, above a cast of millions in reality, to achieve more, to accomplish more in life than most people do. I'm convinced that personal achievement and success is largely a function of our deliberate, concerted effort to earn the right credentials, work with the right people, pay our essential dues, and know where we intend to go so that time and opportunities are not wasted. It's so easy to get distracted along the way. This plan is what I call your personal career progression project plan. Treat your career like a well-executed project plan!

What about someone who has considerable “hands on” experience who is seeking to move into a senior level consulting role or a leadership role?  What sort of experience should they be seeking, and what additional training might be helpful?

From a pure credential standpoint, deciding what your ultimate career goals are will help you make decisions about the certifications and academic degree programs you pursue. In my situation, my executive-level career aspirations would put me in a seat around the boardroom table where my peer group would be a collection of other business professionals like the CFO or General Counsel. Understanding that my dominant talents are technological in focus was important, but in order to effectively contribute to enterprise business objectives, other business skills were required. In my case, an MBA with a technology management emphasis was ideal to satisfy the technology executive positions I desired, but it also enabled me to stand shoulder to shoulder with the other executives who reported to the CEO.

Again, know where you are going and you will get to point B more effectively and expeditiously. I stopped chasing the plethora of industry certifications because I wanted to rise from the trenches and walk into the boardroom. Focus on executing your well-oiled personal career progression project plan I mentioned already.

OK. But, if pressed, are there any specific certifications you’d recommend for someone not aiming for a CISO role?  Someone who’s still relatively early in his or her career?

If a person is interested in security, law, governance, and audit, my hands-down certification of choice is still the CISSP. It is the one certification that has become the minimum ticket for entry into emerging and traditional IT opportunities in the facets I just mentioned. If I wanted to stay within the technical trenches, I'd chase those certifications that apply to whatever the hottest technological trend happens to be. I've mentioned that you need to know where point B is in order to plot your career trajectory, regardless of whether it is entry level or executive level. Having a plan is essential.

We have discussed that you have two books that were very recently published.  In a nutshell, what is each about, and who would benefit from reading them?

The first one is Securing the C Level – Getting, Keeping, or Reclaiming that Executive Title. This book is your road-map for taking charge of your executive career and aspirations. You have the power to create significant positive change in your life. The most important thing we can do in life is have a plan. Our plan should be adaptable, and that same plan will serve as the framework for our success throughout our lives. Don't believe for an instant that your aspirations are not achievable, because you would be mistaken. While it may seem that for some people you know everything is easy, virtually handed to them on a silver platter, the reality is that with the appropriate amount of concerted effort and strategic, albeit cunning, maneuvers, we have the absolute potential to achieve everything we include in what I will refer to as your personal career progression project plan. The challenge you will master after applying this framework is to secure, maintain or reclaim that executive-level corporate position. This book definitely benefits anyone who aspires to be a corporate executive in any field.

The second book is Governance Documentation and Information Technology Security Policies Demystified, and it is the professional companion book to the popular global resource, the HORSE Project Wiki, which provides a comprehensive examination of corporate information technology and security governance documents ranging from a corporate charter to policies and standards. This book provides a holistically approachable road map to the design, ratification, implementation and maintenance of corporate security program policies. The guidance contained within has been the bedrock for corporate governance within some of the biggest organizations throughout the world. This book definitely benefits anyone who is responsible for corporate IT security policies, audit, governance, and corporate risk management.

It seems that there’s a wide disparity with respect to the approaches many companies are taking to information security. It seems to range from the ostrich approach to locking down information so tightly that it can sometimes hinder internal business processes.  What are the potential costs and benefits of the extreme approaches and how does a company figure out how to find the right balance?

I’ve mentioned what I refer to as The Security Trifecta, which is comprised of Governance, Technology, and Vigilance, and it’s something I elaborate on in my second book. But in brief, it starts with governance documentation, which is the foundation for what we do: it is based upon the written word. We collectively, collaboratively, cooperatively establish standards that are based upon philosophy, legal requirements, best practices, and regulatory demands. The second facet is the technological enforcement aspect. When governance documentation has been established, we set about implementing and enforcing those standards as much as possible through the use of technology. Some technology implementations allow the end user to exercise greater choice and control, whereas others strictly enforce our standards, taking the human choice element out of the mixture. The final facet of The Security Trifecta involves vigilant teamwork. We all know that the reality is that nothing works very well without teamwork. Controls and standards break down without careful tending, just like weeds take over our gardens without vigilance. We must regularly review our security standards, validating their relevancy, and we must remain agile to adapt to the changing business landscape, putting into practice carefully considered revisions to our ongoing security program. The Security Trifecta is an effective and logical approach to information security that I developed over the course of my career. The interesting thing is that the conceptual approach may also be applied to any other business process, making it formidable to say the least.

From a business impact perspective, taking the ostrich approach puts extreme risks on the business, setting the stage for breaches and loss of intellectual property or sensitive data. Just one event can bankrupt a corporation, and there is solid evidence available today to verify and quantify that statement. Conversely, security controls that are too rigid impede business, effectively choking the life out of it. Security practitioners must remember why they are employed by a particular company; it’s what the company does and not what they do for the company.

How does a CISO justify the cost of a robust information security organization?  For the CISO who works for a company that’s just struggling to stay afloat, what can he or she realistically do to help the organization without creating a financial burden?

The Return on Investment, aka ROI, is an essential financial measurement for any business venture and one that must be positive, or at least neutral, in order to demonstrate the viability of the proposition being examined. There are certain essential business functions, however, that do not provide a return on your investment; two of those functions are legal representation and security, both physical and digital.

They are not investments providing a return, like a business application or commerce site. Security expenses, if utilized correctly, earn their keep in risk avoidance, which does translate into tangible financial savings. Security is about avoiding losses associated with business risks, not about financial return.

The traditionally difficult part about getting funding for security and legal expenditures is collecting accurate, quantifiable measurements to base our propositions on. Fortunately, there is a mechanism for accomplishing this: leverage the mathematical power of the Annualized Loss Expectancy (ALE), which is the monetary loss that can be expected for an asset due to a risk over a one-year period. An important feature of the ALE is that it can be used directly in a cost-benefit analysis.

To provide, hopefully, a brief explanation of how it is calculated: there are two factors that comprise the ALE. They are the Single Loss Expectancy (SLE), which is the percentage of the asset you are attempting to protect that would be lost in a single exposure, and the Annualized Rate of Occurrence (ARO), which is the frequency with which the loss event occurs in a year. Those two factors multiplied together give you the ALE (ALE = SLE * ARO). For example, suppose that an asset is valued at $200,000 and the single cost of exposure is $50,000. Your SLE is now defined as $50,000, right? How many times in a year do we expect this exposure event to occur? If we expect an exposure to occur once every year, then ARO is 100%, whereas if we think there is a 50/50 shot, our ARO is now 50%, right? For discussion purposes, let’s suggest we think there is a 50/50 chance an exposure might occur, so our ARO is .5. With our SLE equaling $50,000, multiplied by our ARO of .5, the ALE is $25,000. In my example, if you were to spend more than $25,000 for risk mitigation or avoidance by purchasing some security product, insurance or some legal service, you are spending too much.
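The ALE calculation above carried through in code, as an added example that is not part of the interview. It follows the textbook convention in which the fraction of the asset lost per event is a separate exposure factor (EF), so that SLE = AV × EF and ALE = SLE × ARO; with the interview's numbers that gives EF = 0.25, SLE = $50,000 and ALE = $25,000. It then goes one step beyond the interview's ceiling test: a control that only reduces (rather than eliminates) the risk is worth its annual cost when the ALE it removes exceeds that cost. The `Risk` and `Control` classes and the two controls are constructed for illustration only.

```python
"""Annualized Loss Expectancy (ALE) worked example.

Added example, not from the interview. Formulation used (textbook convention):
    SLE = AV * EF      asset value times exposure factor (fraction lost per event)
    ALE = SLE * ARO    times the annualized rate of occurrence (events per year)
A control is justified when the ALE it removes exceeds its own annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float        # AV, in dollars
    exposure_factor: float    # EF, fraction of AV lost in one event (0..1)
    aro: float                # ARO, expected events per year (0.5 = one event every two years)

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one occurrence."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollars lost per year."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A hypothetical mitigation: it lowers how often the event happens (ARO),
    how much is lost when it does (EF), or both, at a recurring annual cost."""
    name: str
    annual_cost: float           # license, staff, insurance premium, etc., per year
    aro_reduction: float = 0.0   # fraction by which the control lowers ARO (0..1)
    ef_reduction: float = 0.0    # fraction by which the control lowers EF (0..1)

    def apply(self, risk: Risk) -> Risk:
        """Return the residual risk after the control is in place."""
        return Risk(
            name=risk.name,
            asset_value=risk.asset_value,
            exposure_factor=risk.exposure_factor * (1.0 - self.ef_reduction),
            aro=risk.aro * (1.0 - self.aro_reduction),
        )


def max_justified_spend(risk: Risk) -> float:
    """Ceiling on annual spend for a control that removes the risk entirely.

    This is the interview's $25,000 figure: spending more than the ALE costs
    more than the expected loss it prevents.
    """
    return risk.ale()


def control_value(risk: Risk, control: Control) -> float:
    """Annual net benefit of a control: ALE avoided minus the control's cost.

    Positive means the control pays for itself; negative means you are
    spending too much for the risk reduction you actually get.
    """
    residual = control.apply(risk)
    return (risk.ale() - residual.ale()) - control.annual_cost


if __name__ == "__main__":
    # The interview's numbers: AV $200,000, $50,000 lost per event (EF 0.25), 50/50 chance per year.
    breach = Risk("customer data exposure", asset_value=200_000, exposure_factor=0.25, aro=0.5)
    print(f"SLE = ${breach.sle():,.0f}, ALE = ${breach.ale():,.0f}")
    print(f"max justified annual spend = ${max_justified_spend(breach):,.0f}")

    # Constructed controls for illustration; the reductions are assumptions, not measurements.
    dlp = Control("DLP plus encryption", annual_cost=12_000, aro_reduction=0.6, ef_reduction=0.5)
    gold = Control("gold-plated appliance", annual_cost=30_000, aro_reduction=0.9)
    for control in (dlp, gold):
        print(f"{control.name}: net annual value = ${control_value(breach, control):,.0f}")
```

The second control is the interview's "spending too much" case made concrete: it removes 90% of the occurrences, but at $30,000 a year it costs more than the $22,500 of ALE it avoids, so its net value is negative even though it is the more effective control.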

What do you think are the challenges on the horizon that experts in the field are just beginning to think about?

We now live in a global community brought together by technology. In a sense, there are no longer borders, boundaries, or countries, just technically driven transactions. Once our marketplace consisted of what were predominantly localized transactions and interactions. Now everything has changed. We conduct business with our partners from anywhere around the globe thanks to digital communication networks. As with any endeavor in this life, our risk exposure potential increases exponentially with our increase in these activities. Not that taking risks is bad or that increasing our potential exposure is a negative thing, on the contrary! We increase our opportunities and potential by taking risks.

The best approach is one that is well informed, with our eyes wide open. The challenge is to not be overwhelmed by it but to keep its essence in perspective. From a security practitioner’s standpoint and from a business executive’s standpoint, there are really three well-defined, pragmatic steps to take that enable us to achieve success. I call this The Security Trifecta, which is comprised of Governance, Technology, and Vigilance. Security does not need to be complicated; in fact, by maintaining a clear perspective on the challenge, we distill holistic solutions that reduce business risks.

Tim Heard

Tim Heard is the founder and president of eSearch Associates, a recruiting and staffing firm operating in the technology and legal services job sectors. He has worked in a variety of HR and recruiting roles since the late 1980s, when he began his HR career in the hospital division of Humana Inc. He founded eSearch Associates in 2009, reasoning that if he could survive the brilliant strategy of starting a search firm at the peak of one of the nation’s worst recessions, he could survive and thrive anywhere. (Besides which, there were no HR jobs to be had at the time.) Tim has been a freelance writer since 2001, primarily offering advice and opinions related to careers, management, and technology. He has regularly volunteered for a number of years with a local prison ministry, including having served on its board of directors, and currently serves on the board of directors of a local community ministry and food bank. He can be contacted directly at about.me/timheard.