Joyce Brocaglia: Recruiter's View of Evolving Role of CISO
RICHARD SWART: This is Richard Swart with Bank Information Security.com. Today weâ€™re interviewing Joyce Brocaglia, President and CEO of Alta Associates Inc. Founded in 1986, Alta Associates is widely acknowledged as the leading search firm in IT risk management information security and privacy. Having successfully partnered with Global Enterprises for 20 years, Alta Associates has built world class IT risk and information security organization. Ms. Brocaglia is sought after for her deep knowledge of market conditions, business intelligence and her ability to create industry alliances. With over 20 years experience acting as a strategic advisor to her clients, she has gained the trust and respect of the industryâ€™s most influential executives. In September of 2003, Information Security Magazine honored Ms. Brocaglia with a Women of Vision Award naming her one of the 25 most influential women in the information security industry. In 2003, Ms. Brocaglia also founded the Executive Womenâ€™s Forum on information security, privacy and risk management. A groundbreaking event for women executives in the information security industry to exchange ideas and best practices. Their website is www.informationsecuritywomen.com.
This afternoon weâ€™ll be talking with Ms. Brocaglia about the evolving role of the information security officer. Good afternoon, Joyce. How are you?
JOYCE BROCAGLIA: Hi, Rich. Great.
RICHARD SWART: Good. First question we have for you is how is the role of an information security officer evolving and what advice would you give to concurrent security officers or IT professionals who aspire to the ISO rule?
JOYCE BROCAGLIA: Well what I can tell you is that in over two decades what Iâ€™ve been doing recruiting it certainly is an evolving role. What weâ€™re seeing is that corporate culture has shifted quite a bit from placing a value on information security to valuing information risk and this is what has caused a large change in the information security officerâ€™s role and itâ€™s forced them to evolve from purely a technologist role to much more of a strategist role. You know when we started finding CISOs we usually look for the most technical person in the room and now we are replacing those technical focused managers with executives that take a much more holistic approach to technology and risk management. So our clients are asking us to find executives that understand things like operational effectiveness and governance and partnerships and they really possess strong leadership skills and I think there are a number of things that are causing that or driving that evolution, kind of a growing reliance on technology, the fact that there is a tidal wave of new regulations that are really forcing senior executive management and board of directors to take notice of information security. The general public is way more savvy and aware of issues regarding the privacy and protecting their personal data. I know I find on TV all the time of some incident of data loss and people want to know that their online transactions, their banking, their purchases, all that are secure and I think you know finally companies are recognizing that. If they address security and privacy in their organization the right way and they respond to incidences properly itâ€™s going to have a direct impact on shareholder value. So all of those things have really kind of forced CISOs to elevate their game.
In terms of what would I tell a current or aspiring CISO probably to focus on people and process and then to consider how the technologies and the products that they use securely support their objectives of their particular organization. I have a lot of conversations with CISOs and they kind of always talk to me about reporting structure and wanting a seat at the table and I try to express to them that good leadership skills are really one of the biggest ways that they can make a difference in terms of being invited to the table but they have to recognize that in order to be invited back to the table they have to have good table manners and by saying good table manners I mean they have to be able to step out of their comfort zone and do what it takes to gain business understanding and to perform an executive level type of presentations and a lot of professionals are challenged with that that come from a technology background and they have kind of a conflict between their desire to move up in the organizations and their instincts to remain in what Iâ€™ll call their comfort zone and by doing that they create their own glass ceiling. So I think if I gave anybody advice it would be you know by no means should they turn their back on technology but they have to start thinking about technology in terms of how it supports the business and they have to think about getting out of their comfort zone and going to charm school and learning some of the executive presentation skills that they are really going to need since this is a much more savvy position than it was years ago.
RICHARD SWART: It sounds like the role has significantly changed over the past few years. Are there any absolute must haves or critical success factors that an ISO has to have?
JOYCE BROCAGLIA: I mean I think if we look at it from a taxable standpoint. You know they are looking for someone that can manage and create the implementation of enterprise wide solutions. Clearly as I said they are very interested in folks that have a thorough understanding of the business. I think in financial services is particularly key. You know they need to have a strong awareness of regulatory, legal and privacy implications and again in the financial services industry you know Basel II, SOXs and GLBA and itâ€™s so highly regulated I think itâ€™s key for them to understand the compliance implications of all of these regulations and statutory things that they have to do. I think on the softer side they really need to understand have the ability to develop relationships and be able to communicate and sell ideas effectively to their senior management and from an approach standpoint I think this whole concept of looking at things from a technology risk management approach is really very important. You know they need to understand that security is not a technology issue, that itâ€™s a business issue and our clients are looking for people that can come on board that have the ability to build a departmentâ€™s credibility. So you know they really are keen on that elevation of skill set, not just from a technology stance but from a much broader sense of executive level skills.
RICHARD SWART: Would you have any particular advice for a recent college graduate or someone looking to enter the field of information security? I mean they really are describing it as very different in the tradition conception of information security over the past few years. How is the best way to get the experience they would need to land a position in this area?
JOYCE BROCAGLIA: Well you know theyâ€™re coming out of school with probably a very solid set of skills. I do a lot of work. partnering with Carnegie Mellon. Thereâ€™s a lot of universities like that that now have degrees and master degrees in information securities specifically. So I think that the students are graduating probably better equipped than ever from a technology standpoint. I think itâ€™s important for them to recognize that itâ€™s their technology skills that are going to get them through the door but itâ€™s how much of value they bring to businesses and how much theyâ€™re able to enable those businesses thatâ€™s going to get them promoted and whatâ€™s going to get them recognized is how theyâ€™re able to differentiate themselves. So even if theyâ€™re the most technical developer you know the fact that they continue to take stock of their ideas effectively and that they have a broader view of how what you know how and when their pieces of puzzle fits into the bigger picture I think is going to bring them the most recognition and allow them to kind of climb the corporate ladder of success.
RICHARD SWART: Thereâ€™s been a lot of discussion about the convergence of security with other roles in organizations. Do you see this happening and if not what are the unique challenges that an ISO faces that essentially make that a separate role within organizations?
JOYCE BROCAGLIA: You know I think there is a lot of speculation about the conversion of physical and cyber security and as certainly there are a few companies doing it but my experience is that more often than not these two departments are kept separate. I think the skill sets and the responsibilities of the CISO and the CIO are pretty dramatically different as are the skills of the people that pursue them. You know folks that are CSOs typically come from the law enforcement or protection or military background and have responsibilities for you know fraud or executive protection, facilities management investigations. You know CISOs have typically grown in the technology world. They have a broader based understanding of applications and infrastructure and compliance and regulations and most companies need these two departments but there is very few people that are really capable of doing both jobs effectively and what Iâ€™m seeing more and more of is that there is a huge tendency for these two groups to partner and to create effective overall security programs and alliances because the convergence is abounding in terms of the fact that a lot of the things that information security officers deal with from a technology standpoint the technology is really laced into all of the physical things that the CSO is dealing with, whether itâ€™s access into the building or whether itâ€™s incident response, whether itâ€™s forensics and investigations. So you know the two totally are intertwined and I think that they have to have a very good relationship for any overall security or risk management program to be effective but for most part weâ€™re still seeing CISOs report traditionally to a CIO or a CTO and occasionally they do report to a CSO. A lot of times when I see the CISO reporting to a CSO theyâ€™re not usually given the title of CISO. They might be given the title of a director or information security you know manager or information security officer.
RICHARD SWART: The last question I have for you is how successful have women been in achieving the ISO level in organizations and what are some of the enabling events or resources that women can use that want to break into this field?
JOYCE BROCAGLIA: You know Iâ€™ve seen a dramatic change in the number of women that now hold positions of influence in information security and privacy and risk and all of the related areas and you know perhaps some of that is due to the fact that as we discussed itâ€™s no longer key that the most sought after skills is just a personâ€™s technical depth. I think the fact that this role is becoming a much broader and theyâ€™re looking for folks with broad business acumen who can manage through influence, who can communicate effectively, who have strong collaborative styles and who can multi task a lot of demanding people and deliverables. You know I think that some women naturally possess some of these skills. Iâ€™m not saying that theyâ€™re not technically competent they certainly are. I just think that itâ€™s been traditionally a male-dominated field and more and more women who have come into fields are being recognized not only for the technical skills but their executive management skills as well and theyâ€™re now you know leading the charge and I think that theyâ€™re contributing greatly to you know kind of the secrets of the black box being revealed and theyâ€™re being much more of an integration between technology and businesses and you know have a very good and forward thinking affect on that collaborations effort.
RICHARD SWART: Thank you for your time today, Joyce, and we certainly appreciate your interview.
JOYCE BROCAGLIA: Thank you. It was a pleasure speaking with you.