Lessons in security leadership: Jamil Farshchi

The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more

The mission of Los Alamos National Laboratory is to develop scientific and engineering solutions to the biggest challenges facing the United States. More than half the lab's $2 billion operating budget goes to nuclear weapons design, and it's the job of CISO Jamil Farshchi to protect the institution's classified and unclassified information. In less than two years, Farshchi and his team have created and implemented a strategic planning framework that aligns the lab's security with its mission.

CSO: What is unique about the security challenges you face at Los Alamos National Laboratory?

Jamil Farshchi: Protecting and handling classified matter effectively is our most interesting challenge: How can we keep our nation's intellectual property safe while making it accessible to those with the proper clearance and the need to know? The implications of a breach could be huge--not just for the nation, but for the whole world.

What is the most difficult or rewarding accomplishment of your career?

My most gratifying accomplishment was at NextWave Wireless, where I was charged with building an information security program from scratch. I supported security integrations following several mergers and acquisitions, managed our SOX 404 compliance and installed the security foundation. It was a dynamic, energized environment, and it was my first time leading a security program. Looking back, it was a great time.

[Also read Information security, value creation and the balanced scorecard by Farshchi and Ahmad Douglas]

What has been the biggest change to the CSO role in the past few years?

The shift from a purely technology focus to one that is more business aligned. Take cloud computing. The typical security function might not want to take on that level of risk. But the opportunities for business are limitless and are starting to drive security into a new mind-set. Rather than security as a gatekeeper, it's security as an enabler--how are we going to partner to implement this securely?

There are still a lot of security practitioners who think our job is exclusively to reduce or eliminate risk. But to reduce risk, you have to implement controls, which constrain productivity and therefore limit business growth. Rather than single-mindedly trying to reduce risk to zero, we need to start seeking a balance.

Can you name one of the biggest mistakes you've made during your security career and what you learned from it?

I used to believe that simply making a mistake would be career-ending in the security field. I've since realized that making mistakes is a necessary component of learning and improvement, as long as we aren't repeating the same mistake. It has been proven that meaningful innovation is the result of many small failures that are incrementally improved upon to finally produce the big idea. If, as leaders, we do not tolerate mistakes, we will put a ceiling on our potential and will fail to achieve greatness.

What are three fail-proof principles of security leadership?

First, focus on the customer. Unless you can listen and apply what you hear to your security strategy and investments, there's no way to create a competitive advantage.

Second, strive to balance risk and value. Again, it's not about driving risk to zero, it's about balancing risk with the productivity and innovation value that the business creates.

Third, be sure to align incentives appropriately. If you seek to build an agile and aligned security program, you should reward your workforce for finding minimally intrusive methods of reducing risk, and even for eliminating unnecessary controls when possible.

What are two things about security or security leadership you wish you'd known 10 years ago?

It's critical to understand the technical aspects of security, but it's only a small part of the role. You need to have competence in a number of other disciplines as well. Business acumen and communication skills are key, but understanding other fields, such as psychology, education, statistics and economics, contributes to differentiating a complete security leader.

What is the most over-hyped topic in the security field?

Governance, risk and compliance tools. They can improve your operational efficiencies relative to your compliance capability, but I don't think they provide much in terms of understanding risk in the enterprise or helping to truly protect the organization.

What will be the next big topic in the security field?

Applying quantitative methods to risk management. Security folks tend to want perfect answers and perfect data, which I think is why we haven't been able to meaningfully quantify risk to date. But we don't need absolutely perfect information--in fact, any level of risk quantification will be a dramatic improvement.

[Learn more in The great IT risk measurement debate]

Here's an example: patch management. If 100 "high" vulnerabilities are found throughout your corporate network, what does that mean? Security practitioners have assumed it means we need to reduce that number to fewer than 100, and ideally zero. What if the cost of eliminating those vulnerabilities is $10 million, but the entire corporation only generates $5 million in revenue? Through quantitative methods, we can better link security decisions to what matters to the business. We might find that only 5 of the 100 vulnerabilities affect business activities that create real value and focus our scarce resources on those. The potential for long-term impact on the security practice is enormous.
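The prioritization Farshchi sketches above, worked through as an added example (editor's code, not from the interview or from Los Alamos). It links each scanner "high" to the business value of the asset it sits on and ranks remediation by expected annual loss avoided per dollar spent. The inventory of 100 findings, the exploitation probabilities, impact fractions and remediation costs are all constructed to echo the numbers in the answer (roughly $10 million to fix everything against $5 million of revenue, five findings that matter); the scoring is the standard annualized-loss-expectancy method (probability times impact), which the article does not itself name.

```python
"""Added example: ranking 100 equally rated "high" findings by business risk.

All inventory data below is constructed for illustration. Scoring uses
annualized loss expectancy, ALE = p_exploit * impact_fraction * business_value,
a textbook quantitative method assumed here, not one described in the article.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed label, not a real identifier
    asset: str
    business_value: float     # annual value (USD) the asset supports; 0 = no revenue role
    p_exploit: float          # assumed probability of exploitation within a year
    impact_fraction: float    # fraction of the asset's value lost if exploited
    remediation_cost: float   # USD to fix

    def expected_annual_loss(self) -> float:
        return self.p_exploit * self.impact_fraction * self.business_value

    def loss_avoided_per_dollar(self) -> float:
        ale = self.expected_annual_loss()
        if self.remediation_cost <= 0:
            # a free fix is worth taking only if it actually avoids some loss
            return float("inf") if ale > 0 else 0.0
        return ale / self.remediation_cost


def build_constructed_inventory() -> list[Finding]:
    """100 scanner 'high' findings: 5 on revenue-generating billing systems,
    95 on dev/test hosts that carry no direct business value (constructed)."""
    findings: list[Finding] = []
    for i in range(5):
        findings.append(Finding(f"VULN-{i:03d}", f"billing-{i}", 1_000_000.0, 0.30, 0.50, 20_000.0))
    for i in range(5, 100):
        findings.append(Finding(f"VULN-{i:03d}", f"devbox-{i}", 0.0, 0.50, 1.0, 100_000.0))
    return findings


def prioritise(findings: list[Finding], budget: float) -> tuple[list[Finding], float]:
    """Greedy selection: best loss-avoided-per-dollar first, skip what the
    remaining budget cannot cover, stop at findings that avoid no loss at all."""
    ranked = sorted(findings, key=lambda f: f.loss_avoided_per_dollar(), reverse=True)
    chosen: list[Finding] = []
    spent = 0.0
    for f in ranked:
        if f.expected_annual_loss() == 0:
            break  # everything after this protects nothing the business values
        if spent + f.remediation_cost > budget:
            continue
        chosen.append(f)
        spent += f.remediation_cost
    return chosen, spent


def summarise(findings: list[Finding], budget: float) -> dict:
    """Compare 'fix all 100' against the risk-ranked plan within a budget."""
    chosen, spent = prioritise(findings, budget)
    return {
        "findings": len(findings),
        "cost_to_fix_everything": sum(f.remediation_cost for f in findings),
        "expected_annual_loss": sum(f.expected_annual_loss() for f in findings),
        "budget": budget,
        "chosen": [f.vuln_id for f in chosen],
        "spent": spent,
        "loss_avoided": sum(f.expected_annual_loss() for f in chosen),
    }


if __name__ == "__main__":
    for key, value in summarise(build_constructed_inventory(), 200_000.0).items():
        print(f"{key}: {value}")
```

With the constructed numbers, fixing all 100 findings costs $9.6 million, yet the entire expected annual loss ($750,000) comes from the five billing-system findings, which a $200,000 budget covers with $100,000 to spare. The 95 dev-host findings are still "high" to the scanner, but quantifying them against business value shows they consume budget without avoiding any loss. Swapping in real asset valuations and calibrated probabilities is the work the quantitative approach asks for; the ranking logic stays the same.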

Stories by Mary Brandel