The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more
The mission of Los Alamos National Laboratory is to develop scientific and engineering solutions to the biggest challenges facing the United States. More than half the lab's $2 billion operating budget goes to nuclear weapons design, and it's the job of CISO Jamil Farshchi to protect the institution's classified and unclassified information. In less than two years, Farshchi and his team have created and implemented a strategic planning framework that aligns the lab's security with its mission.
CSO: What is unique about the security challenges you face at Los Alamos National Laboratory?
Jamil Farshchi: Protecting and handling classified matter effectively is our most interesting challenge: How can we keep our nation's intellectual property safe while making it accessible to those with the proper clearance and the need to know? The implications of a breach could be huge--not just for the nation, but for the whole world.
What is the most difficult or rewarding accomplishment of your career?
My most gratifying accomplishment was at NextWave Wireless, where I was charged with building an information security program from scratch. I supported security integrations following several mergers and acquisitions, managed our SOX 404 compliance and installed the security foundation. It was a dynamic, energized environment, and it was my first time leading a security program. Looking back, it was a great time.
[Also read Information security, value creation and the balanced scorecard by Farshchi and Ahmad Douglas]
What has been the biggest change to the CSO role in the past few years?
The shift from a purely technology focus to one that is more business aligned. Take cloud computing. The typical security function might not want to take on that level of risk. But the opportunities for business are limitless and are starting to drive security into a new mind-set. Rather than security as a gatekeeper, it's security as an enabler--how are we going to partner to implement this securely?
There are still a lot of security practitioners who think our job is exclusively to reduce or eliminate risk. But to reduce risk, you have to implement controls, which constrain productivity and therefore limit business growth. Rather than single-mindedly trying to reduce risk to zero, we need to start seeking a balance.
Can you name one of the biggest mistakes you've made during your security career and what you learned from it?
I used to believe that simply making a mistake would be career-ending in the security field. I've since realized that making mistakes is a necessary component of learning and improvement, as long as we aren't repeating the same mistake. It has been proven that meaningful innovation is the result of many small failures that are incrementally improved upon to finally produce the big idea. If, as leaders, we do not tolerate mistakes, we will put a ceiling on our potential and will fail to achieve greatness.
What are three fail-proof principles of security leadership?
First, focus on the customer. Unless you can listen and apply what you hear to your security strategy and investments, there's no way to create a competitive advantage.
Second, strive to balance risk and value. Again, it's not about driving risk to zero, it's about balancing risk with the productivity and innovation value that the business creates.
Third, be sure to align incentives appropriately. If you seek to build an agile and aligned security program, you should reward your workforce for finding minimally intrusive methods of reducing risk, and even for eliminating unnecessary controls when possible.
What are two things about security or security leadership you wish you'd known 10 years ago?
It's critical to understand the technical aspects of security, but it's only a small part of the role. You need to have competence in a number of other disciplines as well. Business acumen and communication skills are key, but understanding other fields, such as psychology, education, statistics and economics, contributes to differentiating a complete security leader.
What is the most over-hyped topic in the security field?
Governance, risk and compliance tools. They can improve your operational efficiencies relative to your compliance capability, but I don't think they provide much in terms of understanding risk in the enterprise or helping to truly protect the organization.
What will be the next big topic in the security field?
Applying quantitative methods to risk management. Security folks tend to want perfect answers and perfect data, which I think is why we haven't been able to meaningfully quantify risk to date. But we don't need absolutely perfect information--in fact, any level of risk quantification will be a dramatic improvement.
[Learn more in The great IT risk measurement debate]
Here's an example: patch management. If 100 "high" vulnerabilities are found throughout your corporate network, what does that mean? Security practitioners have assumed it means we need to reduce that number to fewer than 100, and ideally zero. What if the cost of eliminating those vulnerabilities is $10 million, but the entire corporation only generates $5 million in revenue? Through quantitative methods, we can better link security decisions to what matters to the business. We might find that only 5 of the 100 vulnerabilities affect business activities that create real value and focus our scarce resources on those. The potential for long-term impact on the security practice is enormous.
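A worked version of the patch-management argument above, added here as an illustration and not code from the interview or from Los Alamos: 100 "high" findings whose total fix cost is $10 million, ranked by expected loss per remediation dollar instead of by severity count. Asset values, exploit probabilities, impact fractions and fix costs are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str
    severity: str            # scanner rating; all 100 are "high", which is the whole problem
    asset_value: float       # annual revenue the affected system supports (assumed, dollars)
    p_exploit: float         # estimated annual probability the flaw is exploited (assumed)
    impact_fraction: float   # share of asset_value lost if it is exploited (assumed)
    fix_cost: float          # cost to remediate (assumed, dollars)


def expected_loss(v: Vuln) -> float:
    """Annualized loss expectancy: probability of exploit x value at risk."""
    return v.p_exploit * v.asset_value * v.impact_fraction


def prioritize(vulns, budget):
    """Fund fixes in order of expected loss avoided per dollar until the budget runs out.
    A finding whose expected loss is below its fix cost is never worth funding on these
    numbers, so the loop stops at the first one (the list is sorted by ratio)."""
    ranked = sorted(vulns, key=lambda v: expected_loss(v) / v.fix_cost, reverse=True)
    chosen, spent = [], 0.0
    for v in ranked:
        if expected_loss(v) <= v.fix_cost:
            break
        if spent + v.fix_cost > budget:
            continue
        chosen.append(v)
        spent += v.fix_cost
    return chosen, spent


def loss_avoided(chosen) -> float:
    """Total expected loss removed by the funded fixes."""
    return sum(expected_loss(v) for v in chosen)


def sample_findings():
    """Constructed scan result: 95 highs on low-value lab/test hosts, 5 on revenue systems."""
    lab = [Vuln(f"V{i:03d}", "high", 20_000.0, 0.3, 0.5, 100_000.0) for i in range(95)]
    rev = [Vuln(f"V{i:03d}", "high", 1_000_000.0, 0.3, 0.5, 100_000.0) for i in range(95, 100)]
    return lab + rev


if __name__ == "__main__":
    findings = sample_findings()
    picked, cost = prioritize(findings, budget=500_000.0)
    print(f"fix-everything cost: ${sum(v.fix_cost for v in findings):,.0f}")
    print(f"funded {len(picked)} of {len(findings)} for ${cost:,.0f}, avoiding ${loss_avoided(picked):,.0f}/yr")
```

Changing the assumed probabilities or asset values moves findings in and out of the funded set, which is the point: the ranking is driven by business exposure, not by the scanner's count.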