ISE® North America Academic/Non-Profit Award Winner 2011
My story is unlike many others you will hear because I do not come from a background of being a Chief Information Security Officer. I actually am a Chief Risk & Compliance Officer. I became very curious and interested in learning about Information Technology when I began working with the University of California. I began working with our Information Security teams at various campuses and medical centers around the University. This work got me invited to speak at a conference in San Francisco to the CISO Executive Group because they were beginning to get more interested in, not only IT risk management, but enterprise risk management and really learning how to think about how IT fit into the overall framework of the organization. This was my introduction into the CISO community.
With that introduction, came my introduction to the ISE® Awards program. Someone from the CISO community took notice of the work I was doing with the University and suggested I submit for the Information Security Executive® of the Year Award. At that point, I had not even thought of it but I decided to do the submission. My submission focused on the challenges of insuring cybersecurity and my journey along the way. At that time, there was not a lot available in the marketplace, so I built relationships with my Information Security team and developed a reverse underwritten insurance policy – the first one of its kind. It was very unique and cutting edge. It was a policy that was the spirit of what every CISO was trying to do. To my surprise, I was selected. I felt really lucky that these wonderful, talented and smart people would let me into their club. I felt enabled and empowered to learn about IT Security and to just learn! It made me hungry to learn more.
After that first ISE® experience, I was hooked. I knew this was where I wanted to be and that being there was a game changer. I was able to start conversations with CISO’s and gain knowledge and information that was just invaluable. A few years later we were working on decentralizing our payroll system with a large IT organization. Their normal business contract did not provide any indemnity or any insurance coverage for the University. I met with their attorneys twice to try to come up with some kind of solution to provide protection to the University to no avail. Then it hit me… I was going to ISE® West and I would bring the contract with me. Even though the contract was not the topic of the Roundtable, the CISO’s who attended provided me some of the best information. They told me the solution and the language that I needed to put into the contract so I was able to afford the protections to the University. It was very exciting to see our data insured on someone else’s systems as a result of advice I received from my colleagues and friends from ISE® Programs.
Since I am not a CISO, I have a difference perspective and I think there is an invaluable opportunity for chief risk officers to get more involved. More and more chief risk officers are either working for IT companies or they are getting closely involved with IT security or IT operations. The CISOs want to understand what I do, how I think and how I present information to the board from the risk perspective. I have been advocating to risk managers that they need to partner more with their CISO’s. I think there is a huge opportunity here to connect and collaborate and make organizations stronger.
I strongly advocate for risk managers or risk officers to build a relationship with your CISO or IT Security team. Get involved in IT security training and partner on a project. Use that project to submit an ISE® Project award. The more time and energy you put into that relationship the stronger your teams will become in support of your enterprise.