Information Security Agenda - Kevin Richards, President of ISSA

With Howard Schmidt's appointment as national cybersecurity coordinator, his role as president of the Information Systems Security Association (ISSA) has been filled by Kevin Richards, a risk management advisor with Crowe Horwath.

In an exclusive interview, Richards discusses:

Top agenda items for ISSA in 2010;
Biggest information security threats;
Best opportunities for information security professionals.

Richards has served on the ISSA International Board since 2003, initially in a global chapter relations capacity and then as the international vice president since 2007. A past president of the Chicago ISSA Chapter, Richards is an information security and risk management advisor for Crowe Horwath with more than 18 years of experience in information security, business continuity and enterprise risk management. His expertise ranges from risk analysis and program design to information security and business continuity program development and leading practices.

TOM FIELD: What's on the agenda for the newly appointed President of ISSA?

Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am privileged today to be speaking with Kevin Richards, who has just been appointed to replace Howard Schmidt as President of ISSA.

Kevin, thanks so much for joining me.

KEVIN RICHARDS: Thank you for having me.

FIELD: Just to get us started here, why don't you tell us a little bit about yourself and your roles both with ISSA and elsewhere?

RICHARDS: Okay. Well the ISSA, as you mentioned I am the new ISSA International President. I have been in the information security and information risk management space for 18 years, going on 19 years, working for a lot of organizations in an advisory capacity to help develop security frameworks and information risk management approaches on how to better protect their organization.

So, within my role with ISSA I am fortunate to, as you mentioned, step in for Howard as he ascended to the White House, and in that capacity I will be the Chairman of the Board of Directors, as well as being the lead executive over the ISSA International organization to provide guidance to our management company and the operational components of the ISSA; that is my volunteer job.

My day job is I am with the risk advisory practice for Crowe Horwath and I am a leader in our security and privacy team, which includes things like security, privacy, business continuity and information risk management.

FIELD: Very good. Now Kevin for those that don't know enough about the ISSA maybe you could tell us a little bit about the organization.

RICHARDS: Sure. The ISSA is a great organization. It is the world-leading information systems security professional association. Our goal is to really create a global trusted community for security professionals to network, collaborate, to provide education and knowledge sharing to really help our members meet their goals within their organizations to protect their environments and really promote leading practices within information security.

We have got 10,000 members around the world. We have a wonderful, strong chapter organization. We have got 141 chapters in 38 countries.

FIELD: Now, Kevin, you mentioned the immediate challenge, which is replacing Howard Schmidt. Give us a sense of the scope of that job and what that means to you and to the organization.

RICHARDS: Sure. It is funny. I have been asked this a few times: How do you replace Howard Schmidt? I don't really replace Howard he has been a luminary in our field for so many years, it is a little bit of basking in the light of what he has been able to accomplish. So I think replacing is going to be tough because of what he has done and where he has been.

From an operational perspective, he has been great over the last three years when I have been serving as the Vice President of ISSA. He has been generous with his time to give me insights on the operational facets of ISSA and the things that make it tick and how it needs to run.

I will be facing the biggest challenge, because Howard was tireless in his travels. He would travel 300 days a year and had the opportunity to meet ISSA members and security professionals around the world, and one of the areas that I need to be able to fill in is how do I get that same or as close to the same level of access as possible? My global travel budget, I don't think, is as big as his was from his private practice or his day job prior to going to the White House, so I think those are going to be the biggest challenges, being able to be in as many different countries around the world the way he did.

But fortunately, he is going to be carrying a little bit of a banner even at the White House. He is committed to helping out and making sure that ISSA gets good visibility within the U.S., and whenever possible he is still going to be able to promote the values of what ISSA is, and it is still a very special organization; so that's good.

FIELD: Kevin, give us a sense of what the top agenda items are for the organization this year.

RICHARDS: Okay. So 2010, as we enter into this new decade, first and foremost we need to continue to highlight a lot of the great things we have already in place. As I mentioned, we have a phenomenal global chapter organization. With these 141 chapters we have the ability at a very local, personal level to deliver world class content for knowledge sharing and education. I think we need to continue to support, promote and grow that chapter organization.

We recently launched a captive portal environment called ISSA Connect, which is still in its fledgling stages. It has been live for a couple of months, and we are starting to get some great content, we are seeing some great collaboration amongst our members there, so we are going to continue to promote that to enhance the capabilities and really support our memberships in our chapters worldwide.

We have a world-class CISO executive forum where we bring in leaders of many organizations on a quarterly basis in-person for a day and a half to two-day long seminar/workshop type events where they can talk about current trends, current events, new challenges. We have had a great response in the U.S., and we want to continue to grow that group.

We have the rest of our 10,000 members where we are continually looking for ways to provide new values. I think that we are going to continue focusing on the training and knowledge sharing and personal advancement of all of our members, but we are continually looking for new areas to provide value to them.

Beyond the things that we are already doing, we have some pretty lofty initiatives to move forward, and we have our magazine called The ISSA Journal, which we recently moved into a more digital format. We are trying to find new ways to try and expand that digital footprint, whether it is on our ISSA Connect environment, looking at ways to make it really effective and efficient on the various eBook readers, whether it's the Sony, the Kindle, the pick-your-flavor.

This year we are re-instituting our annual conference, and it is going to be in September, based in Atlanta. We are going to have a traditional conference knowledge event. We are going to bring together our chapter officers in a global chapter officer congress and work it together with our CISO forum. So I think that is going to be a great, great event in September.

We have a great membership now, but we need to continue to find new areas to grow. We have some opportunities internationally that we want to consider as we look for new audiences that are either entering into the information security space, or maybe didn't have a great exposure to ISSA. So we have a pretty focused effort over the course of the year to continue to look for those audiences and show them our value proposition, and hopefully if we can do a good job they will want to join our community.

FIELD: Kevin, I am going to ask you to draw from your day job as well and give us a sense of what you see as the top information security threats today?

RICHARDS: It is a crazy landscape out there, and when you look at it, I think that there are a few kind of fundamental areas that organizations are struggling with and really need to come up with a good answer for.

The first one I would call information risk, and I have few components within that. The first is understanding what information, what data do I have as an organization? Is it privacy data? Is there some kind of regulatory impact to that data? Is it intellectual property? The things, the bits of information that I have that I need to protect, do I know where it lives? Is it on file servers? Is it on laptops? Is it in motion, whether it is being transmitted via email or sitting on a jump drive or some other mobile device, a phone? Is it moving and then how am I protecting it?

Organizations are struggling with getting that inventory of what is it I have, where is it, how am I protecting it and what is the impact to the organization if it gets lost. Because of that, we have had a channel into really getting an understanding of what is my real exposure here. So I think organizations are struggling getting their arms around that.

As I mentioned, we have got this explosion of mobile technologies, whether it is smart phones, whether it is thumb drives, define where the endpoint is. Is the endpoint part of the cloud? Is the endpoint a laptop? Getting your arms around what is it I am trying to protect.

The days of having a set perimeter that I could build a wall or I could a moat or I could build another castle with a larger wall with larger defenses - that has been gone for years, and with this explosion of technologies I think that organizations are really having challenges trying to define that endpoint and define a security strategy that enables the business but allows them to meet their security and risk management objectives. So I think that is still an area that is still a big threat area that we are seeing organizations trying to get their arms around.

I think internally one of the areas that is a big challenge leads to really decision support, which is how do I bridge the gap between my traditional information security infrastructure and the organizations enterprise risk management framework so that I can explain to the business: here are my exposures, both technical, process, and getting management's understanding and buy in and commitment to get the appropriate funding to build those protection area controls in place. So, the threat is sometimes the lack of understanding from an executive level as to what my real exposures are, and I think there is a big area for the profession to bridge that gap so that things are being protected in a way that best supports the businesses risk objectives.

FIELD: Kevin, that is well said. I want to take you in another direction now. You know, we have heard a lot in the past year from government certainly about cybersecurity and then opportunities in healthcare, with HIPAA and the HITECH Act. Where do you see some of the best opportunities today for information security professionals?

RICHARDS: The recession and the economy aside, there is a huge push and a huge need for information security people. You mentioned healthcare with the HITECH provisions in the Recovery Act. Organizations are having to get their arms around 'Do I have the appropriate technical and administrative controls in place to protect protected healthcare information?' And healthcare organizations are struggling with that.

The expansion of that law to cover business associates is creating a market of people that didn't necessarily have to have this stringent of controls in place, and they are trying to get their arms around where is the data that I need to protect, how am I protecting it? And then you have the other formative piece, will it pass an audit? So, I think for security professionals there is a huge opportunity there.

There is continuing opportunity in really every industry. Financial services, which tends to lead the industries from an information security perspective, those banks are starting to focus again on how do we grow the business and how do we protect the business, and we are seeing a very strong commitment to information security within the financial services space.

Even areas that are non-traditional from an information security perspective, the utilities and energy space -- there is a recent requirement called CIP (Critical Infrastructure Protection), where the standards for all the electricity grid on cybersecurity and what needs to be protected if they have critical infrastructure components for our electrical grid. That is being extended to the Nuclear Regulatory Commission, and so we are seeing a push in those spaces as well.

We are even seeing areas in transportation, for the railways for example. We are seeing that a lot of the switching signals are happening from centralized points and being spread over a wireless network to the various railroad tracks around the world, and they are asking, 'Well, could someone intercept this command and change the switching signals so that trains are going into the wrong tracks?'

So, we are seeing across industry a heightened awareness that this is not only important, but it is critical. It is critical for business success. It is critical from an industry perspective, and it is not just great for the bottom line, it is great from a nationalistic infrastructure protection perspective as well.

FIELD: Kevin, one last question for you. You certainly have been in the profession for a long time now, and you have seen it evolve. If you were to boil it down, what advice would you give to somebody entering the information security profession today?

RICHARDS: That is a great question. So. if someone were coming into the profession today, I would say first you need to understand that information security is both a technical challenge as well as a business challenge, and that you have to be able to live in both worlds to be very, very successful.

From a technical side, you need to understand the fundamentals of how things work. When I started in the security space, I grew out of a network management component, and we were looking at packets and how a packet traversed the network and how a packet interacted with applications. It was very comforting to know that the wire never lies. If I saw different kinds of attacks across the wire, there were characteristics that I knew. If certain things were in a certain way, that was an attack. It was very simple, and understanding the fundamentals of how a packet worked, I could understand how that impacted networking devices, and I could understand how that would impact an application space.

So, from a bottom up perspective, or technology up perspective, that is an important area for new security professionals to understand. How do things work? How do things tick? And more importantly, how would someone try to manipulate things in ways you didn't expect?

Now the challenge, and I think this is the challenge moving forward for our profession as well, is why should I care if I am an executive? What is the impact to my business? What processes are going to be impacted by that attack? So the concepts are the same; there is this technical flaw, whether it is SQL injection or cross-site scripting or a buffer overflow.

Okay, those are all great technical speak things, but how does it impact my transaction processing? How does it impact my manufacturing? How does it impact my yield management? And let's talk about this in a way that I can make a business decision as to why this is relevant, why this is important, and help me determine how much do I need to invest to protect that? I think that is an area that most information security people have had challenges, converting that technical component into a business-relevant area or opportunity.

So, what I would tell that professional is: Understand how the watch works, as well as be able to tell time and be able to tell the business why time to market matters. And if you can bridge those three, you are going to be a wonderfully successful information security professional. Not to say that you are not in those specific areas, but I think that is where the value will be long-term within an organization.

FIELD: Kevin, that was very well said, and I appreciate your time and your insight today.

RICHARDS: My pleasure. Thank you very much for having me.

FIELD: We have been talking with Kevin Richards, the newly appointed President of the ISSA. For Information Security Media Group, I'm Tom Field. Thank you very much.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.