In her last job as chief security officer at the U.S. Securities and Exchange Commission (SEC), Chrisan Herrod had to be extra careful with the agency’s cybersecurity efforts. Not only does the SEC have to comply with government rules on information security, but the agency also follows the security rules in the Sarbanes-Oxley Act, the 2002 law requiring officials at U.S. companies to detail the internal controls involved in their financial reporting. As the chief enforcement agency for Sarbanes-Oxley, the SEC needed to be a shining example of compliance and security.

Herrod, a former IT security officer at GlaxoSmithKline and Fannie Mae, kept the SEC in good standing between August 2003, when she joined the agency, and her departure about a month ago. On Monday, she starts a new job as chief consultant of compliance solutions at Scalable Software, a vendor of IT products aimed at regulatory compliance and asset management.

She spoke this week to IDG News Service about her job move and cybersecurity. An edited transcript of that interview follows.

IDGNS: Why did you decide to leave the SEC?

Herrod: I had 20 years of federal government service [including posts at the Defense Information Systems Agency and the National Defense University], and I wasn’t going to get any better retirement benefits. It was a good time for me to go back to the private sector.

IDGNS: Why Scalable Software?

Herrod: We used Scalable’s Command Center automated compliance monitoring product at the SEC to help us comply with Sarbanes-Oxley and the cybersecurity requirements in FISMA [the Federal Information Security Management Act]. I really believe in this type of product in terms of being able to manage the complexity of compliance. My real passion right now is compliance management issues, and I think Scalable has a better way to do this.

IDGNS: What’s the state of cybersecurity both in government and the private sector?

Herrod: Overall, the state of cybersecurity is fairly mediocre. From a baseline perspective, we haven’t come a long way in the process-and-people side of the equation. Technology continues to improve, but even the best technology products require a lot of user savviness. A lot of technology requires the training of users and administrators. I just don’t think we’ve achieved the next level of cybersecurity. We’re still in release 1, or maybe release 2.

IDGNS: Why do many government agencies continue to struggle with cybersecurity, including the low marks this month from the House Government Reform Committee?

Herrod: The government crucified itself for putting the responsibility for cybersecurity in the IT arena, instead of requiring agencywide responsibility. Information assurance is not a technology problem.

IDGNS: Yet some agencies, including the SEC, seem to have few problems. Why?

Herrod: The SEC had a couple of major things going for it. First, the SEC is a small agency, with only about 4,000 employees. Secondly, the SEC didn’t have a lot of major applications it was running; it had only 18 major applications. A lot of larger agencies have dozens of major applications they’re responsible for under FISMA. We also pulled information security out of the data center and focused on a holistic approach to security, including physical security.

IDGNS: What advice would you give to compliance officers at federal agencies or private companies struggling with compliance?

Herrod: Agencies and the private sector just need to take a breath, step back and realize what regulations apply to them. They have to look at it as a program, not as a stove-pipe fix that doesn’t affect the rest of the organization. From an information security perspective, the best thing they can do is examine their processes. For example, can they have better access-management processes?
If they do something considered as better process management, they could eliminate half of their audit items.

-Grant Gross, IDG News Service