by Dave Gradijan

Reuters CSO on Enterprise Architecture and Governance

Dec 29, 2006 | 9 mins

Topics: CSO and CISO | Data and Information Security

For the past five years, George Wang has been keeping a tight ship at Reuters. Previously chief information security officer (CISO), Asia, and later joint global CISO, he was the organization’s veritable gatekeeper, responsible for keeping the bad out and the good in.

Today, he is group head of the chief architecture office, Reuters Asia, and what that means, in his words, is that he’s “going broad,” having “gone narrow and deep.” According to The Global State of Information Security 2006, a survey by CIO and CSO magazines and PricewaterhouseCoopers, security positions are becoming established within the organization, with executives climbing the corporate ladder: 38 percent of respondents have been in their jobs for at least five years, and more of them report to the CEO or the board, more often than to the CIO.

“Going broad” for Wang means that his new role concerns far more than security issues alone. “Vendor relations, enterprise architecture, governance, for example,” he says, ticking them off on his fingers. He sees a trend gradually affecting more CISOs, where IT security operations move from their area of governance to the IT operation department’s, under the CIO.

He sees this as a way for IT security personnel to stay relevant, because having security as only part of a wider spectrum of skill sets, as opposed to managing IT under the security department, is less limiting and allows them room for growth in a relevant space. “And on the management end,” he says, “security should be a part of the business process. A lot of times in the past, when security was run within its own department, the security people had difficulty translating their critical needs exactly to the business managers, because they were seen as just a safety measure, a security function.” “When you make it a business concern, you make it relevant and tactile,” he says.

For that reason, the CSO is becoming the bridge, a connector between the business and what makes the operations tick. Managing security is, after all, managing risk, he says, and you can’t do business without a measure of risk involved.

The CSO evolution

Globally, the role of the chief architecture officer (CAO) is seen more often in Western countries, but we’re slowly seeing more appear in Asia. Wang sees a “smallish trend” of security people expanding their profile to include business-driven concerns, and views the change in job scope as natural, a result of growing strategic developments in Asia.

Moving the organization’s internal IT security operations back under the control of the IT operations department, away from the CSO’s office, is a growing trend among organizations with a definitive plan for security to feature high up in management’s eyes.

Observing a similar movement in Reuters, Wang now reports to the global CAO in London, from his base in Asia.

Reflecting upon the change of staff under him and the corresponding loss of a sizeable IT security department, he talks about creating value for the company in the new role.

“You need to be seen as valuable, and a large part of that is in the positioning of your work in the company’s value chain and in the communication,” he says. “The funny thing about people is that if nothing bad happens after a while, your budget starts getting cut.” Staying relevant and broadening areas of governance follows that step; Wang pushes the message of security as a pathway to growth for the company, but patience is key.

“The slower rate of delivery makes people wonder if the investment is worth it at times. It takes about five to six years to see significant results,” he says. For that reason, it takes someone from the bits-and-bytes crowd to step up and translate that to the language of dollars and cents.

Wang’s combination of technological know-how and a master’s degree in business administration is surely coming in handy. “It’s got to be someone who’s familiar with the systems and processes, who can also see how that isn’t a means to an end but a business mover,” he says. “The security professional sees beyond the business level and ties it all back.”

Director of corporate information systems at NCS, Bok Hai Suan, agrees: “The hardest thing is to make everyone see the invisible threat. You invest in security so that nothing serious will happen to your operations. Over time, as the number of security incidents goes down, you don’t feel the threat as much—you don’t want to, because that means an outage has occurred.” He gets around this by knowing where potential threats may lie, so that the appropriate recommendations can be taken.

“Moreover,” he says, “Real data speaks loudly.” Doing his homework of monitoring network security closely and presenting trend reports to the management helps win votes over to his cause. “The numbers help people see the size and complexity of a problem,” he says—to “see” the invisible.

Beyond the books

It must be tempting at times for the tech-savvy guy with his own budget to go a little trigger-happy when faced with all the technology options out there. Wang acknowledges this and says he often has to move past what’s “cool” and return to the question of whether it’s useful. While he says, with a laugh, that selfishly he’d wish for more power and autonomy to be given to the security department, he admits that the department needs to be integrated tightly and seamlessly with the rest of the corporation for it to work well.

“Like building security and its maintenance, IT security is of utmost importance. Operations would be impacted severely if either failed to work,” he says. “But you don’t have a chief building officer.”

This ubiquitous nature of security he talks of seems idealistic, but it’s a goal he feels is already within grasp. His weapon of choice: education. Holding training sessions for the staff is only a start; he wants them to develop habits that will make their digital tracks better covered and safer.

Understanding the impact of practices will go a long way in underscoring security’s implicit belonging within the framework. The education will also defeat the notion of the security department as policeman: “Security is everyone’s responsibility. No one person can mind everybody’s tracks, after all,” he says.

Though people are more aware of security threats these days, Wang doesn’t believe in legislation being quite sufficient. “It’s just a starting point to lay the groundwork. Sarbanes-Oxley, for example, is not a risk-based model, so I don’t see it covering the full picture,” he says.

The safe image

He is thoughtful, when asked if a big security department is a mere PR statement. “I think it’s useful even at that level to drive home messaging,” he says. “Messaging both internally and externally, so that people out there know we’re serious about security, and also that our staff understands our commitment to such efforts. It sets the tone, yes.”

At NCS, the collective expertise of its senior-level executives is pooled together to form a security council, on which Bok sits, as representative of the IT arm. Set up for security risk management, the council comprises representatives from building management, the IT and human resources departments and watches over physical, information and personnel security. Bok says: “Customers expect you to have the proper set-ups and infrastructure in place, in the times we live in.” The times are characterized by a growing number of threats such as 9/11, SARS and the avian influenza, he adds.

In the light of these threats, a security council is essential in ensuring business continuity. Customers, too, judge the quality of a vendor’s service by how well-developed its security infrastructure is, as testament to the latter’s commitment to their security.

Is this, then, yet another PR move? Bok feels there is only a limited extent to which the PR value of such extensive security efforts can reach: “Security is a real need. It’s a business requirement. It’s not just a big show; customers often want to see your security audit reports, view the corresponding policies and so on. You’ve got to take it seriously for your customers to take you seriously,” he says.

One word: Educate

His recommendation to customers is similar. First, establish security policies, so the company’s direction is set. Next, have a look at proper physical infrastructure: “You might need to beef up defenses around the company, have guards 24 by 7, that sort of thing,” he says. Then, set up monitoring systems for both the building—closed-circuit television cameras—and information infrastructure, such as spam filters and virus scanners.

“The point is,” he says, “everything’s got to work together. You can’t separate one aspect from the others. You’ve got to examine your security holistically, from the infrastructure to the systems to the people.

“If there’s an IT security incident, for instance, it’s usually tied to someone who’s done something. So you have to involve HR if it involves your staff. And if it involves someone from the outside, did you have good perimeter defense?”

People are still the main point from which to begin, he says. “It’s usually some individuals who are the weakest link, and everything gets compromised.”

Bok’s remedy echoes Wang’s—education. “If everyone’s aware of security precautions, the job of security warden is made much easier. You may have the best infrastructure in place, but if it is compromised by the staff unwittingly, all your efforts go down the drain.”

-Victoria Ho, CIO Asia