CISO of the Week, Allan Alford, CISO at Mitel
Allan Alford is Chief Information Security Officer (CISO) at Mitel, previously CISO at Forcepoint and CISO at Polycom. With 30 years’ experience in IT and Engineering, Alford has a long history with product security as well, having served as Pearson’s Product Information Security Officer (PISO), and as Sr. Director of Product Security at Polycom.
Alford writes articles on various security topics, is frequently interviewed on the same, and is a regular speaker at various security events. A perpetual learner, Alford is currently pursuing a master’s degree in Information Systems and Security from Our Lady of the Lake University and received a bachelor’s degree with a focus on leadership from DePaul University. Alford also holds a CISM certification.
Why did the role of CISO appeal to you?
The CISO lives at the intersection of security and business. Earlier in my career, I left IT Operations to join Engineering in order to be more directly tied to the business. I then built a successful product security program, and drove it into the entire product delivery process. Working with all the various departments involved in conceiving, creating and delivering products to the market, I got a taste of what it was like to be a business enabler while representing security. After that success, it only made sense to become a CISO.
How do you communicate information security issues to the board?
As a business enabler, I try to speak of security issues in business terms. I frequently state “upstairs” that security is risk and that risk is a business matter. The ultimate goal in presenting to the board is to provide a working model that allows them to adjust risk appetite and see the resulting costs, or to adjust budget and see the resulting risk posture. It is my job as CISO to know those costs and risk models, and their job as the board to decide where in that balance the business is willing to reside.
How can CISOs better understand a business’ needs?
I am a huge advocate of forming a cybersecurity council, with vice presidents (and above) from every facet of the business. The CISO should chair such a council and work very hard with his key security practitioners (also on the council) to educate and inform the business about information security. But the real purpose of the committee is to learn from the business. Security is frequently at odds with business needs, and it is imperative for the CISO to experience these conflicts and pain points firsthand. Done right, this council is much more than a “checkbox” steering committee. It should become the heart and soul of information security in the business, and should ultimately own security decisions.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
If one tracks trends in the news, or listens to every vendor pitch, one will quickly feel overwhelmed by the flood of negative information. The secret is to step back from all that noise (while still keeping an eye on it for true disruptions) and to focus internally on the one thing that really matters: risk. By measuring risk, and by creating programs that drive security around risk, one drives a successful security program. If one’s program is not mature enough to be truly risk-based, even a compliance-based approach is better than reacting to all that noise and churn.
How can CISOs balance security and innovation?
Innovation happens. There is no stasis in business. Any program a CISO launches, maintains or manages is a program that must overlay with innovation and change. Reserving budget to educate one’s team is an important step toward adapting to innovation. Maintaining a pipeline into the vendor community to learn about next-generation solutions is another important step. As technology changes, business changes around it. Security technology must in turn change as well. Seeking out disruptors, vendors who truly offer new solutions to new problems, or innovative solutions to old problems, is key.
What is the best way to foster an image of information security being there to help support the business rather than talking about raw technology?
As I mentioned above, a truly empowered and educated cybersecurity council is one very vital step towards this goal. Regular meetings with peers around the business are another important step. Know their challenges. Feel their pain. Offer them a chance to participate in the finalization of security programs and rollouts. Always couch security in business terms or in terms of risk. The technology choices are there to fulfill business needs, not to shape them.
I’m focused a lot lately on vendor relationships, and on leveraging the vendor community as a source of education and awareness of innovation. I used to be a CISO in the security industry, and as such, I was extraordinarily informed as to trends, players, and solutions. More than many other industries, the security industry is self-aware. I had a pipeline of information about industry solutions, even from non-competitors, and I found that pipeline to be valuable. After experimenting with several models, I have elected to carve two hours out of every week to meet with vendors who can show me that they are true innovators or disruptors. I am ingesting a lot about the industry in this way, and am learning a great deal. It is ultimately helping me plan for strategic projects. I have announced on LinkedIn that I am “letting the vendors in” but have also requested a specific format for a very short and sweet pitch via LinkedIn messaging. When vendors follow my request in this regard, I find that I can very quickly determine who is worthy of that two hours a week. I highly recommend this process for CISOs who are feeling disconnected from the innovations of the industry.