CISO of the Week, James Rutt, CISO for Dana Foundation
Jim Rutt, CISSP, CISM, CISA, CGEIT, CRISC, C|CISO, CCSK, is the Chief Information Officer at the Dana Foundation. His responsibilities include providing strategic planning for information and technology management and overseeing all back office technology operations necessary to support the Foundation. Jim is an early adopter of cutting edge cloud security solutions, having led Dana through a complete cloud transformation three years ago. Jim has frequently spoken to peer organizations on corporate cybersecurity strategy and risk management, and also advises early stage technology companies on their sales strategy to the financial and healthcare sector.
Jim is a graduate of Stetson University, where he received a B.B.A. degree. He has 21 years of technology experience (spanning financial, healthcare and pharmaceutical sectors) and has been at Dana for seven years. Jim has presented at multiple CIO and leadership conferences, and has been quoted in the Wall Street Journal (among other publications) for his view on mobile security and governance.
Jim is President and Chairman of the Board of the Technology Affinity Group (TAG) and is Vice President and Board Director for the New York Metro Chapter of the Cloud Security Alliance. He is a member of the Society for Information Management, the SIM Foundation of NJ and CIO4Good, as well as a founding advisory board member of BWG Strategy LLC, a Work-Bench Venture Capital Mentor/Advisor, an advisor to Lightspeed Ventures, a Silicon Valley venture capital company, and a board advisor to multiple startups including Baffle, Axonius, Minerva Labs and Pixm.
What is your overall approach to information security?
Coming from the perspective of an infrastructure background, my approach to security is grounded in a governance framework driven by a continuous risk management operational position. Choosing a solid framework like the NIST CSF, and employing good quantitative and qualitative risk measurements, help to drive the selection of controls we use to keep risk at an acceptable level, as dictated by our board.
How do you convey to the board the message that, with regard to cybersecurity, you can minimize the risk but you are never going to be 100 percent secure?
This message is not as difficult to deliver to, and have received by, your board, as long as you articulate it in business terms with which the board is already familiar. For instance, most boards and board members understand that risk is inherent in every strategic action taken by the organization. Any new business initiative carries with it a certain amount of risk, and most boards understand this. It's no different when explaining new security initiatives, as long as you deliver the explanations in business/risk terms already familiar to most oversight functions on the board.
In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of cybersecurity awareness training?
Awareness goes in lockstep with preparedness. The CISO's role in facilitating and developing appropriate awareness programs and training must come with the understanding that these efforts must minimize interference with personnel's ability to efficiently complete their tasks. Without causing undue fear, awareness needs to convey the responsibility of line personnel to be aware of the possible vectors of action that threat actors may use socially to maliciously affect the organization.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
Many of the cybersecurity issues discussed in the mainstream news relate to breaches or exfiltration of sensitive or regulatorily protected data out of their respective organizations. The most value a security professional can extract from these reports is an understanding of how these breaches were effected, in order to 1) prepare appropriate countermeasures where possible, and 2) review their respective incident response procedures and ensure that they are prepared to respond should the same vector of attack be successful in their own organization.
How do you make sure you know what new projects are on the road map and that security is baked in from the process side?
It's important as a CISO to gain credibility with your business unit functions to be "invited to the table" early enough in the project development phases so that security-related concerns are baked into the project requirements. In order to gain that credibility, as a CISO, you must ensure your own house is in order and that you can demonstrate a good grasp of managing security and risk in business terms that your business counterparts can understand. By demonstrating this ability, I've built my credibility with my business units to the point that I'm proactively consulted on all projects being considered at the steering level.
How important is being able to communicate with your colleagues?
It's vitally important not only that you understand how to "de-tech" communications and learn to communicate with colleagues in familiar terms, but also that you convey the proper tone in communicating concerns, risks, and opportunities. The CISO role (and security in general) often carries a stigma of being the "Chicken Little/sky is falling" role in an organization due to the often highly emotional narratives given to cybersecurity concerns, which weakens credibility. By communicating in risk terms and using analogies that business units can easily understand, the tone of the rhetoric can be brought down to a strictly business-level discussion where cooler heads prevail, and the risk of cybersecurity is understood and treated just like any other business risk.
The growing complexity of threats, combined with the geometric increase in compute assets our organizations acquire, will certainly keep cybersecurity a top three concern for our respective boards for the foreseeable future. However, as the old saying goes, "Techniques may change, but principles never change." By adopting a framework-based approach to cybersecurity while integrating innovation and continuous risk management, we can definitively demonstrate to our respective organizations our ability to manage the risks of this ever-changing landscape.