I was recently interviewed by the CISO Executive Network and my friend Bill Seiglein.
Perhaps others will find it interesting.
MEMBER INTERVIEW: Mark Silver – CSO at First Advantage
A–I came to infosec in the late ’80s as a journalist writing about technology and consumer applications. Security wasn’t a major focus then. In the ’90s, I got involved in traditional infosec by joining a new government department in Queensland, Australia, focused on technology and its use in the enterprise. My team and I focused on R&D in the security space. We were one of the first organizations to conduct assessments and implementations of a Public Key Infrastructure (PKI), iris scanning, finger/whole-hand biometrics, retina scanning, and general network security. I saw a huge increase in security awareness after 9/11, and it was certainly one of the undivided centers of attention when I joined Siemens in 2003 as CISO for the Americas.
A–I was fortunate to head a program I know was instrumental in changing how Siemens did business. The most fundamental change and the one I’m proudest of was introducing risk-based management to infosec using the principle of business enablement. When I got to Siemens, infosec was largely regarded as “those people who constantly say no to the business.” I adopted the mantra “information security is a process-proven business enabler.” It took about a year for us to live and breathe this, but all along I got good feedback from the business about changing attitudes.
And two technology examples: 1) introducing smart cards and PKI, which were instrumental in applying physical access controls consistently across business units to give executives who traveled a consistent way to enter multiple business areas; and 2) developing a comprehensive program to detect and remove malware. Remember, viruses and malware were among the biggest threats many businesses faced then. We also introduced critical application management and security zones to networks: the more critical the application and the more sensitive the data contained, the more rigorous the controls placed in the secure network zones.
A–I see only upsides. If both truly are symbiotic, then having both report to one place lets us implement strategic and systemic controls with the most potential for protecting information. As the business consolidates, rightsizes, and goes through exercises, having both functions collaborate with the facilities function lets the business minimize risks and maximize opportunities to use its workforce effectively—no more turf wars or confusion about roles and responsibilities. In short: the buck stops with me.