
2014 CISO of the year, Shawn Burke, describes his CISO responsibilities amidst a world full of internal and external security threats.

As Sungard Availability Services’ Global Chief Security Officer, Shawn Burke is responsible for security governance across the enterprise and real-time protection of the Company’s global infrastructure. His responsibilities include overseeing security strategy, compliance, physical and cyber security, policy, and operations support. Shawn brings more than 18 years of service provider-oriented expertise and advises on infrastructure evolution and product direction. He is a Certified Information Systems Security Professional (CISSP) and was named Chief Security Officer of the Year in the Info Security Global Excellence Awards. In this interview, conducted by Sue Poremba, he discusses key Chief Information Security Officer (CISO) responsibilities.

Q. Tell us about your background.

At the core, I’m an entrepreneur, and working for IT service providers for the last 18 years has kept my innovative spirit alive. I have roots as a network engineer and recall the days of customers asking more about bandwidth capacity than security. Today as the Global Chief Security Officer for Sungard Availability Services (Sungard AS), I’m responsible for security governance across both enterprise and customer domains. This means my role is heavily integrated at a fundamental level with business initiatives and the overall risk management process. During my three years with Sungard AS, we have continued to evolve our security program to effectively minimize risk.

Q. When looking at CISO responsibilities, where do you begin?

I would begin with the responsibility to educate yourself constantly. Like many of my colleagues, I had to learn security on the job. In my early days as a CISO, I was constantly reading books and articles about security and then would use that information to help me justify the budget I needed to create an effective security program. And here’s the most important point: I’ve never stopped this practice. This is not a “static” area of business: the threats we face are changing all the time and the complexity of our systems is growing. To rise to the challenges before us, CISOs must actively seek out information to increase their knowledge and expertise.

Q. It sounds like a CISO must be very adaptable – is that true?

Absolutely. In fact, adaptability is the second key CISO responsibility I want to draw attention to. For example, previously, IT would control everything with regard to security across devices. But as mobile devices proliferated, I realized that giving employees more responsibility for security – gradually giving them more control of their security practices and requiring them to use certain security tools – made them more security conscious. This change required an emphasis on education to help employees become smarter about their behaviors, and demanded new policies and procedures to be implemented within IT.

Q. How do you address the new threats that exist today?

Greater security risks mean that I now meet regularly with upper management to discuss security plans. That is a critical responsibility for every CISO. We need to share information about security and discuss how threats have shifted. Executives need to know where threats come from and what is at risk. Thanks to incidents like the Target breach, there is more of an emphasis on third-party vendors and being more diligent in ensuring they take their own security seriously. Essentially, the more that is known, the more willing everyone is to do their part to protect the networks and data.

Q. What is the key CISO responsibility as it relates to external threats?

Our responsibility as CISOs is to have the right perspective: namely, we must assume that someone is always trying to get in. Security controls have to go way beyond firewalls and filters. We cannot sit passively, waiting for an alert that there’s been a potential breach. Our security measures must be aggressive, proactive, and comprehensive.

Q. On the other side of the equation, what is the key CISO responsibility as it relates to internal threats?

I would say that our responsibility here is education. Most insider threats are not malicious; employees are not the “bad guys.” But employees can accidentally click on the wrong link or open a malicious attachment by mistake. So we have a responsibility to educate our employees: the more employees know about security, the better the chances that they’ll avoid those mistakes that can lead to a security nightmare.

Q. What’s the bottom line for a CISO today?

The thing about security is that threats are always evolving. What was learned on the job when I started seven years ago has to be updated to meet the security threats of today. A CISO always has to be willing to keep learning and keep restructuring security programs to stay on top of whatever the bad guys think up next.


This article was originally posted on Forbes BrandVoice.