What is your role with Pioneer Investments?
I’m chief information security officer for all Pioneer companies, operating in 27 countries, with more than 2500 employees.
What are the biggest information security challenges that you face?
Doing more with less; optimizing our department’s time. We also need to work with the business by making sure we don’t impede them in a way that prohibits them from making money. Even though [Pioneer Investments] is a relatively small organization, it’s flat, and from a political challenge perspective, it’s complex.
How do you balance the need for security, and your compliance requirements, with also being a business enabler at the same time?
We have to allow people to continue to do their job unimpeded. Everybody is trying their best to make the company money – that’s why we are in business. We are doing our best to remain behind the scenes, enact the compliance and regulatory enforcement we need, but not have the user know we are even there until they need to.
Let’s talk about the technology you need to deploy at Pioneer. What about working in the finance vertical makes what you do unique compared to a CISO in other sectors?
What we are able to leverage from a technology perspective is pretty phenomenal. Take, for example, this whole integration with [ForeScout] CounterACT – I have not seen it done anywhere else in the industry, and I have been doing this for over 25 years. I have not seen this level of integration.
We also use a hardware-based APT [advanced persistent threat] product called Bromium – relatively new in the industry – and we have been working with that since the first release. We have helped them define how it can do its job without impacting the user experience.
What are your main drivers for access control and network visibility solutions?
The main drivers are that we have to do more with less, increased endpoint visibility, and making more intelligent decisions about the controls that we enforce on the endpoints.
There are compliance aspects, with operations in 27 countries. We must have the flexibility to apply a particular policy, not just at a baseline across the board, but with flexibility based on particular locations. With our current technology solutions, we are able to do that at the network layer, and also at the endpoint layer.
What criteria do you use to evaluate potential vendors and their technologies?
I will speak specifically for NAC [network access control] in this context. The company has to have a track record of doing this specifically. We had to have the ability to enact very strict policy. It had to integrate well with our existing infrastructure.
Do you actively look for what new or emerging security vendors are offering in terms of technology?
I’ve never been one to run with the pack. It isn’t the newness or the ‘wow’ factor, but the fact that these products work. What they do, they do very well – and they do very effectively.
The baseline criteria are not based on any particular vendor. There are other big-name vendors out there that offer NAC and APT technology, but they do not give me half the capabilities and integration aspects that I get with the combination of CounterACT and Bromium.
How do you justify purchasing particular solutions to your board, and then evaluate how effective those have been going forward?
Everyone is always chasing the mythical creature, ROSI – return on security investment. But this [NAC] has been fairly easy to demonstrate return on investment: both from the time-saving aspects that we have, as well as the verification of our existing technologies out there that integrate with it.
One example is that we ask: What is the annualized loss expectancy for a particular security incident? There are a lot of point solutions that promise you the moon and the stars, but (1) they don’t integrate with your enterprise, and (2) you don’t have real-time intelligence on systems that don’t support it.
Another example is what we call the X-pocalypse, which is still in the pending stage. XP went out of support, and there are a ton of systems from the business perspective that can’t just be pulled off. Our NAC allows us to apply granular policy to those particular systems you can’t get rid of; it allows you to monitor their access; and it allows the flexibility for non-supportable technologies under XP – such as advanced persistent threat technologies – to coexist and work. So essentially what you are doing is using the protected systems to protect the unprotectable systems.
A recent report cites the finance sector as the slowest to migrate off of Windows XP, how has this been a challenge for Pioneer Investments?
We’ve been 99% XP-free since April 7th, but [NAC] allows us, for that handful of systems, to enact the right controls, make sure they are monitored, and make sure they have limited access. Most of the time the reason we can’t move off of Windows XP is because of application support.
Do you have any examples that demonstrate the value of your technology solutions, and NAC in particular? Any examples you can point to where a security incident has been prevented?
That pretty much happens every day. It’s always the little things that add up, but the real value to be demonstrated is through the compliance aspect – and compliance will typically roll up, in most organizations, through the head of risk. When you demonstrate value to another department that rolls up through the same organization, and they are speaking the laurels of the things that you are doing as making their job easier, then that speaks mountains.
You mentioned that you don’t have much of a BYOD concern because of the finance vertical you work within. What is the BYOD policy at Pioneer Investments?
We are using Good Technology, and that’s pretty much it. You need email? Then you get Good, and that’s it. If it’s a Pioneer-owned device, then that goes into our asset inventory and we can apply controls appropriately. If you want to bring in your iPad or Kindle, then it’s not getting on our network. It’s not only because of regulations in finance, but because we at Pioneer are not comfortable with a lot of the back-end security controls of many of the cloud providers right now – for example, iCloud or Dropbox.
When a Heartbleed comes up, or any other widespread vulnerability incident, where do you start in evaluating your organization’s exposure to it?
Well the first thing I’m not going to do is cry that the sky is falling. We look at these on a case-by-case basis, no matter how bad the threat is being portrayed.
Generally the first thing I will do is put out an email communication to our users – one that informs them about the threat and what the security team is doing to address the situation. Then we look at our level of exposure, and then the level of risk.
Do you worry more about internal or external threats?
I worry more about the things that I don’t know. I know a tremendous amount, and I have a tremendous amount of confidence in everything that we are doing, but I’m sure there are some things that are going on that we just don’t know about – that kind of worries me.
If I had to choose between internal threats and external threats, I can always fire the internal threat. But I can’t fire the external threat. If everyone is on the same page, and no one is trying to do anything malicious, and you have the controls in place to catch the potential internal malicious stuff, then it’s less of a concern to me than the external threats.