Being Chief Information Security Officer for one of the largest brewers might seem like an intractable challenge but Mark Brown, Global CISO at SABMiller, is working hard to ensure his risk management style creates lasting business success.
“I don’t think enough CISOs ask the business about its appetite for risk,” says Brown, looking back on his first two years in the role and comparing his approach to that of his IT peers. “CISOs need to re-educate the technology and business community, so information risk management is the new lingua-franca of the security worker.”
Brown speaks from a position of considerable experience. Having previously worked as a Security Manager in the IT industry, and as an Intelligence Analyst for Her Majesty’s Forces, Brown became Group CISO at SABMiller in January last year.
The brewing giant operates in 75 countries, employing more than 70,000 people. Brown has a worldwide remit to move the organisation from a traditional, reactive style of IT security to a more proactive one, applying technology tools and standardised processes consistently across the whole group.
Key priorities currently include a network and firewall simplification project, run alongside BT Global Services, which lets Brown bring legacy technology into line with the standardised demands of modern business requirements. He also pays close attention to compliance.
Rather than relying on a reactive approach to security management, Brown takes a detective and preventative attitude that is governed by a strong comprehension of business risk.
We’re not a regulated bank, we can take more risk - and working in emerging markets means we
“We have to be business-focused and we want to be an enabler. As a blue-chip company, our business is extremely global and we operate in a disparate range of cultures. When we look at security, we think about brand reputation and how we can make sure information isn’t leaked that might affect our market capitalisation.”
Brown says a business-enabled approach to information security management must speak the c-suite language of risk, rather than the traditional technical idioms of IT security. Rather than relying on a series of technical point solutions to lock down access, Brown uses a set of established business processes to define how data may be used.
A good example comes via Brown’s approach to the management of mobility. Apple iPhones have been used across the organisation for two years and are particularly prevalent in Latin America. Not being as heavily regulated as other sectors means SABMiller has been able to think quickly about how mobile technology is used to achieve business aims.
“It’s about doing things simpler and better, and to reduce cost where possible,” says Brown, whose team has considered carefully how mobile devices can be used securely. Process-driven issues actually produce more complications than security considerations, and Brown says CIOs need to be aware that traditional legal guidelines are unlikely to be sufficient.
“Your existing policy set for acceptable use will not work in the consumer age,” he says. “The traditional IT helpdesk will not know how to manage non-Windows systems. Consumerisation has to be balanced against risk and, if you implement a buy-your-own-device strategy, you have to think about who will be responsible for areas like patch management.”
Brown takes a similar stance to the cloud, encouraging other IT leaders to see the rise of on-demand computing as a means to reset security policies and to reinvigorate the business appetite for technology. “I fundamentally believe we have a once-in-a-lifetime opportunity,” he says.
We must recognise the opportunity and think differently; we can help, not hinder, the business
Funding for IT security is traditionally justified for specific projects. Yet Brown says the confluence of consumerisation and the cloud means security professionals can finally use real business aims to justify the implementation of key information management systems, such as data leakage prevention, network access control and virtual platform technologies.
The message, then, is clear: justify security measures through business processes. Brown, of course, recognises that some IT leaders will have to work harder than others to justify their new approach. While each organisation has its own operating culture, the diverse global reach of some firms - including SABMiller - means CISOs must take account of regional variety and local talent.
Brown says a Global CISO cannot possibly understand all variations in rules and regulations around the globe. He encourages his peers to empower staff regionally, so employees are not merely subservient to the centralised headquarters but are able to manage information flow at the local level.
Brown’s own approach to information security management illustrates this. His regional reports take a 12 to 18-month outlook, considering what the business aims to do next year and how that objective will be reached given the current information management strategy.
Brown sits above such discussions and takes a 24 to 36-month view, where he looks to the future and works with the business to match demands for growth against the broader appetite for risk. “My job is all about translating potential information security issues for the business around culture and economics, and making those concerns manageable in a day-to-day context,” he says.
When it comes to trends during the next two to three years, Brown says organisations will continue to be challenged by a range of cyber threats and consumer-led changes. He says CISOs must think about how security adds value to the business: “It’s all about a controlled revolution and seeing problems before they happen.”
Mark's three top tips for IT leaders looking to manage security
1. There is no such thing as IT security – Think of security only in IT terms and you will implement a series of point solutions that fail to match business demand. A true security metric documents the impact on a business metric.
2. Think like the business – If you do not consider everything in relation to broader strategic aims, you will not be able to help the organisation meet its objectives. Talk to the c-suite and understand what they are trying to achieve.
3. Get out and feel the business – You need to understand why the organisation is doing what it is doing. A good CISO speaks to employees, always appreciating how a problem affects the front-end and the production level.