In San Francisco, Elsevier's David Cass met Eleanor Dallaway to talk privacy, compliance, and what it takes to be a successful CISO in 2014…
A biology major turned CISO, David Cass is the most softly spoken and unassuming security executive that I’ve had the pleasure of meeting. Surprisingly young in comparison with many of his peers, his experience and insight into the industry are notably impressive.
Now senior VP and CISO at Elsevier, a Reed Elsevier company, Cass took two hours out of his busy RSA Conference schedule to talk me through his career journey thus far.
Having grown up in New Jersey, Cass joined UPS as a network engineer, while he was still attending Lebanon Valley College in Pennsylvania. When the audit department advertised openings, Cass migrated and started working more heavily with computers – discarding his biology major. His next move was working for Max Blau & Sons in Newark, New Jersey, where he was essentially tasked with building their networks.
Security was only mildly on the agenda then, he tells me, with the focus on maintaining connectivity and basic passwords.
"Not much was connected to the internet, just the email system, so there was a lower, less exposed surface area"
And Then There Was Data
In 2002, Cass took the position of senior manager and area IT leader at PricewaterhouseCoopers. His role was to aid internal IT operations, work with consulting groups, and support the desktop teams. It was at this point, he notes, that security was starting to be recognized as more of a business issue. “Information was more sensitive, and all of a sudden it wasn’t just our information, but our clients’ information which we had to protect.”
In 2002, Cass recalls, “you owned and ran your own data centers, so there was still a higher degree of control”. Outsourcing was minimal and therefore you maintained responsibility for all of your end-to-end IT operations, “so it was easier to evangelize security when you were in control from end-to-end.”
By the time Cass joined JP Morgan Chase as vice president of risk management for the technology group in the summer of 2006, “outsourcing was big, and indeed the whole operation was much bigger”. By this stage, Cass had completed his first master’s degree; an M.S.E. (Master of Science in engineering) from the University of Pennsylvania.
This qualification would serve Cass well within his present and future roles, giving him the knowledge and skills to understand the business leadership team’s strategy and direction. “At the end of the day, the business needs to accomplish its goals and innovate, and it’s my job to figure out how to enable it to do that”, Cass tells me. “If I don’t understand what the business is trying to do, or the rationale, I can’t engineer a strategy to help”, he says.
One of the most important aspects of his current role, Cass considers, is as a translator. “The business doesn’t want to hear that you have cross-scripting or SQL injection issues. The real risk to the business of something like that is losing the content of that database, or worst-case scenario, a breach. The business understands that aspect of it, so [it’s my job] to convey that message, and work with them.”
Fighting Fire with Strategy
Between his tenure at JP Morgan Chase and his current role at Elsevier, Cass served as senior director of infosec risk and governance at Freddie Mac, the US Federal Home Loan Mortgage Corporation. Cass joined Freddie Mac in 2009, when the company was being overseen by the Treasury Department in the wake of the housing crisis. He was tasked with “re-doing the entire information security practice and creating the entire security strategy. There were literally hundreds of findings in the Congressional report that we were brought in to address”, he recalls.
Cass describes the challenge as “a very good experience”. When I ask what was the most significant lesson he took from the role, he considers the question before answering: “How to address problems from a tactical and strategic point of view...How to implement quick fixes, while ensuring they stay effective over the long term. At that point, after we came in, we had to fill the whole security strategy.”
If that wasn’t challenging enough, Cass also studied for his second master’s qualification – an MBA from the Massachusetts Institute of Technology, Sloan School of Management. He later graduated a year into his Elsevier role in the summer of 2012.
Compliance has been a key component of Cass’ various roles throughout his career, and as such, is a recurring topic in our interview.
The financial sector, he says, is “always the leader of the curve” when it comes to compliance because it has to deal with more severe regulators, fines and penalties “compared to a lot of the other industries where you don’t have the same degree of regulatory scrutiny.”
Surveying regulatory risk is key, Cass tells me. “Consider the regulatory risk in terms of what could possibly happen, and what’s the customer impact? It’s easy for a customer to switch banks, for example, causing a loss of revenue stream and a general loss of confidence.”
The banking industry continues to experience an increase in scrutiny, Cass tells me, “but there’s more and more regulation moving into other industries, having an impact on those that have traditionally been much less regulated”, he says.
As CISO at Elsevier, a large international media company, Cass has to consider regulation in relation to each specific geography. This is especially poignant, he observes, when it comes to privacy.
Privacy by Design
“The EU has always taken a much stronger look at privacy, making sure that companies have more responsibility”, Cass considers. “Traditionally in the US we’ve been more about the opt-out model versus the EU’s opt-in model.”
The increased regulations, he tells me, “are making sure that large companies are putting more scrutiny on what information they’re collecting, what they’re doing with it, and who has access to that information.”
The increased regulations, of course, are partly thanks to Edward Snowden. “The Snowden revelations have put additional scrutiny on programs like Safe Harbor and the information that is being collected.”
At Elsevier, Cass informs me, Snowden has encouraged additional scrutiny, although being an Anglo-Dutch publishing and information company, there has always been a focus on privacy practices as a true global organization. “We’re trying to practice privacy and security by design, making sure we’re transparent about whatever we’re collecting.” Further, he says, Elsevier is minimizing the data it gathers, “collecting only the personal information we need to, and ensuring transparency in our privacy statements.”
“The biggest focus”, he adds, “is on the different EU privacy directives and how we interact with the data protection authorities. You can’t do privacy without security in a digital world.”
Elsevier belongs to the Reed Elsevier group, which is also the parent company of Reed Exhibitions – Infosecurity magazine’s publisher – Lexis Nexis, and RBI. “I have peers in each division, but there’s no one CISO”. Reed Elsevier does have a chief security officer, however, and the divisional CISOs (or equivalents) meet quarterly. “It’s essentially an information security committee. In some ways, our companies are very different so it’s not necessarily a 'one-size-fits-all' model”.
Spending a fairly significant amount of time on the road, Cass juggles a lot of speaking arrangements with his day job, and also finds time to guest lecture. “It’s important to give back to the industry. Part of our job is bringing people up, discussing what we’re seeing in the industry, and raising the visibility of the industry as a whole.”
Cass reports to the Chief General Counsel at Elsevier, which he declares highly successful and “a very progressive and proactive approach”. The reporting line gives him a seat at the table with the CIO, increasing his visibility.
Aligning Security with the Business
Having the CISO report to the Chief General Counsel was one of the recommendations given to Elsevier in a PwC report they commissioned right before Cass was recruited. “The report made recommendations about what the information security team should look like and how it should be structured. There was a basic plan: get a CISO, start the staffing of the department”. This, of course, was when Cass was hired.
“At this time, the company had begun its transformation into the digital world”, and Cass was tasked with building an information security team and program from scratch. His first task on joining the organization was to learn all about the business, “because you have to understand the business in order to know what to protect.”
Starting from the ground up meant that Cass’ initial focus had to be on “tactical blocking”, but three years later, armed with an excellent team and a stronger alignment with the CIO, the focus has switched to long-term strategy. “We’re big cloud users, so that changes the way we have to do information security in general. The perimeter has gone, so we have to focus on how we protect the application and the data no matter where it is.”
His biggest challenge, Cass explains, is ensuring that the information security team and policy are truly aligned with the business. “We have such a diverse application portfolio, because we have a mixture of legacy, things that are new, things that are very progressive, things that are out in the cloud, and out in mobile applications. The challenge is working out the right level of protection, and knowing what to protect, because you can’t protect everything”, he admits.
The nature and culture of Elsevier’s business means that it is not acceptable to “lock people down” or ban social networking on instant messenger, for example. “In our industry, there’s an expectation that you can access whatever you want. One of the biggest challenges for information security is understanding the way that people work has fundamentally changed, and adapting to that.”
Beware of the Phish
Training and awareness, while one of the most important things you can do as a CISO, is also one of the hardest things to do effectively, Cass explains. “I can’t stop them from clicking on things at home and releasing them onto the network”. The key, says Cass, is to constantly train the users. He is planning an internal phishing program this year to “increase awareness among users. Nobody thinks they fall for that stuff, but so many people do”. His planned phishing exercise will, he hopes, serve as a gentle reminder.
Another of Cass’ ongoing challenges is to build security into the SDLC (secure development life cycle). “We’re helping our developers to become better at secure coding”, he explains. “When developers go to school, very few are taught secure coding.”
“Whoever thinks they haven’t had a breach hasn’t been in the industry for long enough or doesn’t know better. It’s not if when it comes to breaches, it’s when. But not helping the business to innovate, that’s to your detriment.”
David Cass, senior VP and CISO at Elsevier, a Reed Elsevier company
Cass and his team are therefore launching an application security center of excellence to impart this knowledge to the development teams and “get them to take more ownership and accountability for the quality and security of the code that they develop.”
Cass and I discuss the skills gap in the industry, and he admits that hiring people with the right skills is definitely a challenge. Nine of Cass’ 11 hires at Elsevier have worked for him in the past and he refers to them as “a set of proven talent, highly skilled and highly experienced.”
He has a mix of technical and business minds on his team, and Cass tells me that those in the more senior roles typically have a mix of both. “It’s more important to have both skillsets the more senior you are”, he says. “I want to make sure they’re comfortable speaking to the business and just as comfortable speaking to the highly technical people.”
During his career, Cass has witnessed the evolution of his role as CISO. Today, he tells me, it’s all about enabling the business. “Information security has traditionally had the reputation as the people you don’t want to go to because you know they’re going to say no.” Once upon a time, he reflects, a breach would have ended your career as CISO. But now, he says with confidence, failing to help the business innovate will be the killer to your career.
Despite this challenge, Cass insists that his current role is his dream job. And I, for one, am pleased to hear this, confident that our very own CISO is where he belongs, and that our organization is safer because of David Cass.