ISSA International Conference

Embracing Change Q&A with Eric Cowperthwaite

Posted By George Hulme, Friday, October 26, 2012

We sat down with Eric Cowperthwaite to ask his advice on how enterprise security professionals need to embrace and manage change in their organizations. Cowperthwaite is chief security officer for Providence Health & Services, a large Catholic not-for-profit healthcare organization with more than 25 hospitals in the Pacific Northwest and Alaska. Eric is responsible for providing strategic and operational leadership in the management and delivery of enterprise security. He was also recognized by ISSA as Security Professional of the Year this year.

ISSA: The theme of the show this year is about how security needs to embrace change in their organizations.  What do you see as some of the technological drivers of change underway, and what does this mean for user productivity? 

Eric Cowperthwaite: The business world is in the midst of a huge transformation. Between the economy, technology, and globalization, the world’s going to change dramatically. And on the technology side we’re clearly going through another game changer similar to the original computer revolution.

The computer revolution was all about productivity changes. This revolution is all about information. We need to not think that cloud computing and big data and all of that technology is going to make us more productive. I don’t think it’s going to. What it’s going to do is make massive amounts of information available, and it’s going to allow us to decide what information’s important. 

And it’s going to do this at huge scale and affordability. Five years ago you could get your hands on massive amounts of information but you had to build a huge data warehouse that cost you tremendous amounts of money to run. We’re at the edge now of being able to get that same sort of information and data for a tenth of the price of building those old multi-terabyte data warehouses.

ISSA: It feels like we are on the verge of an information singularity. What do you think all of this change will mean for enterprise security?

Cowperthwaite: I can see to the edge of the curve which is this insane amount of data availability, but I don’t think we know what it really means yet. Just like in the 1950s when they were first building mainframe computers and programming them for business needs - nobody knew what that was going to lead to. Nobody could have foreseen the 1990s.

As for the impact on security, I think that security people are in denial. Security people are still thinking of these things as discrete issues. They think of the BYOD, cloud computing, big data, and the spread of social media as discrete phenomena. But they’re not. They are aspects of the information revolution.

And too many security people think that they can control these trends. They think that they can establish policies about social media utilization and that’s actually going to work as a control. 

ISSA: What advice would you offer to security professionals when it comes to managing change in their environment?

Cowperthwaite: You have to embrace change, because I promise you your business is going to drive down this road just as fast as they can. You can scream and yell about security problems and productivity and it’s going to actually cost more to do BYOD. You can say those things until you’re blue in the face. They don’t care, they’re going to do it. They are going to do BYOD. They are going to use social media. They are going to go contract with cloud computing providers because it’s faster, stronger, better from their perspective. They can do their business better and that’s what they care about.

Now once you accept this, you can also look for ways to use these technologies to enhance your own job. Rather than spend $1 million on an on-premise GRC tool and $100,000 worth of servers in your data center, perhaps you can find a GRC delivered as a service that you can deploy quickly and inexpensively. It’s what the business is doing. Why can’t we do that in information security too? Why shouldn’t information security take advantage of these things?  So embrace change in the organization, and use these trends to improve your own processes and services.

ISSA: How do you help the organization reduce risk while embracing change? Do they vet cloud services and provide their users a catalogue of approved services? Can there be a list of approved devices for BYOD, but if something is too insecure, not permit those devices? Or, if a cloud service isn’t up to grade, perhaps provide users more secure alternatives?

Cowperthwaite: Yes. Exactly, and the converse of that is that you’re helping your business to do what is needed more securely. You aren’t getting in the way of them doing their work effectively and doing what they need to do. 

You are helping them to be better, stronger, faster in a secure way. When you do that everybody wins. So instead of denying change, figure out how to use it to your advantage. Help employees do what they need to do securely, and help the organization to make wise risk decisions.
