Preface

Many organizations failed to survive the information technology revolution. Many more will not survive the current wave of technology-driven innovation—and the threats and vulnerabilities that come with it.

To thrive in complex, highly-connected global markets, organizations need bold business strategies that use technology to achieve competitive advantage. The enterprise information risk and security team can either hinder these strategies or help drive them. Effectively managing information risk and security, without hindering the organization’s ability to move quickly, will be key to business survival. That is why, three years ago, I changed the mission of Intel’s information risk and security team to “Protect to Enable.” It is also why I am writing this book.

In January of 2002 I was hired to run a program called Security and Business Continuity. This program was created after the events of 9/11 and the Code Red/Nimda viruses during the summer of 2001. It was primarily focused on the availability risk concerns at that time. I had no technical security background but had been with Intel close to 10 years in a variety of business-related positions that were mostly in finance. It became apparent to me in those first few months as I was learning that the world was going to start dramatically changing and a “perfect storm” of risk was beginning to brew. The following picture is what I put together to explain that to my manager, Intel’s CIO, and anyone who would listen to me.

[Figure: the "perfect storm" of risk picture described in the preceding paragraph; image not reproduced here]

In February of 2004, I left this program since we were mostly done with the effort to deal with the availability risks. I left to run our Sarbanes-Oxley compliance efforts for our systems. My finance background, the variety of business roles I had previously held, my many years around IT, and the effort I had led in 2002 and 2003 made it a natural fit. But I had something else haunting me, which was this picture. I wasn’t haunted by fear of the risks that could occur; rather, it fueled my sense of curiosity and triggered in me a passion to figure out how to navigate this storm of risk. So in 2005, once our initial SOX compliance efforts were complete, I went back to information security, but with a drive and desire to link all the main elements of information risk, security, control, and compliance activities together to deal with this spiral of risk. For the past 7 years, this has been my quest. In this book, I will cover many things I have learned in the 11 years that I have been managing various aspects of information risk and security at Intel. I will share ways to think about risk and ways to look at governance. I will explore internal and external partnerships for information sharing and collaboration that can make a difference. I will share examples of things we have done within Intel and things we are looking to do to better manage our risks and enable our IT users. Finally, I will look to the future and share my perspectives on the skills required for the 21st-century CISO.

Managing Risk and Information Security: Protect to Enable is a journey, but there is no finish line. Our approach to managing information risk must continue to evolve as rapidly as the pace of business and technology change. My hope is that people will read this book and begin their own journey.
