A Week In The Life Of A CISO: Rizwan Jan, VP & CIO, Henry M. Jackson Foundation
Security Involves Everyone, Says 2,800 Employee Non-Profit CISO And CIO
Rising to the level of Chief Information Security Officer of a 2,800-employee non-profit organization doesn’t happen overnight, and sometimes it doesn’t happen by design.
Such is the case for Rizwan Jan, whose first career choice wasn’t in IT.
“I was really into art and architecture, and I wanted to go to school for that,” Jan told our sister site Enterprise Mobility Exchange in an interview. “But my parents really weren’t into it and suggested I go in a different direction.”
Jan went to Frostburg State University in western Maryland and obtained a degree in finance, but admits he “hated it after college.” It was then he realized a knack for a different industry after speaking with his uncle, who worked for the IT department at Verizon.
Jan began his IT career like many others. With plenty of self-teaching, he worked in a help desk role, then desktop support, and later “fell into security.” Fast forward to 2016, and Jan found himself taking on the newly created CISO role at the Henry M. Jackson Foundation for the Advancement of Military Medicine (HJF), a global nonprofit organization created by the U.S. Congress in 1983 to help accelerate the progress of military medicine through research and development.
When you’re tasked with building a security department and program from the ground up, as Jan was at HJF, the week-to-week operations start off a bit amorphous but grow to have structure and pointed objectives, the CIO said. Jan created a consistent routine for himself in the two years that he held the CISO role before moving into the CIO position at HJF.
Jan hits Monday morning at 5 a.m., checking and responding to emails before leaving for the office. Thanks to a short commute, Jan is in the office by 7 a.m. and logs into the enterprise risk compliance platform, scanning for incidents in a top-down approach, from critical to low.
From there, Jan and his team of 10 direct reports begin looking at security exceptions, assessing risks and deciphering why security was an issue in that instance, and how to fix it. Jan spends the early part of the week meeting with team leads, including the cyber threat intelligence, penetration testers, and other team leaders from different departments such as privacy and legal teams.
“Security involves everyone,” Jan said. “This is an enterprise problem, not just an IT problem.”
Creeping toward the middle of the week, Jan finds himself at the new hire orientation giving a presentation to recently on-boarded employees. “I have to be in those meetings and speaking with those new hires,” he said. “It’s easier to speak with those folks and teach them about keeping the enterprise secure from day one. It’s harder to break the older culture of employees who’ve been around for a long time.”
Jan also finds himself sitting in on the communications team meetings every two weeks, hoping to change behaviors of the workforce and lending materials in the way of brief articles for better awareness and education.
Each Friday includes a sit-down with the Foundation’s CIO, where Jan provides weekly metrics, including incidents, incident responses and phishing tests deployed to employees, to name a few. “(The CIO) gets a good holistic view of weekly risk posture,” Jan said. “Those stats and metrics trickle up to the executive board and CEO.”
Jan leaves the office around 4 p.m. each day, but logs on from home and continues to monitor and respond to emails until about 6:30 or 7 p.m., he said. “I don’t wait for phone calls (off hours), but I’ll check emails periodically on weekends.”
Of course, if there’s a major security incident or a deadline that needs to be met, it’s all hands on deck, and all previously scheduled meetings and events are basically thrown out the window.
“The day to day stuff goes down the toilet,” Jan said. “With critical incidents, we try to remediate and fix within 72 hours. It’s usually one to three days where people are just scrambling around and everyone is wearing multiple hats. We’ll get back to normal mode once everything is fixed.”
So what does the future of security look like for Jan and the Henry M. Jackson Foundation?
“We’re following NIST and looking at an 18-month view,” Jan said. “We’re in the infancy stage, trying to crawl before we walk. We’re constructing a risk management framework and are in the tier one stage. Right now we’re a reactive security program; but we want to become adaptive, be able to check dark web, use a SOC, et cetera.”
Jan’s vision is full scope, looking to create threat modeling from an application standpoint and make app security stronger, among other ventures. For now, though, Jan will continue to keep the Henry M. Jackson Foundation secure while undertaking the task of building out a more robust team and framework going forward.