
8 CIO Digest April 2008

Governance and information security assumes unique and virtually unparalleled meaning for a global enterprise such as MGM MIRAGE that operates in “the most regulated industry in the world.” Add the requirement for 24×7 IT operations supporting more than 67,000 employees and delivering services to millions of guests annually, and the challenge becomes as daunting as the climb to the highest peaks of Mount Olympus was for the ancient Greeks.

Enter Myrna Soto, the vice president of IT governance and chief information security officer (CISO) at MGM MIRAGE, who approaches the “climbing” challenge with a combination of “mountaineering gear” that includes Six Sigma, industrial psychology, best practices from the Project Management Institute, an MBA, and more. And leveraging each of these different tools in concert with one another, Soto has been able to build synergies between the business and IT.

Opening the “black box”

In her prior role as vice president of business operations and the Project Management Office, Soto served as the champion and liaison between IT and the business, working with her team to define, build, and roll out a series of business models and frameworks. With these in place, CIO Tom Peck pinpointed a new challenge for her as the head of IT governance and security in 2006.

Ascending to the Uppermost Peaks of Information Security

Mapping a Successful Path from Strategy to Execution

By Patrick E. Spencer

EXCLUSIVE INTERVIEW

Photo: Richard Cummings/Corbis

And while MGM MIRAGE had “a very solid foundation as far as its security assets, information security was always a little bit of a ‘black box’ to many in the larger organization: no one really understood what went on in the group…it was like a mystery to many,” Soto reports.

“Information security is one area [of IT] that is very difficult to truly understand and appreciate,” Soto continues. “Very often the security of our organization is considered to be the physical security: the buildings, the locks, the surveillance systems, and so forth. But when we think about information security, and the transmission of our data and our assets, it can be difficult for the staff not attached to the technology to understand what that really means.”

In addition to an MBA and a Masters in Certification in Project Management from George Washington University, Soto holds a Master of Science in Industrial Psychology. This broad background—particularly the training in industrial psychology—affords Soto a special view as she connects the dots between the business and technology. “Those in the business and those in IT don’t always speak the same language,” Soto asserts. “Utilization of some of the core principles of industrial psychology involving human motivation and how people understand different concepts has allowed me to filter out the ‘white noise’ by personalizing information security investments—in terms of both time and budget.”

With this approach, Soto and her team can now execute on their initiatives the same way as with any other project within the company. “When you look at projects that are pretty much self-contained to the IT infrastructure, they may not have typically carried the same charter with the business in terms of status reporting and visibility,” Soto says. “This we have completely changed. Now, we aggressively market our accomplishments, highlighting them to the executive committees, ensuring that the audit committee understands the business value of the different initiatives—it’s a highly supported and very visible area for us right now.”

Measuring success with Six Sigma

Early in her career, Soto recognized the importance of using project management standards to architect and manage IT initiatives. “The project management discipline, or the practice of project management, has served as my ‘fabric’ for 15-plus years,” Soto notes. “When I think about what we do in IT, and even in the business, at some point or another, everything could be considered a project. However, the principles of project management haven’t always been focused on information security. I’ve found them very useful when looking at ROI for a particular business model or continuous process improvement from a process engineering standpoint.”

While serving in a senior leadership role at American Express, Soto was introduced to Six Sigma. “We’ve taken Project Management Institute (PMI) best practices and overlaid them with the DMAIC (Design, Measure, Analyze, Improve, Control) model from Six Sigma for a hybrid approach,” Soto explains. She and her team exercise extreme diligence on how they structure their technology investments, and Six Sigma and PMI standards help ensure they are mapping the right technology investments to core business strategies and requirements. “With DMAIC as our interpretive lens, we look at tollgates before we go too far down the path,” Soto adds. “And this is proving very useful; we have been able to prioritize projects and even eliminate some that simply didn’t make business sense.”

Consolidation drives strategy

Trends around technology consolidation extend to information security, something that has not gone unnoticed by Soto and her team. “When you look at information security, there have traditionally been various boutique-point solutions—whether data loss prevention, encryption functionality, etc.,” Soto notes. But due to pressures from customers seeking less complexity and lower costs, in addition to merger and acquisition activities, “these solutions are being brought together and bundled so that the IT investment landscape is easier to understand,” Soto explains. “As a result, the integration opportunities in information security are much friendlier now—and our larger strategy is based on this framework.” This means that MGM MIRAGE now looks at enterprise solutions versus silo-based point solutions.

Nuggets on MGM MIRAGE

Industry: Entertainment and development
Founded: 1986 (formerly MGM Grand, Inc.; changed to MGM MIRAGE in 2000)
Properties: 17 destinations, with 50% investment in 4 others
Employees: Over 67,000 worldwide
Revenues: Over $7.7 billion (2007)

“Those in the business and those in IT don’t always speak the same language.”

—Myrna Soto, VP of Governance and CISO, MGM MIRAGE

Podcast: Check out the Executive Spotlight Podcast with Myrna Soto at go.symantec.com/soto

When Soto was named VP of IT Governance and CISO, information security responsibilities and functions were spread across multiple groups. Peck determined, at the time, that he could drive various synergies and efficiencies by collapsing all of the functions around Soto. “The IT governance piece covers not only the governance of the structure of our security practice, but the PMO—the way we manage our technology investments, the way we structure the execution of our projects,” Soto comments. “We thus packaged everything under one umbrella—compliance, information security, and project management.”

And consolidation is driving tangible business value. “There were instances where we had over-coverage,” Soto recalls. “Most companies would say I have a vulnerability point here; I don’t have a coverage point here, and so on. That really wasn’t the case for us. We took a look at all of our technology decisions to ensure we were leveraging all of our systems to their fullest potential and getting full advantage of the data we were generating from our monitoring and reporting points—namely, that we’re actually making something of it other than just the metadata.”

Compliance happens

Following the consolidation of these different functions, Soto and her team began to look at different opportunities and strategies and determined that compliance would be a secondary priority. The premise was based on the understanding that compliance happens if the correct security standards and processes are in place. “Compliance is very important to us as a company,” Soto notes, “but if we have the right security practices in place, then it simply happens.” This inverted model is an innovative approach to security and compliance. Soto elaborates: “Some organizations use the compliance piece as the driver for their different initiatives. But unfortunately, when you use compliance as the ultimate driver, then it becomes a mandate—a set of boxes that simply need to be checked.”

In Soto’s view, however, when organizations lead with security best practices, then they tend to start branching off and discovering other opportunities that likely would not have been uncovered with a compliance checkbox approach. “If I only focus on the requirements, then all I’m going to do is what is asked of me,” Soto quips. “However, if I look at it from a broader sense, I may not only satisfy the requirement, but I may be able to satisfy a bunch of requirements and add business value.”

Mapping the challenges

With the right methodologies and strategic frameworks in place, Soto and her team began to map out the different challenges. The first related to data correlation—threat intelligence captured by data collectors—and the aggregation of these into a central repository and dashboard.

The second flowed from Soto’s inverted approach to information and security; she wanted to streamline data collection through enhanced security information management. This would, in turn, drive efficiencies around compliance tracking and reporting. But this is not as easy as it sounds: while MGM MIRAGE faces some of the same IT challenges as other publicly traded companies, it also must address unique requirements. “We have regulatory items that are must-do’s that a lot of other companies don’t even need to consider,” Soto explains. “But it is just the nature of our business.”

Symantec Solutions at MGM MIRAGE

> Symantec Residency Services
> Symantec Consulting Services
> Symantec Endpoint Protection 11.0
> Symantec Security Information Manager
> Symantec Control Compliance Suite
> Symantec Database Security
> Symantec Network Access Control
> Symantec Enterprise Vault
> Vontu Data Loss Prevention

Myrna Soto, VP of IT Governance and CISO, MGM MIRAGE, on the spiral staircase in the miX, an uber-stylish astral lounge, atop THEHotel.

The final area involves endpoint security. As with regulatory compliance, MGM MIRAGE faces some unparalleled challenges when it comes to this issue. “For most organizations an endpoint is a computer,” Soto notes, “and this is the case for MGM MIRAGE as well. But we have many other types of endpoints—everything from PCs to point-of-sale devices.”

Getting from strategy to execution

Coalescence around an information security strategy focused on consolidation and standardization prompted Soto to engage with a select group of technology providers with core competencies in multiple areas. And as Soto has mapped out her technology strategy, she has engaged Symantec Residency Services and Symantec Consulting Services for assistance in addressing issues around compliance with the PCI (Payment Card Industry) standard, IT policy management, and security management. “We’re leveraging Symantec Residency Services and Symantec Consulting Services to help define and map out our strategies in these different areas,” Soto explains, “and we plan to continue drawing upon their support as our relationship with Symantec matures.”

In the case of endpoint security, Soto is particularly excited about the integration points between Symantec Endpoint Protection 11.0 and Symantec Network Access Control. “The nature of our business, the size of our company, the enormity of our endpoints, and the magnitude of opportunities to engage in our network creates significant endpoint protection challenges,” Soto says. And while MGM MIRAGE had done a great job of protecting those endpoints, Soto and her team are seeking to drive greater efficiencies with an endpoint protection solution that would centralize policy management and centralize remediation across all different types of endpoints. “The combination of consolidated and structured protocols in Symantec Network Access Control and the ability to manage those security policies from a centralized console using Symantec Endpoint Protection 11.0,” explains Soto, was an attractive point in her team’s decision to migrate its previous endpoint security infrastructure over to the Symantec technology solution.

The ability to have a centralized repository of compliance data is also an important objective for MGM MIRAGE, and Soto and her team plan to use Symantec Control Compliance Suite, including its Policy, Entitlement, Standards, and Response Assessment modules, in conjunction with Symantec Security Information Manager, as part of this larger strategy. And as database security is an important requirement for the MGM MIRAGE team, Soto expects to augment the company’s existing security infrastructure with Symantec Database Security later this year.

Email and document retention policies also fall into Soto’s charter, specifically regarding the issues of legal discovery and forensic investigations. As a result, when the IT operations team rolled out Symantec Enterprise Vault for email archiving and e-Discovery, she and her team partnered with the operations team to define the accompanying data retention policies.

Scaling to new heights

In antiquity, the Greeks did not dare to scale to the uppermost peaks of Mount Olympus out of reverence for the 12 gods of Greek religion who made their home and fortress on Mytikas—the highest peak on Mount Olympus. Instead, they would climb to Profitis Ilias, an area below the peaks, and make sacrifices to the gods. Soto and her team departed Profitis Ilias long ago, however, and they are quickly climbing the “face” of information security using a unique mix of strategies and tactics. And at their current rate of ascension, they will soon be enlightening the gods on the nuances and intricacies of information security.

Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.

Making Diversity a Reality at MGM MIRAGE

Myrna Soto is passionate about the issue of diversity in IT.

Named one of the “Most Important Hispanics in Technology” by Hispanic Engineer and Information Technology Magazine in 2008 and a member of Women in Technology International (WITI) and the Hispanic IT Executive Council (HE&IT), Soto actively works to ensure the next generation of women and minorities understand their career opportunities in IT. Her efforts include mentoring college and teenage women and persuading them that there is a viable career path for them in IT. “We have a very diverse population in our IT department, leaders from all walks of life,” Soto says. “When we talk about diversity at MGM MIRAGE, it is less about ethnicity or gender but inclusion as a whole.”

As Soto notes, diversity is a core initiative for MGM MIRAGE. In December 2001, the MGM MIRAGE Board of Directors established the Diversity Committee of the Board that rolled out a diversity infrastructure consisting of a Corporate Diversity Council, Property Diversity Councils, a Purchasing Diversity Council, and a Construction Diversity Council. For more on diversity at MGM MIRAGE, go to www.mgmmiragediversity.com.
