Ascending to the Uppermost Peaks of Information Security

EXCLUSIVE INTERVIEW

Mapping a Successful Path from Strategy to Execution

By Patrick E. Spencer

CIO Digest, April 2008 (symantec.com/ciodigest)

IT governance and information security assume unique and virtually unparalleled meaning for a global enterprise such as MGM MIRAGE, which operates in “the most regulated industry in the world.” Add the requirement for 24×7 IT operations supporting more than 67,000 employees and delivering services to millions of guests annually, and the challenge becomes as daunting as the climb to the highest peaks of Mount Olympus was for the ancient Greeks.

Enter Myrna Soto, the vice president of IT governance and chief information security officer (CISO) at MGM MIRAGE, who approaches the “climbing” challenge with a combination of “mountaineering gear” that includes Six Sigma, industrial psychology, best practices from the Project Management Institute, an MBA, and more. By leveraging each of these different tools in concert with one another, Soto has been able to build synergies between the business and IT.

Opening the “black box”

In her prior role as vice president of business operations and the Project Management Office, Soto served as the champion and liaison between IT and the business, working with her team to define, build, and roll out a series of business models and frameworks. With these in place, CIO Tom Peck pinpointed a new challenge for her as the head of IT governance and security in 2006. And while MGM MIRAGE had “a very solid foundation as far as its security assets, information security was always a little bit of a ‘black box’ to many in the larger organization: no one really understood what went on in the group…it was like a mystery to many,” Soto reports.

“Information security is one area [of IT] that is very difficult to truly understand and appreciate,” Soto continues. “Very often the security of our organization is considered to be the physical security: the buildings, the locks, the surveillance systems, and so forth. But when we think about information security, and the transmission of our data and our assets, it can be difficult for the staff not attached to the technology to understand what that really means.”

In addition to an MBA and a Master’s Certificate in Project Management from George Washington University, Soto holds a Master of Science in Industrial Psychology. This broad background—particularly the training in industrial psychology—affords Soto a special view as she connects the dots between the business and technology. “Those in the business and those in IT don’t always speak the same language,” Soto asserts. “Utilization of some of the core principles of industrial psychology involving human motivation and how people understand different concepts has allowed me to filter out the ‘white noise’ by personalizing information security investments—in terms of both time and budget.”

With this approach, Soto and her team can now execute on their initiatives the same way as with any other project within the company. “When you look at projects that are pretty much self-contained to the IT infrastructure, they may not have typically carried the same charter with the business in terms of status reporting and visibility,” Soto says. “This we have completely changed. Now, we aggressively market our accomplishments, highlighting them to the executive committees, ensuring that the audit committee understands the business value of the different initiatives—it’s a highly supported and very visible area for us right now.”

Measuring success with Six Sigma

Early in her career, Soto recognized the importance of using project management standards to architect and manage IT initiatives. “The project management discipline, or the practice of project management, has served as my ‘fabric’ for 15-plus years,” Soto notes. “When I think about what we do in IT, and even in the business, at some point or another, everything could be considered a project. However, the principles of project management haven’t always been focused on information security. I’ve found them very useful when looking at ROI for a particular business model or continuous process improvement from a process engineering standpoint.”

While serving in a senior leadership role at American Express, Soto was introduced to Six Sigma. “We’ve taken Project Management Institute (PMI) best practices and overlaid them with the DMAIC (Define, Measure, Analyze, Improve, Control) model from Six Sigma for a hybrid approach,” Soto explains. She and her team exercise extreme diligence on how they structure their technology investments, and Six Sigma and PMI standards help ensure they are mapping the right technology investments to core business strategies and requirements. “With DMAIC as our interpretive lens, we look at tollgates before we go too far down the path,” Soto adds. “And this is proving very useful; we have been able to prioritize projects and even eliminate some that simply didn’t make business sense.”

Consolidation drives strategy

Trends around technology consolidation extend to information security, something that has not gone unnoticed by Soto and her team. “When you look at information security, there have traditionally been various boutique point solutions—whether data loss prevention, encryption functionality, etc.,” Soto notes. But due to pressures from customers seeking less complexity and lower costs, in addition to merger and acquisition activities, “these solutions are being brought together and bundled so that the IT investment landscape is easier to understand,” Soto explains. “As a result, the integration opportunities in information security are much friendlier now—and our larger strategy is based on this framework.” This means that MGM MIRAGE now looks at enterprise solutions versus silo-based point solutions.

When Soto was named VP of IT Governance and CISO, information security responsibilities and functions were spread across multiple groups. Peck determined, at the time, that he could drive various synergies and efficiencies by collapsing all of the functions around Soto. “The IT governance piece covers not only the governance of the structure of our security practice, but the PMO—the way we manage our technology investments, the way we structure the execution of our projects,” Soto comments. “We thus packaged everything under one umbrella—compliance, information security, and project management.”

And consolidation is driving tangible business value. “There were instances where we had overcoverage,” Soto recalls. “Most companies would say I have a vulnerability point here; I don’t have a coverage point here, and so on. That really wasn’t the case for us. We took a look at all of our technology decisions to ensure we were leveraging all of our systems to their fullest potential and getting full advantage of the data we were generating from our monitoring and reporting points—namely, that we’re actually making something of it other than just the metadata.”

Compliance happens

Following the consolidation of these different functions, Soto and her team began to look at different opportunities and strategies and determined that compliance would be a secondary priority. The premise was based on the understanding that compliance happens if the correct security standards and processes are in place. “Compliance is very important to us as a company,” Soto notes, “but if we have the right security practices in place, then it simply happens.” This inverted model is an innovative approach to security and compliance. Soto elaborates: “Some organizations use the compliance piece as the driver for their different initiatives. But unfortunately, when you use compliance as the ultimate driver, then it becomes a mandate—a set of boxes that simply need to be checked.”

In Soto’s view, however, when organizations lead with security best practices, they tend to start branching off and discovering other opportunities that likely would not have been uncovered with a compliance checkbox approach. “If I only focus on the requirements, then all I’m going to do is what is asked of me,” Soto quips. “However, if I look at it from a broader sense, I may not only satisfy the requirement, but I may be able to satisfy a bunch of requirements and add business value.”

Mapping the challenges

With the right methodologies and strategic frameworks in place, Soto and her team began to map out the different challenges. The first related to data correlation—threat intelligence captured by data collectors—and the aggregation of these into a central repository and dashboard.

The second flowed from Soto’s inverted approach to information security; she wanted to streamline data collection through enhanced security information management. This would, in turn, drive efficiencies around compliance tracking and reporting. But this is not as easy as it sounds: while MGM MIRAGE faces some of the same IT challenges as other publicly traded companies, it also must address unique requirements. “We have regulatory items that are must-do’s that a lot of other companies don’t even need to consider,” Soto explains. “But it is just the nature of our business.”

The final area involves endpoint security. As with regulatory compliance, MGM MIRAGE faces some unparalleled challenges when it comes to this issue. “For most organizations an endpoint is a computer,” Soto notes, “and this is the case for MGM MIRAGE as well. But we have many other types of endpoints—everything from PCs to point-of-sale devices.”

Getting from strategy to execution

Coalescence around an information security strategy focused on consolidation and standardization prompted Soto to engage with a select group of technology providers with core competencies in multiple areas. As Soto has mapped out her technology strategy, she has engaged Symantec Residency Services and Symantec Consulting Services for assistance in addressing issues around compliance with the PCI (Payment Card Industry) standard, IT policy management, and security management. “We’re leveraging Symantec Residency Services and Symantec Consulting Services to help define and map out our strategies in these different areas,” Soto explains, “and we plan to continue drawing upon their support as our relationship with Symantec matures.”

In the case of endpoint security, Soto is particularly excited about the integration points between Symantec Endpoint Protection 11.0 and Symantec Network Access Control. “The nature of our business, the size of our company, the enormity of our endpoints, and the magnitude of opportunities to engage in our network creates significant endpoint protection challenges,” Soto says. And while MGM MIRAGE had done a great job of protecting those endpoints, Soto and her team are seeking to drive greater efficiencies with an endpoint protection solution that would centralize policy management and centralize remediation across all different types of endpoints. “The combination of consolidated and structured protocols in Symantec Network Access Control and the ability to manage those security policies from a centralized console using Symantec Endpoint Protection 11.0,” explains Soto, was an attractive point in her team’s decision to migrate its previous endpoint security infrastructure over to the Symantec technology solution.

The ability to have a centralized repository of compliance data is also an important objective for MGM MIRAGE, and Soto and her team plan to use Symantec Control Compliance Suite, including its Policy, Entitlement, Standards, and Response Assessment modules, in conjunction with Symantec Security Information Manager, as part of this larger strategy. And as database security is an important requirement for the MGM MIRAGE team, Soto expects to augment the company’s existing security infrastructure with Symantec Database Security later this year.

Email and document retention policies also fall into Soto’s charter, specifically regarding the issues of legal discovery and forensic investigations. As a result, when the IT operations team rolled out Symantec Enterprise Vault for email archiving and e-Discovery, she and her team partnered with the operations team to define the accompanying data retention policies.

Scaling to new heights

In antiquity, the Greeks did not dare to scale to the uppermost peaks of Mount Olympus out of reverence for the 12 gods of Greek religion who made their home and fortress on Mytikos—the highest peak on Mount Olympus. Instead, they would climb to Profitas Ilias, an area below the peaks, and make sacrifices to the gods. Soto and her team departed Profitas Ilias long ago, however, and they are quickly climbing the “face” of information security using a unique mix of strategies and tactics. And at their current rate of ascent, they will soon be enlightening the gods on the nuances and intricacies of information security.

Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.

Check out the Executive Spotlight Podcast with Myrna Soto at go.symantec.com/soto

Nuggets on MGM MIRAGE

Industry: Entertainment and development
Founded: 1986 (formerly MGM Grand, Inc.; changed to MGM MIRAGE in 2000)
Properties: 17 destinations, with 50% investment in 4 others
Employees: Over 67,000 worldwide
Revenues: Over $7.7 billion (2007)

Symantec Solutions at MGM MIRAGE

> Symantec Residency Services
> Symantec Consulting Services
> Symantec Endpoint Protection 11.0
> Symantec Security Information Manager
> Symantec Control Compliance Suite
> Symantec Database Security
> Symantec Network Access Control
> Symantec Enterprise Vault
> Vontu Data Loss Prevention

Making Diversity a Reality at MGM MIRAGE

Myrna Soto is passionate about the issue of diversity in IT. Named one of the “Most Important Hispanics in Technology” by Hispanic Engineer and Information Technology Magazine in 2008 and a member of Women in Technology International (WITI) and the Hispanic IT Executive Council (HE&IT), Soto actively works to ensure that the next generation of women and minorities understands their career opportunities in IT. Her efforts include mentoring college and teenage women and persuading them that there is a viable career path for them in IT. “We have a very diverse population in our IT department, leaders from all walks of life,” Soto says. “When we talk about diversity at MGM MIRAGE, it is less about ethnicity or gender but inclusion as a whole.”

As Soto notes, diversity is a core initiative for MGM MIRAGE. In December 2001, the MGM MIRAGE Board of Directors established the Diversity Committee of the Board, which rolled out a diversity infrastructure consisting of a Corporate Diversity Council, Property Diversity Councils, a Purchasing Diversity Council, and a Construction Diversity Council. For more on diversity at MGM MIRAGE, go to www.mgmmiragediversity.com.

Photo caption: Myrna Soto, VP of IT Governance and CISO, MGM MIRAGE, on the spiral staircase in the miX, an uber-stylish astral lounge, atop THEHotel. Photos: Richard Cummings/Corbis; Mark Esperti.