Donna Ross, the chief information security officer (CISO) for Radian Group Inc. (NYSE: RDN), is a proponent of risk-based approaches. If an organization is not continually looking forward and using metrics to understand possible security concerns, she explains, the organization ends up solely treating symptoms and putting out fires. “Plus, being proactive is much more fun,” she says. “You get to spend time with your family and not work nights and weekends. I guess some people like to run on adrenaline, but I think that gets old.”
This proactive style matches Radian’s own attitude toward security. The company says it is “committed to home ownership” and offers services that span the real estate spectrum. Four years ago, the company, which holds nearly $7 billion in assets, gauged that it needed more information security. While many companies come to this realization only after a breach, Ross notes, Radian “saw security was important before it had to be.”
Ross was honored to be hired as Radian’s very first CISO and believes deeply in the value of her role. “When you don’t have an officer, you are just buying tools and throwing money at security,” she says. With a CISO comes strategy.
“We are responsible to protect information entrusted to us,” Ross says. The way she enacts that responsibility is less about individual tools and more about services: the technology, people, processes, and metrics that create an evolving system. For example, she explains, a tool might be antivirus software. Her team’s services, on the other hand, include software along with entities like partners, procedures, protocols, staff, and other technology. Analytics power Radian’s model. “Protecting the data that powers the analytics is critical,” she notes.
“Knowing that data protection is top of mind for Donna and her security program has made Netskope’s partnership with Radian successful,” says Jason Clark, chief strategy officer for Netskope. “Together with Donna, we’ve helped Radian achieve compliance while extending into the cloud.”
Along with systems strategies, the CISO role involves administrative duties around budget, planning, performance, and ongoing investments. It also includes team leadership. As with security processes, Ross has a clear strategy for building great teams: hire people smarter than you, look in nontraditional spaces for people, provide great culture and training, be flexible and make a place that is welcoming, and, most importantly, have fun.
Within security teams, Ross also emphasizes the importance of diversity. “To solve problems, you can’t all think the same. You must be able to come to different solutions,” she says. “Everyone needs to have a voice.”
Looking through different lenses means more complex perspectives and, thus, better security. Following her own advice, Ross has built a diverse team located around the country. She also works to create partnerships that feed new ideas. For example, Ross says that the team works with new firms every few years to help with penetration testing. Superiority of one company or another does not drive the changes. They come from Ross’s commitment to new experiences and tools.
At Radian, the CISO also participates in a larger ecosystem. “My mission is to protect Radian,” she says. “If I can expand that to think about protecting the larger financial industry, that’s good. I can take lessons and share them broadly.
“To enable the business, I must understand it,” she continues, highlighting her goal to constantly gain new insights. She sees her role as business focused and integrates her team into the overall model at Radian. A core tenet of her methods is, “Security should not be the best-kept secret in the company. Our job is to be at the forefront and not be invisible.” Instead she asks for transparency and feedback.
To best support and inform the business at large, along with integration, Ross tries to answer questions with sentences that begin with, “Yes, but . . .” She wants everyone to grasp possible outcomes in terms of financial realities. As she proactively identifies concerns, she responds with whole-system approaches that include staff training and focused hiring. “All products tie back to one overall corporate strategy,” she notes.
Ross, who is active in women-in-tech organizations and still coaches former reports from previous jobs, is always happy to offer advice to individuals not yet in security and is excited to have more people join the field. She notes that there are many positions in security and not every employee needs to be technical. While “tech skills can be taught,” she suggests building soft skills like communication and listening. Finally, she says, “Find a mentor and advisor, and don’t underestimate the power of getting a volunteer or intern position.”
For people already in the industry, Ross stresses the importance of self-care. “Mission is important. Health is important,” she says, championing, once again, a proactive model that has enabled her to enjoy a successful career in security while also being a mother and grandmother.
The job of a CISO never ends. “We just keep doing what we do every day,” she says, boiling down the massive complexity of what she does every day to a simple idea. “I keep good people from doing bad things.”
CompuGain congratulates Donna Ross on this very well-deserved recognition. Her deep understanding and leadership in Information Security, Technology and Risk Mitigation makes her an invaluable asset to Radian. CompuGain is proud to be a Radian partner, sharing a common vision of innovation, IT enablement and modern application and platform delivery.