Donna Ross – Radian Group
- Written by: Jim Cavan
- Produced by: Grace Chlosta
You know the cyberthreats are out there, only you can’t see them. So you wait, praying your defenses hold up, building your walls ever-higher.
It’s a view that has long been standard in cybersecurity circles, with institutions from hospitals to governments emphasizing their preparedness for the inevitable attacks. But what if hunkering down is no longer good enough?
“Security can’t be an afterthought or add-on,” says Donna Ross, the senior vice president and chief information security officer (CISO) for Philadelphia-based Radian Group. “It has to be a part of the culture, and we’ve worked hard to make sure that guides what we do and how we do it.”
Home fires
Since signing on in 2016, Donna Ross has intensified Radian’s efforts to protect its most valuable resource: the hundreds of financial service firms nationwide that the company provides with mortgage insurance.
Like any new CISO, Ross first assessed Radian’s security posture, putting the company’s four-pillar approach—protect, detect, recover and manage—squarely at the fore.
She sized up the company’s vision for security, evaluated its personnel in this area, and voraciously reviewed reports and test results. Then Ross did what she calls “gap assessment,” or determining what capabilities were needed to execute her vision. She identified two roles in need of filling. One was a chief security architect to oversee the wider security apparatus—its programs, platforms and vendor partnerships.
The second was what Ross calls the “Threat Hunter,” someone capable of roaming Radian’s networks and systems, spotting threats that may otherwise go unnoticed.
“There are a great deal of tools and subscriptions you can buy to help you identify threats, and those are certainly critical to our overall strategy,” Ross explains. “But we needed someone internally that knows the Radian environment well enough to spot threats in advance.”
For each threat, real-time analysis is used to determine the potential impacts on Radian’s many business lines. At that point, Ross will deploy a threat-specific playbook, allowing Radian to take “a proactive approach to blocking and tackling.”
“We’re always looking at what’s going on in the world, to get ahead of anything that might be out there,” Ross says. “Our tools tell us what we need to do in order to course-correct and protect our infrastructure.”
Eyes on the prize
More broadly, Ross has advocated for a redoubled approach to what she calls “end to end security services.” That means accounting for everything from user identity to operations to encryption standards, with no code or credential left unchecked.
According to Ross, the goal is to gain insights into the whole lifecycle of a particular security process. Based on the resulting metrics, Radian can determine whether a given investment—a phishing education program, for example—is working.
“We’re trying to run security like a business, by looking at the value each initiative brings,” Ross says. “In most cases, it’s more advantageous to create a service than it is to buy another tool or component.”
There are long-term plans, too. Specifically, automation has been a critical component of Radian’s application security protocol. Whenever the company introduces a new, internet-facing tool—say, a mobile app—Ross’ team runs an automated scan to ensure the code is as airtight as possible. If holes are detected, a dashboard alerts team members.
“We’ve made security a part of our company culture,” Ross says. “We’re not evaluating our posture on a yearly or even a monthly basis; we’re doing it every day.”
While the company has had a security team for years, with staff dedicated to each of the company’s businesses—Radian, Clayton, Red Bell, ValuAmerica and Green River Capital—Ross was the first to don the title of CISO, a position with oversight of all of Radian’s legal entities.
Building blocks
For the SUNY Brockport and Rochester Institute of Technology graduate, being a trendsetter is par for the course. Beginning as a project manager at Prudential in 1991, Ross’ career trajectory would include stops at GMAC and tech giant Corning, where she served as director of IT and risk management from 2008 to 2015.
After a stint as CIO for health care startup Accolade, Ross was hired by Radian. Her mandate was raising the bar on the company’s IT security, and helping the business run more smoothly. Last year, she gave a panel talk at the 2017 CISO Executive Summit in Philadelphia, entitled “Cool Jobs in a Hot Tech Market.”
Needless to say, the message was a bit more serious in tone and scope.
“The stakes in information security have never been higher, but that lends itself to lots of opportunities,” Ross says. “The more we can share ideas about the collective threats we face, the better off all of us will be.”