An Interview With Amy Ma

Chief Information Security Officer

Schulte Roth & Zabel LLP

There is no one-size-fits-all model, however the corporate leaders need to realize that the best organization chart is the one that can most effectively make your program work.

With over 15 years of experience in information security management, certifications in various industries, serving on the IAPP CIPM Advisory Board, and having received the Outstanding Achievement Award from ISACA, Amy leads strategic security initiatives for the prestigious law firm headquartered in NYC.

In an interview, she discusses challenges that she has faced throughout her career in IT, and strategies that can mitigate the risks of cybersecurity threats and attacks.


Q: What cybersecurity challenges do you foresee as a technology leader that might have you modify a security policy and why?

A: The biggest challenge are really the human element and cultural norm.  With the disappearing technology defined perimeter, human element and effective leadership will play the most important role for the success of the security program. Ultimately, security issues are magnified reflection of the business and leadership issue.


Q: What strategies do you find most helpful that help develop a business plan to identify threats and help build cyber resilience?

A: Obtain consensus on the strategic goals; build alliance with wide professional association (pa); apply a phased-based approach; celebrate little wins; leverage collaboration; review progress timely.


Q: How do you determine the risks versus rewards of cyberspace, and involve key internal and external stakeholders in security matters?

A: Align with business strategy, build consensus, leverage collaboration and prioritize.


Q: What are the top cybersecurity risks and threats that the industry has faced within your career?

A: It has never been a fair game for security leaders.  Security issues had been viewed as IT problem for quite a while, until the industry realized that it was not working.  Organizations struggle to position the security executive appropriately in the organization chart even nowadays. There is no one-size-fits-all model, however the corporate leaders need to realize that the best organization chart is the one that can most effectively make your program work.


Q: In the event of a data breach, what tools do you use to mitigate the advanced risks and threats of the attack?

A: We should apply tools throughout the lifecycle of an incident response process (Identify, Protect, Detect, Respond and Recover).  Based on my past experience, preparation can be very cost effective  such as regular response plan review & table-top exercise; annual breach readiness assessment; retainer agreement; target workshops for technical staff, communications and executives, etc.  The more prepared we are, the more calm we will be during the crisis. I would also like to emphasize the importance of Lesson-Learned sessions, which I had found to be very effective.


Q: How has information security changed since the beginning of your working life?

A: Security emerged as a technology issue more than a decade ago, being viewed as the secondary support function only to pass the audit. It took a while for the industry to realize that security is such a vital function of the business.  Now it is the golden age for security industry.  Security is growing to the integral part of the business success; security leaders are gaining and retaining the seat at the board room. It is amazing to see that seasoned security leaders are growing to be more sophisticated and capable business leaders.


Q: What new challenges do you expect to develop in the next five years regarding information security?

A: With the rapid advancement of mobility and IoT, it will be a big challenge for security leaders to balance among the technology innovation, user productivity and security objectives.  In addition, the talent scarcity make it crucial for security leaders to be able to coach and manage resource effectively.


Q: Why have you decided to join us at the CIO & CISO Strategy Meeting and what would you like to share at the meeting?

A: My past experience has proved multiple times that strategic planning is a must for the success of the security program. I am very selective about industry events, but strategy discussion is definitely an event I would not miss.

You will have the opportunity to meet and network with Amy Ma at the CIO & CISO Strategy Meeting, April 30th, in New York, during her session on the Shift in Corporate Cybersecurity Strategies.


Still not registered?

We have still few seats available and if you are interested in attending please visit Link to Registration Page or Contact Jason Walter: 

Remember to follow and like us on LinkedIn and Twitter #CIOCISONewYork2019