This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
"They said, 'Everyone calls an application a different thing.' I said, 'Let's have a meeting and define something. I'll call it an application and you guys call it whatever you want, but we're going to count how many of those things we have.'"
He says basic program and project management are missing, because information security is overly focused on technology and not on planning. "That type of stuff was the basics that you had on the CFO side." The CFO sees everything in terms of risk assessment.
What are the potential gains and what are the exposures? What is the potential return, and how much can we lose if a loan or investment goes south? What will this new technology or this new service cost us, what can we expect in revenues, and when? What controls do we need for regulatory compliance, and do they properly mitigate risk to the business? Because he is grounded in risk assessment and business, the CFO has the ear of upper management (he is one of them) and will be much more receptive to supplicants who "get" business.
The IT-based CISO, especially one who is comfortable staying on the technology side, likely has less insight into the business and will have trouble selling new security programs and technologies to business people who think in terms of risk/reward and cost/benefit.
"If the CISO is a technology person, more often than not, he doesn't have enough gravitas with senior management to get their attention, to make them aware of a business issue," says Eric Holmquist, VP and
The CISO can be reduced to trying to sell insurance to executives who are not convinced of the risk. The CFO understands that he must be able to take his special knowledge, translate it into business terms and communicate effectively to the investor community outside the organization and the board and management within.
"I have the financial information, and I have enough of a financial background that I know what makes sense," says Stiglianese. "And, I'm going to make it easier for other people to understand."
At Citigroup, for example, the CFOs have business backgrounds, with "enough financial expertise to know what makes sense." They call on their financial experts to give them the information they need.
This was first published in January 2009