In parallel, Stiglianese says that in larger organizations, CISOs are moving into this role as business/risk managers, communicating with business groups and management on their own terms. They have sufficient tech savvy and rely on experts with the technical background.
WARNING SIGNS
Before taking a job as CISO, make sure the company you are about to join is fluent in risk management.
Eric Holmquist, VP and director of risk management at Advanta Bank, offers three signs that an organization doesn't take risk assessment seriously:
* Information security is positioned as an IT issue, and IT is being asked to manage something it has no control over and isn't a technology issue.
* The tone you hear is "just follow the guidance." You can never set regulatory expectations as your measure of success. That's always the minimum standard. You must exceed that.
* You see anecdotal evidence that people just give lip service to risk assessment, and that sloppy practices are acceptable culturally. If there aren't exceptionally good controls around data in motion, controls of third parties, etc., you have a big problem.
"If there isn't a tone from the top setting information security as a high priority, you're cooked," Holmquist says. --NEIL ROITER
COMPLIANCE AND RISK
CFOs have always had to deal with regulatory controls, but not in as public and dramatic a way. The CFO was required to make sure the company was in compliance with GAAP standards, report to various agencies and make sure external auditors would approve financial statements.
But all this happened pretty much behind the scenes, says Stiglianese. Regulations such as SOX have changed the dynamic, drawing intense interest from investors on the outside and the board of directors within. When he started at Citigroup, the regulatory reporting group was under the CFO's office, but "as things have become more highlighted and spotlighted, you bring in a different level of talent to handle the regulatory reporting side."
GLBA created a similar environment for the CISO, but while regulatory change came gradually to the CFO, the CISO was thrust abruptly into the spotlight.
"The CISO," Stiglianese observes, "went from zero to 100 miles per hour instantly."
This was first published in January 2009
Security Management Strategies for the CIO