Security Management Strategies for the CIO
This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
The upshot is that while CFOs understand the regulatory environment, how it affects the business and how it fits into the risk equation, CISOs are still learning.
"Coming from the financial background, with what we were doing with the compliance function," says Stiglianese, "I saw I was spending a lot of money in areas where I really didn't generate risk, and probably wasn't spending enough to mitigate areas that were riskier."
These are critical considerations. In contrast, there's the CISO, who comes to management with a shopping list of technologies he says they need to comply with PCI or meet the security requirements of SOX, GLBA or HIPAA. The checklist, rather than risk-based, approach will probably pry some dollars loose. However, it won't serve the best interests of the company, which may or may not be technically compliant, and is not significantly more secure than it was before the purchase.
Consider that the intent of these regulatory controls is to protect your company, its customers, its investors and its partners.
"Compliance is about protecting something, some resource, typically," says Dick Mackey, vice president at SystemExperts. "If you fall victim to compromise because your controls aren't good enough, you didn't achieve the goal or intent of the regulation."
The premise is that there is risk here. Address compliance within that context, so that compliance flows from your risk assessments, rather than being bolted
Requires Free Membership to View
on.
"When you come up with compliance policy that's
based on risk, you have to come up with something
that works in all cases," says Stiglianese.
That's key to avoid overspending and
devoting redundant resources to comply
with each regulatory requirement, especially
in large organizations, where compliance
may become fragmented among various
business units.
"One of the first things you realize is that we
[financial institutions] are more heavily regulated
than most," says Anish Bhimani, managing director
for security and risk management at JPMorgan Chase.
"So, how do you demonstrate compliance across a
number of varying sets of requirements?"
This was first published in January 2009
Join the conversationComment
Share
Comments
Results
Contribute to the conversation