Feature

Implement security and compliance in a risk management context


This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."


"Compliance is black and white," says JPMorgan Chase's Bhimani. "However, the way some of the regulations are written requires interpretation by the regulatory authority.

"SOX 404 is a classic example; it's maybe 150 words long. Our goal has always been to assume the strictest interpretation unless you hear otherwise."

DOTTED LINES
The relationship between the CFO and CISO varies from one organization to the next.

For compliance, in larger organizations such as Citigroup, the CFO may rely on the CISO to provide metrics to support internal audit and, in turn, rely on audit to evaluate the security/compliance controls.

In smaller (not to say small), less complex companies, the relationship may be more direct.

"I look to our IT director to help assess if we have the proper controls, and if controls we are thinking of implementing will actually provide the integrity we are looking for," says First Capital's Hogard. "We want to make sure that before we invest the dollars our plan will actually be effective."

Often, the CFO is the one giving thumbs up or thumbs down to the CISO's spending requests. The CISO will be far more successful if he's one of the new breed of security officers who's grounded in the business and risk assessment.

"I was somebody who basically denied investing in a lot of proposals and then spent three years getting the proposals passed," says Stiglianese.

"The interdependency is more of the CISO on the CFO than the reverse. When I was CFO, as long as I was not having any information security breaches, I didn't mind if I never saw the CISO come in asking for money."

Nonetheless, he says he would have been more receptive to CISOs' funding requests as a CFO had he understood their importance then as he does now.

"The proposals weren't articulated in a way I could understand. They made no sense to me, so we didn't make the investment. I learned there's a need for a more efficient way to communicate between the two functions."

This was first published in January 2009
