Interview: Protecting data and IT assets in a recession - Information Security Magazine

Interview: Protecting data and IT assets in a recession

Today's economic climate may mean belt tightening for many security officers, but Anthony Meholic already learned how to do more with less when he joined Republic First Bank after working at global powerhouse JPMorgan Chase. The senior vice president and information security officer at the bank, which serves the greater Philadelphia area, knows what it takes to protect corporate assets in a tough economy.

How do you think the economic downturn will affect security budgets? It's always been a real chore to justify an information security budget because you can't put a monetary figure on the return on the investment. Information security is there to make sure nothing [bad] happens, so if you're doing your job, nothing [bad] is happening. Given that you're already starting behind the eight ball, the economic upheaval in the banking industry is just going to put more of a burden on security professionals to get more funding. They'll have to learn how to live with less. Take good stock of your resources, the skill sets of your team, your networking infrastructure and see what you can do within the limited budget that you'll be getting.

Can outsourcing help? It's certainly part of the picture. Going from JPMorgan to Republic First Bank-from a very large international corporation that had a large budget for security to a smaller regional bank that doesn't have the [same] resources-gave me good insight on how to manage and do more with less.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

If you're a small or midsized bank, you might not have the resources to have an ethical hacking team like I had at JPMorgan, or you can't afford some of the more expensive tools. So you have to rely on vendors to perform some of these services. Typically, we have vendors performing our vulnerability assessments and penetration testing.

What else might help in lean times? There are things you can do with a small team or a small budget. It's going back to basics. One of my main focuses when I come into a security position is to get a really detailed understanding of the flow of confidential and restricted data. You have to know where your data is going and who it's going to; once you know and understand that, you can start targeting areas of risk. You need to have a mature risk assessment process in place so you can prioritize these risk areas. Once you prioritize the risks associated with the various areas, you can start focusing your limited resources-whether it's budget, assets or staffing-on those areas. You probably won't cover every single one, but at least you've hit all the high-risk areas.

This was first published in January 2009