In the heavily regulated financial services world, security policy compliance is paramount. Bruce Bonsall, CISO of MassMutual Financial Group, explains how his organization ensures that every IT project properly addresses security and doesn't progress without his office's seal of approval.
What do you do as CISO to get security baked into projects?
We've instituted a governance process with IT projects similar to a building permit. During the concept and definition phase, the project team gets in touch with my security consultants to identify any security implications. It doesn't matter whether they're writing new code, buying technology or outsourcing a function to a third party; anything that involves the processing, transmission or storage of information goes through this process.
We still need to broaden it to more areas in the company. It's growing from a security governance process to more of an IT process, then it will become a corporate governance issue.
Where do CISOs invariably slip up with regard to policy compliance?
I would be willing to bet that some CISOs are having a hard time getting their jobs done because they haven't engaged their business people well enough and haven't approached security as a business issue; they've approached it as a series of technical implementations, but they need to take a holistic risk management approach. They've failed to adequately market the services provided by the security team, and to help business people understand risks.
Do you speak a different language today than you did a few years ago?
I worked hard to understand issues from a business perspective, not just from a security practitioner's perspective. I've learned to frame things in terms business people can relate to.
I made a concerted effort to meet with every senior executive. I got to understand them better and to explain myself better to them.
I was at a roundtable recently, and one of the participants said that the business doesn't understand what we're telling them. I responded that it's not the listener's responsibility to understand the speaker; it's the speaker's job to convey terms that are understandable. It's our fault if they don't get it.
Read the extended version of this interview online at searchsecurity.com/ismag.