Do not envy Mark Odiorne. As the CISO at Scottish Re, a reinsurance company with more than $12 billion in assets, Odiorne is the only full-time security practitioner on staff. In addition to fighting threats, he also has responsibility for much of the company's substantial compliance efforts.
Which compliance requirements take up most of your time? Sarbanes-Oxley is probably the biggest focus; Gramm-Leach-Bliley as well, because we're a financial services company. What we have found is that because we used the ISO standard to build our security model, whether it's Gramm-Leach or Sarbanes or something else, we can pretty much track anything they're looking at to that model. When the company was young, we were constantly writing policies on the fly. So every year, when the auditors would come back in, we had a lot of new processes in place and they had some testing to do. That's also why we've made information security more of a priority and have more resources applied to it.
What are the challenges you think will take up a lot of your time in 2007? Business continuity and disaster recovery are our new focuses. One of the big focuses for senior management is to make sure our data, whether it's in motion or at rest, is protected. We've been buried in our Denver office by snowstorms and that sort of thing, our Cayman office nearly got blown off the map by Hurricane Ivan and our Bermuda office got the same
Another challenge is that our company is very mobile; we have a lot more laptops than desktops and people travel quite a bit. Protecting those assets is a big deal for us. We see a good bit of malware attacks, and we keep seeing the threats change as the bad guys are more motivated by making money. So we see a lot more technology, a lot more money behind the efforts. There's a reputation component in that for us. We don't want to be known as the company that got hit.
How much of the responsibility for the disaster recovery plan falls on you and how much is on the storage folks? It's probably now more on the storage side. But it all kind of falls under security, to ensure that everything is secure, backed up, tested. Scottish does a lot of work with the data that we get from our clients to turn it around and make it available to them. No matter where that data is, we have to make sure that it's protected and only the right eyes are seeing it.
Read the full interview with Mark Odiorne at searchsecurity.com/ismag.
This was first published in March 2007