Tony Spinelli: Prioritize Information Security over Compliance

Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.

Business leaders and chief security officers take note: when it comes to risk mitigation, compliance alone is not enough to protect your enterprise. It takes a broader security strategy, of which compliance is only one part, to hit the high-water mark. In fact, organizations that focus on security first and achieve compliance as a consequence are seeing greater business impact. Instead of focusing solely on meeting compliance benchmarks, these companies are changing the way they reach a high-water mark for security performance.

Let's face it, we are entering an era of tighter statutory requirements and rapidly changing regulations. But focusing solely on statutory requirements can lead to a disjointed strategy that is neither comprehensive nor aligned with business goals. While compliance mandates are often used to drive security investments, compliance by itself does not ensure a strong security posture.

And while compliance cannot be the sole focus of a security strategy, technology by itself cannot safeguard an enterprise. Increasingly sophisticated threats and growing concerns over data losses are just a few of the issues facing CSOs. For this reason, businesses simply cannot afford to think about security in purely technical terms.

Instead, businesses must look beyond their technology and compliance needs and understand the challenges of ensuring their company's security posture. Achieving that understanding requires the right mix of innovation, talent and technology, underscored by a strategy that addresses risk at the broadest level. This is where relationships with business partners and vendors can play a valuable role. By joining forces with industry-leading third-party providers, companies gain access to new thinking and innovation to address key needs and challenges. With the right strategy and technology partnerships, businesses can drive a consistent, global set of security practices focused on risk reduction and information security.

At Equifax, we have implemented a strategy to minimize operational and information risk, which includes safeguarding data on hundreds of millions of consumers and businesses worldwide. Equifax tackled this complex undertaking by adopting a simple but powerful vision: that security must be treated as a business. Here's a snapshot of how it worked.

Recognizing that compliance is not the only measure of security, Equifax set out to develop and implement a plan to consolidate all of its security functions into a centralized organization. Equifax chartered a process to assess the company's risks globally and then developed an integrated strategy that aligns its risk mitigation and information security needs with real-world business requirements.

In less than three years, Equifax made its vision a reality and not only transformed its security department into a global center of excellence but also enabled the company to drive greater synergies across its business units. Today, compliance is just one of the many benefits of Equifax's comprehensive security program and strong security position. Faster access to information, enhanced business intelligence and increased visibility of enterprise-wide IT services are among some additional business benefits Equifax has reaped by applying the right mix of innovation, business acumen and technology.

The ability to leverage this type of value from a security investment can go a long way in forging stronger ties with the businesses we protect. While it can be challenging to convince a business unit to dedicate significant capital to security initiatives, the process is well worth the return on investment. Applying security innovation to risk mitigation and data protection strategies can empower businesses to identify new growth opportunities and deliver better, customer-centric solutions.

Here's how we brought this approach to a few of our own business units:

  • Equifax Personal Information Solutions, which provides consumer credit and identity theft protection products, has seen first-hand the impact of innovative security solutions at work. Partnering with Equifax's Security Engineering team, Personal Information Solutions enhanced the authentication process used by new customers to access their Equifax credit report online. As a result, customers were able to obtain their online credit report with greater ease and enhanced security functionality -- resulting in increased revenue for the company's U.S. and U.K. operations.
  • Another area gaining a competitive edge by working with our security team is Equifax Workforce Solutions, which provides employment and income verification as well as human resources business process outsourcing services. Workforce Solutions recently turned to Equifax Security to develop an authentication program for its commercial business portal. Benefits include increased security protection for business customers and a simpler, user-configurable security interface.

History has shown that companies that treat security as a business enabler are much more effective in managing risk, protecting their data assets and ultimately sustaining an industry edge. If the current economic crisis has taught us anything, it is that risk is a constant in our marketplace. For this reason, we must be vigilant in our pursuit of security innovation and new solutions that can mitigate risk and still drive greater business value. Companies that understand this correlation between risk and innovation are the ones that will set the high-water mark for security--and business performance.

SECURITY 7 AWARDS

TONY SPINELLI
TITLE Chief security officer
COMPANY Equifax
INDUSTRY Financial services
KUDOS

  • Board member Information Assurance Board of the U.S. Dept. of Defense
  • Board member Georgia Tech Information Security Center
  • Board member Information Risk Executive Council
  • Has oversight for IT security and compliance; responsible for design, development, monitoring of IT and physical security
  • Manages team of 70 and multimillion dollar budget
  • Protects more than 6,500 employees in 15 countries
  • Instituted a data loss prevention program to secure data on hundreds of millions of consumers and businesses worldwide
  • Oversaw enterprise-wide encryption and DLP programs
  • Tuned more than 1,000 production devices to sniff out bad traffic without impacting services
  • Instituted regular third-party risk assessments and reviews

EDITOR'S PICK
Tony Spinelli has set a standard for data protection that is to be lauded. His institution of a worldwide data loss prevention program, partner assessment processes and participation in numerous influential industry groups make him a model security leader.


INFORMATION SECURITY MAGAZINE'S 5TH ANNUAL SECURITY 7 AWARDS

This was first published in October 2009