Security Management Strategies for the CIO
This article can also be found in the Premium Editorial Download "Information Security magazine: Winners of Information Security magazine's Security 7 Award."
Download it now to read this article plus other related content.
Business leaders and chief security officers take note: when it comes to risk mitigation, compliance alone is not enough to protect your enterprise. It takes a broader security strategy--of which compliance is a part of the whole--to hit the high-water mark. In fact, those organizations that focus on security first to become compliant are seeing greater business impact. Instead of focusing solely on meeting compliance benchmarks, these companies are changing the way they achieve a high-water mark for security performance.
Let's face it, we are entering an era of tighter statutory requirements and rapidly changing regulations. But focusing solely on statute requirements can lead to a disjointed strategy that is neither comprehensive nor aligned with business goals. While compliance mandates are often used to drive security investments, compliance by itself does not ensure a company's security posture.
And while compliance cannot be the sole focus of a security strategy, technology by itself cannot safeguard an enterprise. Increasingly sophisticated threats and growing concerns over data losses are just a few of the issues facing CSOs. For this reason, businesses simply cannot afford to think about security in purely technical terms.
Instead, businesses must look beyond their technology and compliance needs and understand the challenges of ensuring their company's security posture. Achieving this level of transparency requires the right mix of innovation,
Requires Free Membership to View
talent and technology underscored by a strategy that addresses risk at the broadest level. This is where relationships with business partners and vendors can play a valuable role. By joining forces with industry-leading third-party providers, companies gain access to new thinking and innovation to address key needs and challenges. With the right strategy and technology partnerships, businesses can drive a consistent and global set of security practices focused on risk reduction and information security.
At Equifax, we have implemented a strategy to minimize operational and information risk, which includes safeguarding data on hundreds of millions of consumers and businesses worldwide. Equifax tackled this complex undertaking by adopting a simple but powerful vision: that security must be treated as a business. Here's a snapshot of how it worked.
Recognizing that compliance is not the only measure of security, Equifax set out to develop and implement a plan to consolidate all of its security functions into a centralized organization. Equifax chartered a process to assess the company's risks globally and then developed an integrated strategy that aligns its risk mitigation and information security needs with real-world business requirements.
In less than three years, Equifax made its vision a reality and not only transformed its security department into a global center of excellence but also enabled the company to drive greater synergies across its business units. Today, compliance is just one of the many benefits of Equifax's comprehensive security program and strong security position. Faster access to information, enhanced business intelligence and increased visibility of enterprise-wide IT services are among some additional business benefits Equifax has reaped by applying the right mix of innovation, business acumen and technology.
The ability to leverage this type of value from a security investment can go a long way in forging stronger ties with the businesses we protect. While it can be challenging to convince a business unit to dedicate significant capital to security initiatives, the process is well worth the return on investment. Applying security innovation to risk mitigation and data protection strategies can empower businesses to identify new growth opportunities and deliver better, customer-centric solutions.
Here's how we brought this approach to a few of our own business units:
- Equifax Personal Information Solutions, which provides consumer credit and identity theft protection products, has seen first-hand the impact of innovative security solutions at work. Partnering with Equifax's Security Engineering team, Personal Information Solutions enhanced the authentication process used by new customers to access their Equifax credit report online. As a result, customers were able to obtain their online credit report with greater ease and enhanced security functionality-- resulting in increased revenue for the company's U.S. and U.K. operations.
- Another area gaining a competitive edge by working with our security team is Equifax Workforce Solutions, which provides employment and income verification as well as human resources business process outsourcing services. Workforce Solutions recently turned to Equifax Security to develop an authentication program for its commercial business portal. Benefits include increased security protection for business customers and a simpler and user configurable security interface.
History has shown that companies that treat security as a business enabler are much more effective in managing risk, protecting their data assets and ultimately sustaining an industry edge. If the current economic crisis has taught us anything, it is that risk is a constant in our marketplace. For this reason, we must be vigilant in our pursuit of security innovation and new solutions that can mitigate risk and still drive greater business value. Companies that understand this correlation between risk and innovation are the ones that will set the high-water mark for security--and business performance.
 |
|
|
|
|||
|
|
|
|
|||
|
|
SECURITY 7 AWARDS | |
|||
|
|
|
|
|||
| ||||||
|
|
|
|
|||
|
TONY SPINELLI
EDITOR'S PICK |
||||||
| ||||||
|
|
|
|
|||
| ||||||
| ||||||
INFORMATION SECURITY MAGAZINE'S 5TH ANNUAL SECURITY 7 AWARDS
Introduction
JERRY FREESE
Make Critical Infrastructure a Priority: Critical infrastructure protection must be addressed today to protect our country tomorrow.
MELISSA HATHAWAY
Government Must Keep Pace with Cybersecurity Threats: Securing the Internet means to much to the future of the U.S. economy and national security.
BRUCE JONES
Report Security and Risk Metrics in a Business-Friendly Way: Security metrics must, not only provide a view of security posture, but must support security budgeting and investment processes.
JON MOORE
Build a Security Control Framework for Predictable Compliance: Healthcare provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
ADRIAN PERRIG
Improve SSL/TLS Security Through Education and Technology: Carnegie Mellon University's CyLab designs security to improve all aspects of society.
BERNIE ROMINSKI
Communicate Effectively with Management About Risk: Learn how to communicate with senior management about risk; it's your job.
TONY SPINELLI
Prioritize Information Security over Compliance: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.
This was first published in October 2009
Join the conversationComment
Share
Comments
Results
Contribute to the conversation