This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."
Download it now to read this article plus other related content.
IT IS A SUBTLE YET NOTEWORTHY DISTINCTION that Gary Swindon's job title reads "corporate" information security officer, and not "chief."
"As corporate ISO, I am responsible for security strategy, risk assessment, risk management and audit functions--things that are strategic in nature," says Swindon, who reports to the director of compliance and internal audit at Orlando Regional Healthcare, and not to the CIO. "If you're going to report to the CIO, then the job takes on the flavor of technical security rather than it being a business process."
Meet the new CISO, not quite the same as the old CISO.
This transition from operational security responsibilities to strategic ones resonates throughout the results of Information Security's 2006 Priorities Survey. Security organizations, driven by regulatory mandates, are segregating responsibilities and giving more attention to people and process issues.
"In a nutshell, security is now about risk management," says Ron Woerner, information security manager for ConAgra Foods. "You cannot properly manage risk at the operational level. You must be at the strategic level in order to match the severity of threats and vulnerabilities with the business' risk appetite. This shifts the knowledge and experience requirements for information security from the technology to the business."
|How Much Money Will You Have?|
"This cannot be accomplished by a technician, but by a business leader with the proper authority to see that appropriate business decisions are made," Woerner says.
Ironically, the strategic shift emerges from the confidence that the tactical side of the house is in order. Only four percent of respondents were unsure about their abilities to harden network perimeters against external attacks and to hold malware attacks in check.
"My job as information security officer is not technical," Swindon says. "I own everything that touches and contributes to the protection of information. Information systems are some of my customers. They involve me in project development and looking at security before we do things like implement new systems. It gets less expensive from a business perspective."
Security managers are instead turning their attention and wallets toward risk assessments and evolutionary technologies for streamlining identity management needs, providing secure remote access for employees and partners, and complying with federal regulations. Sixty-seven percent of those who took the survey expect security budgets to increase, and 34 percent project at least a 10 percent jump.
This was first published in December 2005