Information Security Magazine

Head of the Class
by Michael S. Mimoso
Issue: Sep 2006

It's About Risk, Not Threats
Draconian permit-deny security programs are extinct in the enterprise because network perimeters have disappeared. Businesses don't function without interaction and connectivity between partners, suppliers and customers, and security pros have to enable these relationships without hindering the bottom line. Horowitz is finding out that the secret to facilitating those relationships may lie in the pages of the Kaplan book.

"You have to partner with business units," Horowitz says. Wells Fargo, with 140,000 employees worldwide, centrally manages its IT back end, meaning from an operations perspective, security planning and architecture must also be done centrally. "That means you have to be business savvy and understand time-to-market ratios so that products are profitable, yet still address risk," he says.

Being business savvy means not only learning a new set of large-scale financial skills, acquiring comprehensive regulatory knowledge and understanding legalese, but also learning how to talk with business unit managers.

"You have to speak to business units on their terms, and those terms involve customers, customer experience, time to market, profitability and risk. Everything we do is around a risk-based methodology," Horowitz says. "And that's a change because security professionals deal in threats, not risk."

Horowitz, for one, seemed destined for an MBA. Coming out of college in Ohio, he started with Wells Fargo's leadership development program, and after a year of management training, he was entrusted with starting a security remediation and policy compliance team. Horowitz has set a three-year timeline to earn his MBA.

"The CISO needs to be a coordinator and pull processes together and make sense of the regulatory environment," Horowitz says. "You also need to know what write-offs are; what can you depreciate and capitalize; what are incremental spends. It's not just, 'Do I have money,' but 'How do I fit into the moving target that is a budget of this magnitude.'"
