IS YOUR CHIEF FINANCIAL OFFICER your role model?
That may be overstating the case, but increasingly,
chief information security officers should have a lot
in common with their colleagues in finance. As a 21st
century CISO has to be more than a technologist, the
outstanding CFO is much more than an elevated CPA.
"The CFO should be someone who has initiative,
is well rounded, and who has broad business sense
and broad business experience," says Mark Hogard,
CFO of Oklahoma City-based First Capital. "He has
to think ahead, think outside the box, and make sure
the company is prepared in this ever-changing world."
Both positions have become even more demanding
in today's compliance-heavy business environment,
with unprecedented requirements for data
protection, privacy, consumer protection and corporate
accountability. Even in the financial services sector
where regulatory controls are old hat, the sheer
volume of transactions and explosive growth of data
have altered the paradigm.
Financial services executives call on a new breed
of CISO, who looks to the example of the CFO to
implement compliance and security in a risk assessment
context, instead of simply firewalls, antivirus
and intrusion prevention systems. There are sharp
lessons to be learned for security officers from their
financial counterparts.
WHO ARE YOU?
CISOs have often been outstanding technologists,
very adept at identifying and implementing new security
products and systems. CFOs, on the other hand,
don't regard their positions as being exclusively about
numbers.
"The CFO position has always been about business
evaluation, and the position has always been a business
partner evaluating various business objectives,"
says Mike Stiglianese, who has the unique perspective
of having served in both CFO and chief information
technology risk officer roles at Citigroup.
That's where the CISO role needs to be, but typically
is not. Much more often than not, the position
is in IT, and therein lies much of the problem.
Stiglianese is surprised how few CISOs are like...
him.
Now an independent consultant, Stiglianese
spent his entire career at Citigroup: 25 years on the
finance side, including several CFO positions, and
the last three as CISO. The things he's encountered
outside the CFO chair have opened his eyes.
"The shocking thing was the lack of metrics and
a lack of discipline," he says. For example, he asked
one organization how many applications it had, and
was told 8,000 to 12,000. Count them, he said.