Implement security and compliance in a risk management context
by Neil Roiter
Issue: Jan 2009

"They said, 'Everyone calls an application a different thing.' I said, 'Let's have a meeting and define something. I'll call it an application and you guys call it whatever you want, but we're going to count how many of those things we have.'"

He says simple program and project management are missing, because information security is overly focused on technology and not on planning. "That type of stuff was the basics that you had on the CFO side." The CFO sees everything in terms of risk assessment.

What are the potential gains and what are the exposures? What is the potential return and how much can we lose if a loan or investment goes south? What will this new technology or this new service cost us, and what can we expect in revenues, and when? What controls do we need for regulatory compliance, and do they properly mitigate risk to the business? Because he is grounded in risk assessment and business, the CFO has the ear of upper management (he's one of them) and will be much more receptive to supplicants who "get" business.

The IT-based CISO, especially if he is comfortable there, likely has less insight into the business and will have trouble selling new security programs and technologies to business people who think in terms of risk/reward and cost/benefit.

"If the CISO is a technology person, more often than not, he doesn't have enough gravitas with senior management to get their attention, to make them aware of a business issue," says Eric Holmquist, VP and director of risk management at Advanta Bank.

The CISO can be reduced to trying to sell insurance to executives who are not convinced of the risk. The CFO understands that he must be able to take his special knowledge, translate it into business terms and communicate effectively to the investor community outside the organization and the board and management within.

"I have the financial information, and I have enough of a financial background that I know what makes sense," says Stiglianese. "And I'm going to make it easier for other people to understand."

At Citigroup, for example, the CFOs have business backgrounds, with "enough financial expertise to know what makes sense." They call on their financial experts to give them the information they need.
