Information Security Magazine
Implement security and compliance in a risk management context
by Neil Roiter
Issue: Jan 2009

In parallel, Stiglianese says that in larger organizations, CISOs are moving into this role as business/risk managers, communicating with business groups and management on their own terms. They have sufficient tech savvy themselves and rely on experts for the deeper technical background.

Warning Signs
Before taking a job as CISO, make sure the company you are about to join is fluent in risk management.

Eric Holmquist, VP and director of risk management at Advanta Bank, offers three signs that an organization doesn't take risk assessment seriously:

* Information security is positioned as an IT issue, and IT is being asked to manage something it has no control over and that isn't a technology issue.

* The tone you hear is "just follow the guidance." You can never set regulatory expectations as your measure of success. That's always the minimum standard. You must exceed that.

* You see anecdotal evidence that people just give lip service to risk assessment, and that sloppy practices are acceptable culturally. If there aren't exceptionally good controls around data in motion, controls of third parties, etc., you have a big problem.

"If there isn't a tone from the top setting information security as a high priority, you're cooked," Holmquist says.

--NEIL ROITER

COMPLIANCE AND RISK
CFOs have always had to deal with regulatory controls, but not in as public and dramatic a way. The CFO was required to make sure the company was in compliance with GAAP standards, report to various agencies and make sure external auditors would approve financial statements.

But all this happened pretty much behind the scenes, says Stiglianese. Regulations such as SOX have changed the dynamic, drawing intense interest from investors on the outside and the board of directors within. When he started at Citigroup, the regulatory reporting group was under the CFO's office, but "as things have become more highlighted and spotlighted, you bring in a different level of talent to handle the regulatory reporting side."

GLBA created a similar environment for the CISO, but while regulatory change came gradually to the CFO, the CISO was thrust abruptly into the spotlight.

"The CISO," Stiglianese observes, "went from zero to 100 miles per hour instantly."

All Rights Reserved, Copyright 2003 - 2009, TechTarget