The upshot is that while CFOs understand the
regulatory environment, how it affects the business
and how it fits into the risk equation, CISOs are still
learning.
"Coming from the financial background, with
what we were doing with the compliance function,"
says Stiglianese, "I saw I was spending a lot of money
in areas where I really didn't generate risk, and probably
wasn't spending enough to mitigate areas that
were riskier."
These are critical considerations. In contrast,
there's the CISO, who comes to management with a
shopping list of technologies he says they need in order to
comply with PCI or meet the security requirements
of SOX, GLBA or HIPAA. This checklist approach, rather than
a risk-based one, will probably pry some dollars
loose. However, it won't serve the best interests of
the company, which may or may not be technically
compliant, and is not significantly more secure than
it was before the purchase.
Consider that the intent of these regulatory controls
is to protect your company, its customers, its
investors and its partners.
"Compliance is about protecting something, some
resource, typically," says Dick Mackey, vice president
at SystemExperts. "If you fall victim to compromise
because your controls aren't good enough, you didn't
achieve the goal or intent of the regulation."
The premise is that there is risk here. Address
compliance within that context, so that compliance
flows from your risk assessments, rather than being
bolted on.
"When you come up with compliance policy that's
based on risk, you have to come up with something
that works in all cases," says Stiglianese.
That's key to avoid overspending and
devoting redundant resources to comply
with each regulatory requirement, especially
in large organizations, where compliance
may become fragmented among various
business units.
"One of the first things you realize is that we
[financial institutions] are more heavily regulated
than most," says Anish Bhimani, managing director
for security and risk management at JPMorgan Chase.
"So, how do you demonstrate compliance across a
number of varying sets of requirements?"