Today's economic climate may mean belt tightening for many security officers, but Anthony Meholic already learned how to do more with less when he joined Republic First Bank after working at global powerhouse JPMorgan Chase. The senior vice president and information security officer at the bank, which serves the greater Philadelphia area, knows what it takes to protect corporate assets in a tough economy.

How do you think the economic downturn will affect security
budgets? It's always been a real chore to justify an information security
budget because you can't put a monetary figure on the return on the
investment. Information security is there to make sure nothing [bad]
happens, so if you're doing your job, nothing [bad] is happening. Given
that you're already starting behind the eight ball, the economic upheaval
in the banking industry is just going to put more of a burden on security
professionals to get more funding. They'll have to learn how to live
with less. Take good stock of your resources, the skill sets of your team,
your networking infrastructure and see what you can do within the limited
budget that you'll be getting.
Can outsourcing help? It's certainly part of the picture. Going from
JPMorgan to Republic First Bank - from a very large international corporation
that had a large budget for security to a smaller regional bank
that doesn't have the [same] resources - gave me good insight on how
to manage and do more with less. If you're a small or midsized bank, you
might not have the resources to have an ethical hacking team like I had
at JPMorgan, or you can't afford some of the more expensive tools. So
you have to rely on vendors to perform some of these services. Typically,
we have vendors performing our vulnerability assessments and penetration
testing.
What else might help in lean times? There are things you can do
with a small team or a small budget. It's going back to basics. One of my
main focuses when I come into a security position is to get a really
detailed understanding of the flow of confidential and restricted data.
You have to know where your data is going and who it's going to; once
you know and understand that, you can start targeting areas of risk. You
need to have a mature risk assessment process in place so you can prioritize
these risk areas. Once you prioritize the risks associated with the
various areas, you can start focusing your limited resources - whether
it's budget, assets or staffing - on those areas. You probably won't cover
every single one, but at least you've hit all the high-risk areas.