
Ping: Bruce Bonsall

MassMutual's Bruce Bonsall

This article can also be found in the Premium Editorial Download: Information Security magazine: Keeping on top of risk management and data integrity essentials

In the heavily regulated financial services world, security policy compliance is paramount. Bruce Bonsall, CISO of MassMutual Financial Group, explains how his organization ensures that every IT project properly addresses security and doesn't progress without his office's seal of approval.

What do you do as CISO to get security baked into projects?
We've instituted a governance process with IT projects similar to a building permit. During the concept and definition phase, the project team gets in touch with my security consultants to identify any security implications. It doesn't matter whether they're writing new code, buying technology or outsourcing a function to a third party; anything that involves the processing, transmission or storage of information goes through this process.

We still need to broaden it to more areas in the company. It's growing from a security governance process to more of an IT process, and then it will become a corporate governance issue.

Where do CISOs invariably slip up with regard to policy compliance?
I would be willing to bet that some CISOs are having a hard time getting their jobs done because they haven't engaged their business people well enough and haven't approached security as a business issue; they've approached it as a series of technical implementations, but they need to take a holistic risk management approach. They've failed to adequately market the services provided by the security team, and to help business people understand risks.

Do you speak a different language today than you did a few years ago?
I worked hard to understand issues from a business perspective, not just from a security practitioner's perspective. I've learned to frame things in terms business people can relate to.

I made a concerted effort to meet with every senior executive. I got to understand them better and to explain myself better to them.

I was at a roundtable recently, and one of the participants said that the business doesn't understand what we're telling them. I responded that it's not the listener's responsibility to understand the speaker; it's the speaker's job to convey terms that are understandable. It's our fault if they don't get it.

Read the extended version of this interview online at searchsecurity.com/ismag.

This was last published in April 2005
