Regulatory compliance requirements and concerns over data compromises have elevated the importance of information security issues in corporate boardrooms, according to panelists at the 32nd annual conference organized by the Computer Security Institute. And that trend is lending urgency to the need for security managers to adopt a more business-oriented approach to their jobs.
Selling security to management has become easier because of issues such as privacy threats and data piracy, said Terri Curran director of information security at Bose. "In a sense the road has been paved more for us" by such issues, she said. "Management knows they've got to have security."
The problem is that security managers often tend to understand technology issues better than they understand risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance in Ohio. As a result there often is a misalignment with business goals, he said.
"Perfect security is not achievable," Jones said. "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
Being able to do that requires security managers to do a better job of taking technology issues and putting them in a business context, he said. "That's a significant problem for us," he said. "As long as we have a misalignment between the two, we have a challenge."
Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity, said Jane Scott-Norris, CISO at the U.S. State Department. That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms," Scott-Norris said.
To be successful, CISOs need to have a combination of technology skills and business savvy, said Bill Hancock, vice president of global security solutions at Savvis Communications. "If you don't know how to communicate well, you will fail as a CISO," he said.
Jennifer Bayuk, CISO at New York-based Bear, Stearns & Co., said that it's also important for security managers to be able to demonstrate the value they bring to an organization -- especially because security is often seen as a cost center offering little return on investment.
"If you can't demonstrate what you are doing, it doesn't count," she said. As a result, there is a need for security managers to be able to put auditable security practices in place, she said.
Looking ahead, Bayuk predicted that CISOs will have two distinct career paths: one will be technology-focused and will involve reporting to the CIO; the other will be more business-focused and will involve dealing with chief risk officers or executives with that kind of responsibility.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Delivering the Power of Choice with Microsoft Dynamics CRM
Email Archiving Implementation: Five Costly Mistakes to Avoid
Everything you need to know about email and web security (but were afraid to ask)
Making the Business Case for IT Consolidation
Discover the advantages of an open architecture multi-vendor network solution
Achieving the impossible: Unlimited application scalability
How to improve employee productivity in small and medium businesses
The state of Middleware
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #98: The Future of Datacentre IP 18/12/2008 10:33:00
CW Live speaks withLin Nease, Director of Emerging Business for HP ProCurve, to discuss the future of networks, including the effect of IP-based storage on datacentres, new capacity requirements generated by the use of 10Gb Ethernet, and how an efficient network design can slash energy and cooling costs, and help enterprises build a "green" image. - +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport.
F-Secure Warns About a Worm Affecting Corporate Networks 2009-01-08 16:42:00+11
Research software developer appoints Susan Dart to new Business Development Director role 2009-01-08 09:08:00+11
Research software developer appoints Susan Dart to new Business Development Director role 2009-01-08 09:08:00+11
Anyware Introduce Two Powerful PCI TV Tuner Cards with S5 Power Up and Windows Media Center Remote 2009-01-07 17:30:00+11
Fortinet Cures Mobile Phone “Curse of Silence/CurseSMS” Attack 2009-01-07 16:30:00+11
Email Archiving 101—Customer Case Study
Join Lee Benjamin, a Microsoft Exchange MVP and Ryan Shipkowski, network administrator for Matthews, to discuss the process and ROI of implementing an email archiving solution, with emphasis on a case study from Matthews International.
