
Resources To Meet The Security Challenges


Jeff Theiler, SVP, Chief Information Security Officer, Hancock Bank
For security professionals, or any management professional for that matter, the key to managing limited resources is to focus on the key risks. Sound governance, risk and compliance practices are an effective way to manage limited information security resources - they may even lead to more resources!
The need for an improved risk management focus, among other things, is changing the CISO role. The role is transitioning beyond a primarily technical focus to include skill sets related to business strategy integration and risk management principles. With these skills, CISOs are being asked to facilitate business solutions that balance the need to secure information against the business's need for information access and convenience in pursuit of its objectives. That is not to say that IT and information security professionals have not been practicing risk management. Rather, I think the challenge has been translating technology and security risks into understandable business impacts that can drive the resource discussion and enable the CISO to play a more integrated role with corporate and line-of-business executives in strategic business decisions. To facilitate resource discussions, CISOs can rely on several fundamental elements.
First, for organizations practicing ERM (enterprise risk management), use the existing risk framework to develop or refine IT risk assessment processes. Are these processes using the same scoring and rating methodologies as the rest of the organization? The same taxonomy? In short, use the risk language of the organization to convey IT or security risks in terms of business impact without too much "techno-speak." The focus is on identifying critical security gaps, the mitigation activities for them, and the resources needed to address them. This enables all involved to determine which risks to accept, avoid or resolve.
Second, develop a corporate risk profile for enterprise security. This profile clearly outlines for directors, executive management, regulators and others what the organization looks like, the playing field if you will, as it relates to the organization's use of information assets: where they are located, how they are accessed, and so on, along with the key risks, available resources and top security initiatives that support the risk profile. Be sure to reference the third-party technology providers supporting the organization and whether they hold customer data.
Third, enterprise-level security metrics (key performance or risk indicators) are crucial to the resource discussion. Any number of metrics are available for IT and information security. The goal is to reduce them to a handful of enterprise-level metrics that give a clear indication of the effectiveness and efficiency of the security program. For example, comparing your information security budget as a percentage of the IT budget against industry benchmarks and/or peer data, and further referencing key metrics around vulnerability management, can certainly focus attention on the resources needed to address risks.
Finally, determine the maturity level of your security organization. If the organization is not following one of the security frameworks (ISO, COBIT, etc.) and even the most fundamental "blocking and tackling" activities associated with effective security management are a challenge, then pursuing complex initiatives that require significant investment or resource capabilities may not be a good use of time or effort.
