4 Priorities of Security Leaders
Data Loss Prevention, Business Alignment Top the 2010 Agenda

The New Year comes with fresh perspectives on priorities to be addressed by information security leaders.
To get a sense of what's top-of-mind, we went to three information security leaders:
- Emil G. D'Angelo, International President of ISACA. He is also the senior Vice President overseeing the corporate data security department at the Bank of Tokyo Mitsubishi UFJ.
- Arya, Vice President of Information Security at Investor's Savings Bank. He focuses on managing data security and enhancing the overall security posture of the Bank.
- John Pironti, President of IP Architects, LLC. He has designed and implemented enterprise-wide electronic business solutions and information security programs for key customers in a wide range of industries.
Here are the four priorities they identified:
1. Data Loss Prevention
As organizations work with other partners both within the country and overseas, data is also going back and forth. "The key question is: Who is taking ownership for protecting this data when information travels beyond your own surveillance," asks D'Angelo. "How can we ensure that this data is protected in transit?"
Ultimately, the challenge requires going back to the fundamentals and addressing questions including:
- How should the data be protected?
- What data is leaving the organization?
- What's the risk to the business if data is lost, stolen or disclosed?
- How are business partners protecting the data?
As a security leader, D'Angelo's main focus is to protect data and prevent loss by extending meaningful security awareness training programs and education to the people who deal with the data, so that they can understand the risk and security implications associated with their job roles and functions.
2. Business Focus
After a major security incident, organizations often decide they need to purchase new security products to prevent a recurrence. But sometimes the solution may be nontechnical: to better align security with business risks and processes. "Our 2010 focus is clearly set on deriving a value proposition on how security can become an enabler in achieving business goals," says Arya. "We are looking to develop a cohesive security operation, driving towards a unified direction of the business." He is looking to accomplish this by:
- Interweaving security into every process and making it action item #1 in every project, while focusing more on the security function's capability to adapt to the changing direction of the business;
- Opening the lines of communication with the business units and understanding their operational needs through periodic meetings with key personnel;
- Producing a "data flow mapping" to begin pinpointing the high-risk areas and developing a risk-mitigating strategy that is cohesive and acceptable to the business process;
- Having an information security program that supports the 10 primary domains of information security, along with critical components including physical security, digital information security, personnel security, disaster recovery, storage and disposal.
However, measuring the success of such a program is challenging. "Such programs need reporting to prove that it's effective in managing and controlling the information flow," says Arya. His focus will be on measuring employees' awareness and establishing a sound reporting structure to ensure that his efforts are on the right track.
3. Vendor Management
Today, organizations are increasingly scrutinized by regulatory agencies to conduct better due diligence when selecting third-party service providers to manage and protect sensitive data. Banking institutions especially are very selective in partnering with third-party vendors. "We will continue to look at privacy and the information protection space as a top priority in 2010," says D'Angelo, who says he will pay special attention to:
- Regulatory Compliance -- Does the vendor service provider have an ongoing relationship with the FDIC? Has the vendor fulfilled the FFIEC guideline fundamentals such as the SAS 70 and other security audits, and does it understand what bank examiners are looking for? Does it follow best practices within information security?
- Industry Depth -- Does the vendor understand the banking business and all the risks associated with it? Does it currently deal with financial clients? Is it 'on top of its game' in proactively protecting and managing its clients' environments and data? Is the vendor educated and aware of the federal laws and regulations governing financial institutions?
- Support -- Does the vendor have a 1-800 number that is functional? Does it have technical support 24/7? How useful is its customer service? How accessible is the vendor to address queries and ad hoc questions when required? How prepared is the vendor to do business with a bank? Does it have its due diligence package ready to be handed over for consideration?
- Security -- Is the vendor keeping ahead and evolving on a daily basis to protect the information assets of its banking clients? Is it taking effective countermeasures against security breaches and other emerging threats?
4. Demonstrating Value & Risk Management
Organizations are increasingly cost conscious and demanding return on investment (ROI) projections and value-centric details of how a particular security product or service can address corporate risks. John Pironti's key focus area this year is to explain the value of security and investment to senior leaders and clients by driving the essentials of a sound risk management program within their organizations and addressing fundamental questions of:
- What does 'security' mean to us?
- Do we have enough of it?
- How do we measure it and the purpose it is serving?
- How do we know if it is succeeding and if our program has value?
- What models/matrixes on decision-making and risk-taking should we adopt within the organization?
- Are the governance processes and controls around those models adequate?
- Do we have the assumptions that underpin the models? Are they properly understood?
- Have they been evaluated? Do they make sense?
"Organizations need to understand what data and information they have that is most sensitive. So there has to be a focus on enterprise risk assessment, to be able to protect and value this data," says Pironti. Additionally, organizations need to know where this sensitive data and information exists. What are the vulnerabilities and weaknesses in the system that can lead to a data compromise? What controls can be put in place to effectively secure the organization?

At Investor Savings, evaluating risks across business units is "the first priority in determining a course of action in 2010," says Arya. Performing a risk assessment would save significant time and energy that would otherwise be wasted discussing the same issues with different areas separately. Security concerns generally overlap across business units; therefore, "The best approach would be to connect different areas and functions to assess the overall risks to the organization and take steps in mitigating these risks toward a common goal of achieving greater control and security of the information."