Julie Sartain


IT journalist

Risky business: Marriage of compliance & security


Organizations need to refocus and make compliance the by-product of a comprehensive, effective and monitored security program, rather than the stated goal of such a program, says Andrew Rose, a principal analyst at Forrester.

“It is vital that controls and metrics match the organization's risk profile and risk tolerance, rather than just seeking to tick the boxes that the compliance auditors check,” says Rose. “If there are aspects of the security program that leave elements of compliance unaddressed, then these become discussion points both internally and with the regulator.”

He adds that it is also important for compliance to be measured effectively. Where an organization has to comply with several different regulatory frameworks, it should consolidate the overlapping requirements and move to a “measure once, report many” approach, in which a single set of control measurements feeds every framework's report. In this way, Rose says, consolidated control monitoring helps firms maintain ongoing visibility of their compliance position and prioritize investment.

Funding risk mitigation

The individuals who run companies fall into one of three groups: those who realize the security risk and want to avoid it, those who believe it will not happen to them and do nothing, and those who know they have to do something but are unsure what to do or how to do it, says Benjamin Gaddy, North American advisory board co-chair and information assurance security project manager at (ISC)², a Palm Harbor, Fla.-based nonprofit that offers information security education.

Gaddy says the companies that comprehend the potential risk are the most willing to allocate the funding necessary to mitigate it. These decision-makers know from experience what a breach can cost a company that does nothing, he says, and so are willing to support efforts to prepare. Executives willing to get ahead of the curve, he says, ask, “How much security can I afford?” and then apply funding to the best of their ability. Some companies have deeper pockets than others, but all recognize that security is a vital business expense.

Gaddy's second group includes those companies that usually hire experts to identify what they need and how to navigate from point A to point B. Then it becomes a business decision regarding how to accomplish this task. “This is where a good business becomes critical,” says Gaddy. “It tells a company how to enter into the world of compliance and security. They see it as a good business investment and are willing to show their clients that they have one, and are building a better, more robust one for the future.”

In the third group are companies that don't want to subtract from the bottom line. These firms, Gaddy says, believe that anything other than an anti-virus program is wasted funds. The C-suite doesn't see the risk or believe the organization might be a potential target. “These companies are willing to place their clients' standing at risk to save a few dollars,” he says. “Sometimes, companies with this mindset find themselves in deep trouble when problems occur, including loss of client information, personal data and other items that have a significant impact on the total business profile.”

Rob Ayoub, manager of technical marketing at Fortinet, a Sunnyvale, Calif.-based network security appliances vendor, agrees that compliance may be considered a pressing issue, but adds that improved security does eventually prevent loss. “I believe there has to be a focus on security as opposed to compliance,” he says. “The CISO, or another person responsible for security, has to establish realistic benchmarks and a progression for a risk management plan. There also has to be continued executive-level education around the changing threat landscape and detailed risk analysis to the business.”

It comes down to taking on everything in moderation, says Christie Grabyan, managing security associate at Phoenix-based security consultancy Stach & Liu. “A company's security maturation may go through growth spurts, but you can't expect to grow a foot in a day,” she says. “Even the appropriate risk threshold will change over time. Getting the money to achieve your security strategy is no different than obtaining money for any other business objective.”

In other words, she says, CISOs must address their executive sponsor's pain points, communication style and needs in how they frame the proposal. Then they must ensure that the program makes financial sense, and build trust through effective execution.

Thematic Supplement: The new challenges of the Security Director

 


Source: SC Magazine
Date: 2012-01-02
