4 Priorities of Security Leaders

Data Loss Prevention, Business Alignment Top the 2010 Agenda

The New Year comes with fresh perspectives on the priorities that information security leaders must address.

To get a sense of what's top-of-mind, we went to three information security leaders:

Emil G. D'Angelo
International President of ISACA. He is also Senior Vice President overseeing the corporate data security department at the Bank of Tokyo Mitsubishi UFJ.
Jay Arya
Vice President of Information Security at Investor's Savings Bank. He focuses on managing data security and enhancing the overall security posture of the Bank.
John Pironti
President of IP Architects, LLC. He has designed and implemented enterprise-wide electronic business solutions and information security programs for key customers in a wide range of industries.

Here are the four priorities they identified:

1. Data Loss Prevention

As organizations work with partners both domestically and overseas, data moves back and forth between them. "The key question is: Who is taking ownership for protecting this data when information travels beyond your own surveillance?" asks D'Angelo. "How can we ensure that this data is protected in transit?"

Ultimately, the challenge requires going back to the fundamentals and addressing questions including:

  • How should the data be protected?
  • What data is leaving the organization?
  • What's the risk to the business if data is lost, stolen or disclosed?
  • How are business partners protecting the data?

As a security leader, D'Angelo focuses on protecting data and preventing loss by extending meaningful security awareness training and education to the people who handle the data, so that they understand the risk and security implications of their job roles and functions.

2. Business Focus

After a major security incident, organizations often decide they need to purchase new security products to prevent a recurrence. But sometimes the solution may be nontechnical: to better align security with business risks and processes. "Our 2010 focus is clearly set on deriving a value proposition on how security can become an enabler in achieving business goals," says Arya. "We are looking to develop a cohesive security operation, driving towards a unified direction of the business." He is looking to accomplish this by:

  • Interweaving security into every process and making it action item #1 in every project, and focusing more on the security function's ability to adapt to the changing direction of the business;

  • Opening the lines of communication with the business units and understanding the operational needs by periodic meetings with key personnel;

  • Using data flow mapping to begin pinpointing the high-risk areas and developing a risk-mitigation strategy that is cohesive and acceptable to the business process;

  • Having an information security program that supports the 10 primary domains of information security, along with critical components including physical security, digital information security, personnel security, disaster recovery, storage and disposal.

However, measuring the success of such a program is challenging. "Such programs need reporting to prove that it's effective in managing and controlling the information flow," says Arya. His focus will be on measuring employees' awareness and establishing a sound reporting structure to ensure that his efforts are on the right track.

3. Vendor Management

Today, regulatory agencies increasingly scrutinize how well organizations conduct due diligence when selecting third-party service providers to manage and protect sensitive data. Banking institutions especially are very selective in partnering with third-party vendors. "We will continue to look at privacy and the information protection space as a top priority in 2010," says D'Angelo, who says he will pay special attention to:

  • Regulatory Compliance -- Does the vendor service provider have an ongoing relationship with the FDIC? Has the vendor fulfilled the FFIEC guideline fundamentals, such as the SAS 70 and other security audits, and does it understand what bank examiners are looking for? Does it follow information security best practices?

  • Industry Depth -- Does the vendor understand the banking business and all the risks associated with it? Does it currently deal with financial clients? Is it 'on top of its game' in proactively protecting and managing its clients' environments and data? Is the vendor educated and aware of the federal laws and regulations governing financial institutions?

  • Support -- Does the vendor have a functional 1-800 number? Does it offer 24/7 technical support? How useful is its customer service? How accessible is the vendor for queries and ad hoc questions when required? How prepared is the vendor to do business with a bank? Does it have a due diligence package ready to hand over for consideration?

  • Security -- Is the vendor keeping ahead of threats and evolving daily to protect the information assets of its banking clients? Is it taking effective countermeasures against security breaches and other emerging threats?

4. Demonstrating Value & Risk Management

Organizations are increasingly cost-conscious, demanding return on investment (ROI) projections and value-centric details of how a particular security product or service addresses corporate risks. John Pironti's key focus this year is explaining the value of security and security investment to senior leaders and clients, by driving the essentials of a sound risk management program within their organizations and addressing fundamental questions:

  • What does 'security' mean to us?
  • Do we have enough of it?
  • How do we measure it and the purpose it is serving?
  • How do we know if it is succeeding and if our program has value?
  • What models/matrices for decision-making and risk taking should we adopt within the organization?
  • Are the governance processes and controls around those models adequate?
  • Have we identified the assumptions that underpin the models? Are they properly understood?
  • Have they been evaluated? Do they make sense?

"Organizations need to understand what data and information they have that is most sensitive. So there has to be a focus on enterprise risk assessment, to be able to protect and value this data," says Pironti. Additionally, organizations need to know where this sensitive data and information exist. What are the vulnerabilities and weaknesses in the system that can lead to a data compromise? What controls can be put in place to effectively secure the organization?

At Investor's Savings Bank, evaluating risks across business units is "the first priority in determining a course of action in 2010," says Arya. Performing a risk assessment would save significant time and energy that would otherwise be wasted discussing the same issues with each area separately. Generally, security concerns overlap across business units; therefore, "The best approach would be to connect different areas and functions to assess the overall risks to the organization and take steps in mitigating these risks toward a common goal of achieving greater control and security of the information."

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.
