New Security Leadership: The Basics

Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.

By Derek Slater

Page 4

OUT: Silos

Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group... you know the usual drill. Security functions have a history of fragmented organization. "Each of these departments' main mission is 'to protect company assets;' however, each usually reports through a different hierarchy," one privacy and IT security manager puts it. "It makes no sense."

Historically, the greatest chasm - not just organizationally, but culturally as well - lay between information security folks and their corporate security counterparts. Each side has a list of pejorative ways to describe the other's profession and professionals (propellerheads vs. knuckledraggers, etcetera).

IN: Holistic security

Enough squabbling already. Disjointed management and lack of communication lead to a weaker security posture and wasted money due to duplicated efforts.

"The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management," says Lance Wright, principal at the Boyden Global Executive Search company.

Consider these specific areas where holistic security management pays off:

- Business continuity: Mike Hager, who helped get OppenheimerFunds up and running four hours after its offices and systems at the World Trade Center were destroyed on 9/11, puts it best: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective."

- Hiring and firing: When an employee comes on board, she may need a number of assets and rights before she becomes productive: a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. Conversely, a company with disjointed access management can expect a much longer ramp-up time. That's lost money. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.

- Intellectual property protection: IP (patents, ideas, classified research) is stored in many forms, from data on the corporate network, to CAD printouts in the trash can, to drawings on the whiteboard in the graphics department. Losing that proprietary information can cripple a company competitively. Bill Boni, CISO of Motorola and a former Army intelligence officer, notes that the only way to protect intellectual property from threats inside and outside the company is by interconnecting all the necessary defensive measures - logical, physical, legal and otherwise.

- Regulatory compliance: Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces. Who's going to give them an accurate picture if no one has visibility across all security domains?

- Coordinated access management: It's midnight, and the network control center notes that the CEO just logged on to her office workstation. Problem is, the building access card system notes that the CEO left the building five hours ago. If the network and building access controls were coordinated, the night watchman would know he needs to take a stroll down the hall and see who's sitting at the CEO's desk and using her account.
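The midnight-logon scenario above is, in practice, a correlation rule: join the badge system's last known ENTER/EXIT state for a person against each interactive logon for the matching account, and raise a check when someone logs on while badged out. The script below is an added illustration of that rule, not code from CSO or from any vendor product; the log formats, the user-to-account mapping (same identifier in both systems) and the sample events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample records, not from a real badge or logon system.
# Assumption: the badge system and the network use the same user identifier.
BADGE_LOG = [
    "2008-03-04 08:55:10 BADGE user=ceo door=lobby action=ENTER",
    "2008-03-04 19:02:41 BADGE user=ceo door=lobby action=EXIT",
    "2008-03-04 17:30:05 BADGE user=jsmith door=lobby action=EXIT",
    "2008-03-04 21:10:00 BADGE user=jsmith door=lobby action=ENTER",
]
LOGON_LOG = [
    "2008-03-04 09:01:22 LOGON user=ceo host=ceo-ws01 type=interactive",
    "2008-03-05 00:03:17 LOGON user=ceo host=ceo-ws01 type=interactive",
    "2008-03-04 21:15:40 LOGON user=jsmith host=eng-ws07 type=interactive",
    "2008-03-04 23:40:00 LOGON user=contractor host=eng-ws09 type=interactive",
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class BadgeEvent:
    when: datetime
    user: str
    action: str  # "ENTER" or "EXIT"


@dataclass
class LogonEvent:
    when: datetime
    user: str
    host: str


def _parse_line(line: str):
    """Split 'YYYY-mm-dd HH:MM:SS TYPE k=v k=v ...' into (timestamp, fields)."""
    when = datetime.strptime(line[:19], TS_FMT)
    tokens = line[20:].split()          # tokens[0] is the record type
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return when, fields


def parse_badge(line: str) -> BadgeEvent:
    when, f = _parse_line(line)
    return BadgeEvent(when, f["user"], f["action"].upper())


def parse_logon(line: str) -> LogonEvent:
    when, f = _parse_line(line)
    return LogonEvent(when, f["user"], f["host"])


def presence_at(badge_events: List[BadgeEvent], user: str, when: datetime) -> Optional[BadgeEvent]:
    """Most recent badge event for `user` at or before `when`; None if no history."""
    prior = [e for e in badge_events if e.user == user and e.when <= when]
    return max(prior, key=lambda e: e.when) if prior else None


def find_badged_out_logons(badge_lines: List[str], logon_lines: List[str]) -> List[dict]:
    """Return one alert per interactive logon whose user last badged OUT of the building.

    Users with no badge history at all are skipped here (contractors, visitors,
    badge readers that were offline); a real deployment would route those to a
    separate, lower-priority queue rather than silently drop them.
    """
    badge_events = sorted((parse_badge(l) for l in badge_lines), key=lambda e: e.when)
    alerts = []
    for logon in (parse_logon(l) for l in logon_lines):
        last = presence_at(badge_events, logon.user, logon.when)
        if last is not None and last.action == "EXIT":
            alerts.append({
                "user": logon.user,
                "host": logon.host,
                "logon_time": logon.when.strftime(TS_FMT),
                "badged_out_since": last.when.strftime(TS_FMT),
                "action": "dispatch guard to verify who is at the workstation",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_badged_out_logons(BADGE_LOG, LOGON_LOG):
        print(alert)
```

Two caveats worth carrying into any real implementation. First, the rule produces a check, not an automatic lockout: the same signal fires when the executive tailgated back in behind a colleague or left her badge in the car, so the right response is exactly the one the text describes, a person walking down the hall. Second, the join only works if the two systems share an identifier (or a maintained mapping) and reasonably synchronized clocks; a badge reader whose clock drifts by an hour will generate both missed and spurious alerts.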

The most obvious way to manage security holistically is to make one person responsible - a CSO. But even in companies where that's impractical, creating new lines of communication and knocking down formerly adversarial relationships is a must.

(For more about the benefits of holistic security, read "Convergence: The Pain The Payoff" from our special report on convergence.)

Compiled from CSO Magazine and CSOonline.com. Contributing writers include Scott Berinato, Daintry Duffy, Sarah Scalet, Tom Wailgum and Malcolm Wheatley. Send feedback to Executive Editor Derek Slater at dslater@cxo.com.
