In Depth
Security Accountability: The Fault Line
Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.
By Tom Wailgum
He says, above all, that his business peers at Nortel want his group to maintain value and independence in everything that it does and to protect the drivers of the business. Simply stated, Williams says CSOs need to "do strategy
Just after midnight, the final decision was made by the business head, Stephen Donaghy, the vice president of the project management office, to go forward with the contract. Ultimately, he and the three lawyers felt that other general provisions in the contract, which required the vendor to adhere to JM Family's security policies and notify JM Family if a breach actually did occur, were enough of a safeguard against future problems.
In retrospect, Dardet speaks confidently about the conversations they had that night. He's pleased that his business peers were debating infosecurity concerns with him before a final decision was made.
Although Dardet is comfortable with the decision, he's quick to classify this drama as a "very special case due to the financials associated with it." In the end, the risk/reward equation ended in a "Let's go for it." And though he played a serious role in the negotiations, Eduardo Dardet did not make the final call. And that's fine with him.
As much as accountability has to do with awareness and process, it also has as much to do with relationships. That means that CSOs cannot simply hole up in the security department and send out e-mail policy reminders from time to time. CSOs need to put a face on the security department. Their face. And if they can build trust and credibility with their peers, other executives will feel that much more comfortable signing their names on the dotted line.
But most CSOs will advise you to get to know the business and to show your business peers that you think business first, security second. "CSOs have to be an enabler rather than an obstructionist," says William Besse, who's in charge of the physical security for Belo, a large media company with businesses in print, broadcast and interactive media. "CSOs can mandate what to do, but they'll leave [the security function] out of the process if you don't understand their business problems."
Dardet agrees. "We have to give them something that they can make a judgment about," he says. But he stresses that you have to be clear about the business specifics



