Q&A
Ram Charan: The Business of Security
Lynn Mattice, CSO of Boston Scientific, quizzes the man Fortune magazine calls "the most influential business consultant alive" about how security executives can better serve the business
By Sarah D. Scalet
Charan: What I'm saying is to move people early in their careers, from one function to the other. Every function needs to do this more. It's most commonly done in the finance function.
Mattice: We've created an organization called the CSO or Security Executive Council, founded by CSO magazine, to do research for the security profession. What we're seeing more and more today is that people being put into security positions are coming out of nontraditional roles. They're coming out of the business and being assigned to run this business unit that's called security.
CSO: What does that say about the maturity of the security function, if other executives are rotating into security, but security executives aren't rotating out of it yet?
Charan: I'm talking about moving people early in their careers, not at a higher level. If companies are bringing people from outside the security function at higher levels, that might mean the internal people of security were not considered as good. But I don't want to go there, because I don't know the details. There are so many factors.
Mattice: An additional piece of the council's research involves understanding business intelligence and risk and developing a network of information flow so that you can analyze the risk that the company is facing. We see this area as one of the key elements that the security organization can bring to the table with the board and executive committee.
Charan: My sense is that some boards have a risk committee, and usually a general counsel of the company pulls all the risks together in collaboration with the CFO. That is how security fits in.
Mattice: That's where you think we would then flow the information to?
Charan: Exactly. First you've got to see what is the risk committee, if there is any. If there is none, then you look at the audit committee. And with that you have the CFO for sure, and maybe general counsel, and then link to that. The board doesn't want to see all kinds of risks. The board wants to see a unified piece of information and framework.
Mattice: How do you see boards and executive management assessing risk?
Charan: I think the boards are just getting going on it. They are using the risk committee, with inside and outside help, to create a framework for evaluating risk. In one case, I know where a lead director actually has gone and visited the site, particularly in the environmental safety and health arena. But other than brand and reputational risks, and the financial risk evaluation, there's not much high intensity to the overall risk yet.