Three CSOs Offer Security Views from Around the World

John Geurts

Executive General Manager for Group Security, Commonwealth Bank of Australia

At Sydney-based Commonwealth Bank, John Geurts, executive general manager for group security, says it’s important for his bankat $284.4 billion in assets, one of Australia’s largestto keep up with best practices at global leaders.

“We recently conducted a review of our practices against several leading financial services companies in the United States and the United Kingdom,” Geurts writes. “It was pleasing to see that our structure and practice had much in common with leading thinking, and that security management is maturing in light of the threat and technological environment we are faced with.”

Geurts says his role encompasses all aspects of securityincluding fraud, physical security, information security and crisis management, as well as emerging threats. “I am most likely to be concerned about ensuring the enterprisewide coverage of those issues that do not neatly fit into any of the above disciplinesfor example, the relationship between IT security and fraud,” he writes.

And that relationship between infor-mation security and fraudwhat he calls “transnational e-crime and its impact on our customers”is his most pressing concern, after ensuring the safety of Commonwealth’s staff and customers.

As for government regulation of security, Geurts advocates a hands-off, yet collaborative approach. He says government “should permit greater collaboration in sharing threat information with business. They should not seek to regulate on matters they do not fully understand in a free market.”

Urho Ilmonen

CSO, Nokia, Finland

Urho Ilmonen, CSO of Nokia in Espoo, Finland, sounds like a spokesman for his industry colleagues when he says that information security is top-of-mind for high-tech companies worldwide.

“The current strained commercial situation and the rapid development of new competitors has fostered a market for technical and financial information, often sought after by investigation and information-gathering organizations of all shapes and kinds,” he writes.

Information technology has another impact on Nokia, the $36.2 billion maker of mobile phones and other communications: It’s made Ilmonen resigned to the idea that outsourcing is here to stay. This adds a challenge for CSOs, he says, because while the scope of activities has not grown, the volume has: “As we regard the outsourcing companies as members of the extended enterprise, we need to treat them securitywise in the same way [as our company], ensuring the same good level in security at their premises and operations that we provide in-house.”

As for government regulations, it’s hands-off. “I do not believe in regulating security,” writes Ilmonen. “Security is a mind-set and a way of operating, and no amount of regulation will improve the state of corporate security unless we do our part in the private sector. I would like to see a truly open exchange of information between the authorities in any country we operate in and our respective departments. Security clearances [now] hamper the progress.”

According to Ilmonen, the CSO needs to show he can enable his organization to operate with fewer risks and assets lost. Success in this regard means “there will be lots of esteem” bestowed upon the CSO. If the added value remains theoretical, other executives will not appreciate the service.

Riccardo Cerretelli

Head of Global IT Security,Eli Lilly, Italy

From his infosec office at drug maker Eli Lilly in Florence, Italy, Riccardo Cerretelli, head of global IT security, sees

his job as acting locally and thinking globally. “IT security projects and services are globally managed. There are no differences between our approach and the approach of our U.S. colleagues,” Cerretelli says of the $12.6 billion Eli Lilly, which is based in Indianapolis.

This CISO’s priority is developing a strategy to deploy software security patches. The time between the report of a security vulnerability to the exploit release is shrinking. In this state, he says, formulating an approach that worksespecially when taking mobile users into accountis a real challenge.

Outsourcing can help in this regard by freeing up resources to handle big challenges, Cerretelli says. He says that by outsourcing the day-to-day activitiesfor example, antivirus monitoring activityEli Lilly is able to free up its resources, and then use those folks for projects or architecture strategy activities.

Cerretelli doesn’t speak in favor of government regulation, but he would like to see the Italian government play a leading role in incident response activities and IT security education programs.

-Kathleen Carr