Different Ports Of Call, Same Mandate

Whether the view is from Europe or Australia, CSOs look at their roles as part of a global effort to manage risks and protect assets. The three CSOs we consulted via e-mail – from Australia, Finland and Italy – each noted that the profile of the security function in their organizations is rising, and that they consider in-house threats more dangerous than external ones. Each is also less inclined to support government authorities who seek to regulate security matters, but they’d like to see more information sharing between law enforcement and corporations. Here’s more of what each had to say.

John Geurts Executive General Manager for Group Security Commonwealth Bank of Australia At Sydney-based Commonwealth Bank, John Geurts, executive general manager for group security, says it’s important for his bank – at $360 billion in assets, one of Australia’s largest – to keep up with best practices at global leaders.

“We recently conducted a review of our practices against several leading financial services companies in the United States and the United Kingdom,” Geurts writes. “It was pleasing to see that our structure and practice had much in common with leading thinking, and that security management is maturing in light of the threat and technological environment we are faced with.”

Geurts says his role encompasses all aspects of security – including fraud, physical security, information security and crisis management, as well as emerging threats. “I am most likely to be concerned about ensuring the enterprisewide coverage of those issues that do not neatly fit into any of the above disciplines – for example, the relationship between IT security and fraud,” he writes.

And that relationship between information security and fraud – what he calls “transnational e-crime and its impact on our customers” – is his most pressing concern, after ensuring the safety of Commonwealth’s staff and customers.

As for government regulation of security, Geurts advocates a hands-off, yet collaborative approach. He says government “should permit greater collaboration in sharing threat information with business. They should not seek to regulate on matters they do not fully understand in a free market.”

Urho Ilmonen CSO, Nokia Finland Urho Ilmonen, CSO of Nokia in Espoo, Finland, sounds like a spokesman for his industry colleagues when he says that information security is top-of-mind for high-tech companies worldwide.

“The current strained commercial situation and the rapid development of new competitors has fostered a market for technical and financial information, often sought after by investigation and information-gathering organizations of all shapes and kinds,” he writes.

Information technology has another impact on Nokia, the $46 billion maker of mobile phones and other communications: It’s made Ilmonen resigned to the idea that outsourcing is here to stay. This adds a challenge for CSOs, he says, because while the scope of activities has not grown, the volume has: “As we regard the outsourcing companies as members of the extended enterprise, we need to treat them securitywise in the same way [as our company], ensuring the same good level in security at their premises and operations that we provide in-house.”

As for government regulations, it’s hands-off. “I do not believe in regulating security,” writes Ilmonen. “Security is a mind-set and a way of operating, and no amount of regulation will improve the state of corporate security unless we do our part in the private sector. I would like to see a truly open exchange of information between the authorities in any country we operate in and our respective departments. Security clearances [now] hamper the progress.”

According to Ilmonen, the CSO needs to show he can enable his organization to operate with fewer risks and assets lost. Success in this regard means “there will be lots of esteem” bestowed upon the CSO. If the added value remains theoretical, other executives will not appreciate the service.

Riccardo Cerretelli Head of Global IT Security Eli Lilly, Italy From his infosec office at drug maker Eli Lilly in Florence, Italy, Riccardo Cerretelli, head of global IT security, sees his job as acting locally and thinking globally. “IT security projects and services are globally managed. There are no differences between our approach and the approach of our U.S. colleagues,” Cerretelli says of the $16 billion Eli Lilly, which is based in Indianapolis.

This CISO’s priority is developing a strategy to deploy software security patches. The time between the report of a security vulnerability to the exploit release is shrinking. In this state, he says, formulating an approach that works – especially when taking mobile users into account – is a real challenge.

Outsourcing can help in this regard by freeing up resources to handle big challenges, Cerretelli says. He says that by outsourcing the day-to-day activities – for example, antivirus monitoring activity – Eli Lilly is able to free up its resources, and then use those folks for projects or architecture strategy activities.

Cerretelli doesn’t speak in favour of government regulation, but he would like to see the Italian government play a leading role in incident response activities and IT security education programs.