Navigating the muddy waters of enterprise infosec

Stacy Collett | Sept. 22, 2016
Information security finally has executives’ attention, but aligning with business needs is still challenging.

So how can enterprises get from where they are today to having a cohesive, funded and fully implemented information security program? IT leaders and analysts share tips for navigating these muddy waters and protecting the organization from threats.

Emphasize awareness

About a year ago, customers of sales and marketing advisory firm SiriusDecisions started asking questions about the security of the information they share with the Wilton, Conn.-based company. With all the news about data breaches, they were concerned that a weak link might jeopardize the competitive intelligence they shared.

Vice president of IT Jonathan Block knew the firm’s infosec policies and procedures were sound. SiriusDecisions operates entirely in the cloud, relying on big-name vendors whose security practices far exceed what the firm could do on its own. But he says the growing number of client inquiries, along with a slew of highly publicized security breaches at other companies, “lit a fire under us,” underscoring the importance of information security both internally and for the firm’s clients.

[Chart: Why security is under scrutiny]

Today, SiriusDecisions shares detailed information with customers about its service providers’ security certifications and audits, trains every employee on information security awareness, especially social engineering — its biggest threat today — and earmarks 10 percent of its IT budget specifically for infosec initiatives.

Asked to grade the firm’s efforts, Block says, “I’d give us a solid B. Our goal is to try to get ahead of a lot of these things. The frequency and severity of attacks are always going to increase, but we’ve identified the type of attacks that do the most damage, and we focus our efforts on those.”

Create a communication channel

At Wells Fargo, executives are much more knowledgeable about information security than they were four years ago, says chief information security officer Rich Baich, who became the bank’s first CISO in 2012.

Much of the improvement centers around better collaboration and communication between technical and nontechnical staff, business units and executives, he says. To help get there, Wells Fargo realigned its security hierarchy. In January 2015, Baich began reporting to the chief risk officer instead of the CIO to emphasize security’s risk-based focus and to improve transparency with the board of directors.

“I’m not in technology,” Baich says. “[The new hierarchy] allowed us to effectively create a communication channel that helped people understand the language of security, the importance of security, how it fits into the larger, overall risk management construct — and ultimately helped drive and make this part of our culture, [in which] every individual team member is a risk manager.”

[Chart: Aligning business and infosec goals]