They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.
Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most data centers are held together by sheer heroic effort,” he says. When Microsoft discloses software vulnerabilities, as it typically does on the second Tuesday of the month, “We’re scurrying about to get patched, and I worry: What will the bad guys do before we patch everything?” Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation of legislation and regulation related to data privacy around the world and the right controls in place.
His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects? Are new threats coming up that we need to re-balance that portfolio?
At motion-picture processing and games-manufacturing studio Technicolor in Camarillo, Calif., whose clients include DreamWorks SKG, Sony Pictures Entertainment and Paramount, the top worry is attackers who might steal the entertainment content.
Risk management can sound like a “Mission Impossible” episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on. “I’m always on call,” says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate and financial services. Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the Sarbanes-Oxley and Gramm-Leach-Bliley laws. “The chief audit officer has to translate these laws into control points,” Zamanali explains. Consequently, Zamanali — who reports to the chief risk officer — makes sure he meets with the chief audit officer about once a week to discuss compliance issues.
Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.
Consultants and other industry experts don’t dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals’ attention. CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston. Brad Johnson, vice president at SystemExperts, says one key worry that CSOs should have is where and how they’re going to find and retain the best security-savvy employees.
The Palm Harbor, Fla.-based professional organization International Information Systems Security Certification Consortium (ISC2) has had 48,000 security professionals pass its exam for Certified Information Systems Security Professional and other certifications that can often be found listed on the business cards and resumes of CSOs and CISOs.
Zeitler, whose 30-year career included positions as CISO at Volkswagen Credit and head of security at Charles Schwab and Fidelity Investments, says a top concern for CSOs should be whether they can find personnel with the right skills at the right price. He points to computer forensics, which requires people trained in procedures to capture potential evidence and preserve it appropriately, as an example.
Howard Schmidt, the former security chief at eBay and Microsoft and former White House cybersecurity advisor, says there’s no doubt that regulatory-compliance issues are going to be a top worry for the CSO or CISO.
http://www.computerworld.com.sg/ShowPage.aspx?pagetype=2&articleid=5254&pubid=3&tab=Home&issueid=112