When asked this, many independent observers – former CSOs or consultants working with CSOs – offer a different perspective. They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.
What has security pros worried?Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most datacenters are held together by sheer heroic effort,” he says. Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation on legislation and regulation related to data privacy around the world and the right controls in place. His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects?
Adam Hansen, the IT security chief at Sonnenschein Nath & Rosenthal in Chicago, says his main worry is data privacy and the possibility of a data breach. The creative content, whether pre- or post-production, is held in film canisters and digitally on servers, and Technicolor guards it through tight physical and IT security.
Risk management can sound like a “Mission: Impossible” episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on.
“I’m always on call,” says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate, and financial services. Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the SOX (Sarbanes-Oxley) and Gramm-Leach-Bliley laws. “The chief audit officer has to translate these laws into control points,” Zamanali explains. Consequently, Zamanali – who reports to the chief risk officer – makes sure he meets with the chief audit officer about once a week to discuss compliance issues.
Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.
What CSOs should be worrying aboutConsultants and other industry experts don’t dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals’ attention. CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston.
Brad Johnson, vice president at SystemExperts, say one key worry that CSOs should have is where and how they’re going to find and retain the best security-savvy employees.
Zeitler, whose 30-year career included positions as CISO at Volkswagen Credit and head of security at Charles Schwab and Fidelity Investments, says a top concern for CSOs should be whether they can find personnel with the right skills at the right price. He points to computer forensics, which requires people trained in procedures to capture potential evidence and preserve it appropriately, as an example.
What to do about compliance Howard Schmidt, the former security chief at eBay and Microsoft and former White House cybersecurity advisor, says there’s no doubt that regulatory-compliance issues are going to be a top worry for the CSO or CISO.
http://www.infoworld.com/article/07/07/24/security-standard-01_1.html