Executives in charge of information security should make friends with the CFO, who can give them a broad overview of corporate priorities and see to funding the most important IT projects that protect corporate data.
Security pros should also look skeptically at industry compliance standards and avoid outsourcing security wholesale, said John Pironti, president of IT Architects, speaking at the Interop conference in Las Vegas.
CFOs have a broad view of the company and can appreciate where info security is key to corporate goals, Pironti said. Talking to them can help refine information security goals and nurture support for them in the budgeting process, he added.
Aligning those goals with corporate needs is the right way to go, not blindly following industry compliance standards such as HIPAA and PCI, Pironti said. He noted that the CEO of Heartland -- which has suffered the largest public breach of credit card data anywhere -- has made public statements that the company was compliant with PCI at the time of the breach. "Isn't that scary?" Pironti asked.
Part of PCI fine print says, essentially, "If you've been breached, you couldn't have been compliant," Pironti said. Standards are good in that they give a sense of what a business community at large is doing to address common problems, but corporate risk management should be designed for the individual corporation. They can be aligned with industry standards later, but shouldn't be driven by those standards, he said.
Information security pros should also re-evaluate their security tools periodically to avoid maintaining technologies that may not meet corporate needs anymore. He didn't advocate dumping antivirus software, but pointed out that these products stop 35% to 40% of viruses, down from 47% last year, according to published testing.
Security executives need to distinguish between threats and risk, Pironti said. Threats are bad things that might happen, but risk is the weight given to them based on the practical consequences to the business, and that is unique to each business. "I can tell you about threat, but I can't say how it fits into risk to you," he said.
Pironti advocated that companies create the position of a chief risk officer (CRO) who sits on the board of directors and has the broadest possible view of the business. Such a CRO could offer guidance to CISOs about what assets to protect based on the main goals of the business.
Risk-combating programs should be separate from operational activities in order to keep continuing focus on the major risks. If risk-enforcement leaders get sucked into day-to-day operations they tend to lose focus on risk management, Pironti said. Consultants from outside the company can help, but outsourcing risk management to them altogether is a bad idea. If their contract is canceled, they take with them knowledge of critical functions. Similarly, businesses should avoid following vendor recommendations about what is important to protect. "You're the only one who can say what's critical in your world," he said.
Any risk management program needs enforcement, with well-publicized consequences for failure to comply. If the risk created by the failure is low, so should the punishment be. But for severe breaches that endanger network assets, punishment should be severe and include firing, Pironti said.
This story, "Security pros, meet your new best friend: the CFO" was originally published by Network World.