April 27, 2010, 9:50 PM — Executives in charge of information security should make friends with the CFO, who can give them a broad overview of corporate priorities and see to funding the most important IT projects that protect corporate data.
Security pros should also look skeptically at industry compliance standards and avoid outsourcing security wholesale, said John Pironti, president of IT Architects, speaking at the Interop conference in Las Vegas.
CFOs have a broad view of the company and can appreciate where info security is key to corporate goals, Pironti said. Talking to them can help refine information security goals and nurture support for them in the budgeting process, he added.
Aligning those goals with corporate needs is the right way to go, not blindly following industry compliance standards such as HIPAA and PCI, Pironti said. He noted that the CEO of Heartland -- which has suffered the largest public breach of credit card data anywhere -- has made public statements that the company was compliant with PCI at the time of the breach. "Isn't that scary?" Pironti asked.
Part of the PCI fine print says, essentially, "If you've been breached, you couldn't have been compliant," Pironti said. Standards are good in that they give a sense of what the business community at large is doing to address common problems, but corporate risk management should be designed for the individual corporation. That risk management can be aligned with industry standards later, but it shouldn't be driven by those standards, he said.
Information security pros should also re-evaluate their security tools periodically to avoid maintaining technologies that may not meet corporate needs anymore. He didn't advocate dumping antivirus software, but pointed out that these products stop 35% to 40% of viruses, down from 47% last year, according to published testing.
Security executives need to distinguish between threats and risk, Pironti said. Threats are bad things that might happen, but risk is the weight given to them based on the practical consequences to the business, and that is unique to each business. "I can tell you about threat, but I can't say how it fits into risk to you," he said.