Managing risk as important as avoiding it
Security managers becoming more business-oriented
By Jaikumar Vijayan | Washington | Monday, 5 December, 2005
Regulatory compliance issues and concern over data compromises have brought information security issues to the forefront in corporate boardrooms, according to a panel of IT security managers at the Computer Security Institute.
The trend is forcing security managers to adopt a more business-oriented approach to creating security strategies.
Selling management on the need for information security has become easier for IT managers because of privacy threats, data piracy and other issues, says Terri Curran, director of information security at Bose.
“In a sense, the road has been paved more for us. Management knows they’ve got to have security.”
However, security managers often tend to understand technology issues better than they do risk management topics, says Jack Jones, chief information security officer at Nationwide Mutual Insurance in Columbus, Ohio. As a result, their efforts are often misaligned with business goals, he says.
“Perfect security is not achievable,” Jones says.
“At the end of the day, [the security function] is about managing the frequency and magnitude of loss.”
That goal requires that security managers do a better job of putting technology issues into a business context, Jones says. That’s a significant challenge for security officers, he adds.
Organisations should therefore focus on managing risk, not only on avoiding it. “You have to be able to evaluate risks and articulate them in business terms,” Scott-Norris says.
Jennifer Bayuk, CISO at New York-based Bear, Stearns & Co, says it’s also important that security managers demonstrate their value to an organisation — especially because security is often seen as a cost centre offering little return on investment.
“If you can’t demonstrate what you are doing, it doesn’t count,” Bayuk says.
Looking ahead, Bayuk predicts CISOs will have two distinct career paths: a technology-focused position that reports to the CIO and a business-focused role that works with chief risk officers.