Tuesday, August 16, 2022

CSI panel: security managers need a bigger business focus

Regulatory compliance requirements and concerns over data compromises have elevated the importance of information security issues in corporate boardrooms, according to panelists at the 32nd annual conference organized by the Computer Security Institute. And that trend is lending urgency to the need for security managers to adopt a more business-oriented approach to their jobs.

Selling security to management has become easier because of issues such as privacy threats and data piracy, said Terri Curran, director of information security at Framingham, Mass.-based Bose Corp. “In a sense, the road has been paved more for us” by such issues, she said. “Management knows they’ve got to have security.”

The problem is that security managers often tend to understand technology issues better than they understand risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.

As a result, there often is a misalignment with business goals, he said. “Perfect security is not achievable,” Jones said. “At the end of the day, [the security function] is about managing the frequency and magnitude of loss.”

Being able to do that requires security managers to do a better job of taking technology issues and putting them in a business context, he said. “That’s a significant problem for us,” he said. “As long as we have a misalignment between the two, we have a challenge.”

Increasingly, the goal isn’t about information security but about information assurance, which deals with issues such as data availability and integrity, said Jane Scott-Norris, CISO at the U.S. State Department.

That means organizations should focus not only on risk avoidance but also on risk management, she said. “You have to be able to evaluate risks and articulate them in business terms,” Scott-Norris said.

To be successful, CISOs need to have a combination of technology skills and business savvy, said Bill Hancock, vice-president of global security solutions at Savvis Communications Inc. in St. Louis. “If you don’t know how to communicate well, you will fail as a CISO,” he said.
