Executive Guide: Staffing for security, risk management and compliance
This guide is part of SearchCIO.com's Executive Guide series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the Executive Guide section.
[Matt Bolch, Contributor] Does your risk management plan include staff requirements solely from within your current IT group? If so, you should consider looking outside your IT organization for other qualified individuals to tackle your risk management plan. "It's a common mistake that companies make to think an IT risk management organization can be staffed by folks with industry certifications around security," said Ed Adams, CEO at Security Innovation Inc., a Wilmington, Mass.-based independent application security firm. "In order to understand the ramifications of one or a series of events, one has to understand the business and the events in terms of potential lost revenue." And while understanding what occurred may require some technical acumen, Adams said, one needs business know-how to interpret the outcome. An ideal risk manager should have an undergraduate degree in computer science and a master's degree in business administration to effectively manage a company's risk management plan. "IT shouldn't make risk decisions," added Paul Davis, who works at Blue Bell, Pa.-based Unisys Corp. as vice president and program manager for enterprise security, global outsourcing and infrastructure services. "IT is there to deliver services to the business, while assessing risk requires a certain due diligence that's strategically focused on the business."
[James Connolly, Contributor] As a midmarket organization grows, the environment gets more complex. Regulators come into the picture. Hackers take dead aim. Perhaps it's time to hire a chief information security officer (CISO). But when does a midmarket company need one? What triggers the need to hire one? The standard answer, of course, is that each company is different. But CISOs and other experts offer some suggestions. "Our rule of thumb," says John Pescatore, security analyst at Gartner Inc., "is as soon as you need a chief financial officer, you know you need a chief security officer. If your finances are complicated enough to have somebody in charge, then securing your systems and data is complicated enough that somebody has to be in charge." The size of a company's IT department can also indicate the need for a full-time CISO. "If there are 1,000 employees, there usually is a minimum of a couple dozen IT people," Pescatore says. With that many IT people, "there usually is a complicated enough IT structure that a chief security officer is needed," he adds.
[Kate Evans-Correia, News Editor] NEW ORLEANS -- Security and compliance needs are driving improvements in technologies such as identity management and content monitoring. But too many businesses are relying on technology rather than policy to deal with risk management issues. "I get calls all the time from companies who want to know what technology they should buy," said Paul Proctor, research vice president at Stamford, Conn.-based Gartner Inc. "I always ask first, 'What value are you trying to achieve?' You have to start with a policy." The primary objective of a compliance audit, Proctor said, is to confirm you have the right controls in place and that you've anticipated risk. Technology is not the answer, however, warned Proctor, who shared the stage with analyst Mark Nicolett at Gartner's Compliance and Risk Management Summit Wednesday. Indeed, if an auditor finds fault with your controls, it will more likely be due to your failure to implement policy or process, not because you chose the wrong technology, they said. "A risk assessment is a key driver in figuring out what you need to do and where you should be spending your money," he said. At the end of the day, the auditor wants to know if you've taken "due care" -- have you done at least what your peers are doing?
[Matt Bolch, Contributor] Federal regulators and Congress have enacted more than 114,000 business governance rules and regulations over the past quarter century. Of course, no company has to comply with all of those regulations, but many certainly are applicable. And when global regulations are taken into consideration for companies with an international presence, the onus of compliance can be heavy indeed. The Sarbanes-Oxley Act of 2002 (SOX) brought the issue of compliance to the forefront as affected companies dashed to complete the initial documents to demonstrate compliance. Then, while employees were breathing a collective sigh of relief, the realization hit home that the process would have to be repeated again and again to remain in compliance. Keys to staying in compliance include creating comprehensive policies around corporate governance, devising systems to share data across compliance documents to avoid duplication of work, establishing clear lines of responsibility so each person knows what data to gather and when, and making those processes part of a company's culture. But many of those policy and procedure changes are easier said than done, so many companies remain in a reactive mode, struggling to stay in compliance.