Information security, risk management and compliance staffing guide

Information security, risk management and compliance are serious issues for CIOs. This Executive Guide offers insights on how to recruit, manage and retain skilled IT staff members who can manage these complicated tasks.

Information security, risk management and compliance overlap in many ways, mostly because of the serious impact they have on the business. CIOs face many new responsibilities and challenges in meeting the needs of these three areas -- staffing among them. In this guide, get advice and insight from industry experts and practitioners on how to recruit, manage and retain skilled IT staff members who can manage your security, risk management and compliance tasks.

This guide is part of SearchCIO.com's CIO Briefing series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the CIO Briefing section.

  Risk management staffing isn't always part of IT

Does your risk management plan include staff requirements solely from within your current IT group? If so, you should consider looking outside your IT organization for other qualified individuals to tackle your risk management plan.

"It's a common mistake that companies make to think an IT risk management organization can be staffed by folks with industry certifications around security," said Ed Adams, CEO at Security Innovation Inc., a Wilmington, Mass.-based independent application security firm. "In order to understand the ramifications of one or a series of events, one has to understand the business and the events in terms of potential lost revenue."

And while understanding what occurred may require some technical acumen, Adams said, one needs business know-how to interpret the outcome. An ideal risk manager should have an undergraduate degree in computer science and a master's degree in business administration to effectively manage a company's risk management plan.

"IT shouldn't make risk decisions," added Paul Davis, who works at Blue Bell, Pa.-based Unisys Corp. as vice president and program manager for enterprise security, global outsourcing and infrastructure services. "IT is there to deliver services to the business, while assessing risk requires a certain due diligence that's strategically focused on the business."

Learn more in the full article, "Risk management staffing isn't always part of IT." Also:

  • A booming job market means headaches for CIOs
    New research shows that IT salaries are growing at a faster rate than any time this decade. With a shrinking talent pool and expanding headcounts, CIOs are scrambling to hire new staff and to hold on to those they already have.
  • CIOs bullish on Q1 hiring
    Experts predict that IT hiring will show solid growth in 2007 and CIOs will work especially hard to keep good workers.
  CISO: The Technology Sheriff

As a midmarket organization grows, the environment gets more complex. Regulators come into the picture. Hackers take dead aim. Perhaps it's time to hire a chief information security officer (CISO). But when does a midmarket company need one? What triggers the need to hire one? The standard answer, of course, is that each company is different. But CISOs and other experts offer some suggestions.

"Our rule of thumb," says John Pescatore, security analyst at Gartner Inc., "is as soon as you need a chief financial officer, you know you need a chief security officer. If your finances are complicated enough to have somebody in charge, then securing your systems and data is complicated enough that somebody has to be in charge."

The size of a company's IT department can also indicate the need for a full-time CISO. "If there are 1,000 employees, there usually is a minimum of a couple dozen IT people," Pescatore says. With that many IT people, "there usually is a complicated enough IT structure that a chief security officer is needed," he adds.

Learn more in the full article, "CISO: The Technology Sheriff." Also:

  • Security management: Special Report for CIOs
    Information security managers and CIOs must know how to deal with attacks and they must have risk management plans in place. Learn more in this Special Report.
  • CIOs not making time for business continuity planning
    Company culture and lack of management support are preventing many firms from planning for downtime or disaster.
  Risk management: Policy first, technology second

NEW ORLEANS -- Security and compliance needs are driving improvements in technologies such as identity management and content monitoring. But too many businesses are relying on technology rather than policy to deal with risk management issues.

"I get calls all the time from companies who want to know what technology they should buy," said Paul Proctor, research vice president at Stamford, Conn.-based Gartner Inc. "I always ask first, 'What value are you trying to achieve?' You have to start with a policy."

The primary objective of a compliance audit, Proctor said, is to confirm you have the right controls in place and that you've anticipated risk.

Technology is not the answer, however, warned Proctor, who shared the stage with analyst Mark Nicolett at Gartner's Compliance and Risk Management Summit Wednesday. Indeed, if an auditor finds fault with your controls, it will more likely be due to your failure to implement policy or process, not because you chose the wrong technology, they said.

"A risk assessment is a key driver in figuring out what you need to do and where you should be spending your money," he said. At the end of the day, the auditor wants to know if you've taken "due care" -- have you done at least what your peers are doing?

Learn more in the full article, "Risk management: Policy first, technology second." Also:

  • Enterprise risk management for CIOs
    Risk management is critical for enterprises embarking on new IT projects and plans. Take a look at these resources for insights and advice on risk management.
  • Tips for building a cost-effective risk management plan
    In this podcast, our expert will offer tips for successfully presenting your CEO with a cost-justified risk management plan.
  Steps to institutionalizing compliance

Federal regulators and Congress have enacted more than 114,000 business governance rules and regulations over the past quarter century. Of course, no company has to comply with all of those regulations, but many certainly are applicable. And when global regulations are taken into consideration for companies with an international presence, the onus of compliance can be heavy indeed.

The Sarbanes-Oxley Act of 2002 (SOX) brought the issue of compliance to the forefront as affected companies dashed to complete the initial documents to demonstrate compliance. Then, while employees were breathing a collective sigh of relief, the realization hit home that the process would have to be repeated again and again to remain in compliance.

Keys to staying in compliance include creating comprehensive policies around corporate governance, devising systems to share data across compliance documents to avoid duplication of work, establishing clear lines of responsibility so each person knows what data to gather and when, and making those processes part of a company's culture. But many of those policy and procedure changes are easier said than done, so many companies remain in reactive mode, struggling to stay in compliance.

Learn more in the full article, "Steps to institutionalizing compliance." Also:

  • Compliance 2.0: Raising the bar (SearchCIO.com)
    Compliance regulations require CIOs to be more familiar with the law than ever before. This Executive Guide offers tips, news and resources to make the job easier.
  • Sarbanes-Oxley advice for smaller public companies
    Smaller public companies have had more challenges when it comes to preparing for Sarbanes-Oxley. But as of Dec. 15, the SEC will start cracking down. In his latest column, James Champy offers some tips for those trying to do more with less in achieving compliance.
  More resources for CIOs