CISOs at top firms relay security investment strategies
Security leaders from Global 1000 enterprises shared their insights in a report.
Security leaders from the world's largest global companies teamed up to share technology investment strategies with the community.
On Monday, RSA released a report (PDF) that compiled the insight of 18 CISOs and security execs at firms such as Coca-Cola, Walmart, Intel, eBay and JPMorgan Chase.
The 20-page report, called “Transforming Information Security: Focusing on Strategic Technologies,” offered three key recommendations to fellow security pros as they plan investments to secure their infrastructure. The 18-member Security for Business Innovation Council (SBIC) authored the findings.
In the report, contributors – which included Coca-Cola CISO Renee Guttmann, FedEx CISO Denise Wood, JPMorgan Chase Chief Information Risk Officer Anish Bhimani and EMC's Vice President and CSO Dave Martin – advised that companies look ahead at least three years when creating a game plan for security investments, and that professionals enhance their assets by integrating technologies in use.
To the latter point, security leaders said that cutting-edge technologies (such as big data analytics, security intelligence platforms and governance, risk and compliance (GRC) management tools) could help security teams better see the “bigger picture,” when used collaboratively.
Lastly, the report recommended that organizations maximize the value of their current investments by formalizing their deployment efforts. In doing so, companies can better estimate operational costs and enhance management capabilities, including security tool maintenance and monitoring, the report said.
In a Tuesday interview with SCMagazine.com, Amit Yoran, senior vice president of RSA, addressed the council's recommendation for a three-year rolling plan at firms when determining needed technology capabilities.
“That's a real challenge for a number of CISOs that have gone up through the security ranks,” Yoran said, speaking of efforts to forecast organizational threats and needs. “They tend to get bogged down in the daily execution of tasks, since there's so much crises going on. There's always a new exploit or escalation [issue] or problem to contend with,” he said.
Yoran later added that, overall, the report's recommendations center on building a multifaceted security program.
“There is definitely a very strong, mutual dependence on the people, process and technology,” Yoran said of successful programs. He noted that technology can serve as a means of reinforcing these enterprise assets.
“You definitely have to have a security program that can execute along all those dimensions,” he said. “We ought to make sure that our companies utilize technologies that optimize the process and enable our people.”