CISOs of global firms offer insight on effective security programs

CISOs and security execs at some of the world's most well-known companies have provided recommendations to help enhance organizations' security programs.

On Tuesday, the Security for Business Innovation Council (SBIC) released a report (PDF) detailing the suggestions. The council consists of 19 security leaders, including Coca-Cola CISO Renee Guttmann, FedEx CISO Denise Wood, JPMorgan Chase Chief Information Risk Officer Anish Bhimani and EMC's Vice President and CSO Dave Martin.

The execs made five central recommendations in the 16-page report, one being that organizations should shift focus from technical assets, like servers and applications, to include critical business processes that involve the “bigger picture perspective” of how information is used to conduct day-to-day operations, the report said.

In addition, the council advised enterprises to define detailed risk scenarios and estimate the business impact of security incidents.

Other recommendations were to develop “informed data collection methods,” as well as a strategy for collecting relevant data for evidence-based controls assurance.

The council also challenged organizations to implement risk assessment processes that involve shifting to more automated tools for “tracking information risks as they are identified, evaluated, accepted, or remediated” to accelerate decision-making.

Sam Curry, chief strategy officer and chief technologist at RSA, EMC's security division, told SCMagazine.com that, in order for IT leaders to move security programs forward, they must hold a strong interest not only in IT operations, but in their company culture itself.

“This means that the security department needs to learn that they aren't just IT members that work for an insurance company [for instance],” Curry said. “They need to be able to show that they are just as responsible at managing themselves and that they speak the language of the company.”

Curry also emphasized a recurring theme throughout the report, which advises organizations to use success-based risk remediation, which takes into consideration the risks taken on by companies weighed against the “reward,” or business gains allowed by lowered security controls.

The chief technologist added that many companies focus on buying security tools as they begin to build out their security programs, bringing to light the question of quality over quantity.

“The key, when you start managing risk, is that the business becomes more mature and you start investing in tools that are more intelligent,” he said.
