How do you explain your job to non-technical people?
As the IT compliance officer, I am responsible for monitoring California State Automobile Association's (CSAA) systems to ensure that we are protecting our members' confidential information. For CSAA, this means following and, in many cases, going beyond the requirements of various government and industry regulations.
For what would you use a magic IT security wand?
I would like to have a magic wand that I could wave when we encounter new requirements or technology where we lack information, training or experience. Continuously evolving security requirements and IT tools challenge us as security practitioners. As business managers, we know that knowledge and experience are costly and can take time to develop.
What do you think is dangerously ignored?
There are collections of information about each of us. For too many organizations, the protection of this data is still considered second to the business goals.
What's your information security dream job?
It is managing a security team that empowers the rest of the organization to perform their work effectively and securely, but that isn't a dream for me.
Regulatory changes will continue to push organizations to take actions to protect their data assets. Initiatives like the PCI regulations will continue to challenge us to evolve our protections to meet this specific requirement. The National Association of Insurance Commissioners (NAIC) mandating Sarbanes-Oxley compliance for all insurance companies will have an impact on that industry segment. State regulations will continue to expand the requirements of data protection, following the lead of California, but each with their own twist.
What part of your job makes you most proud?
While other organizations may work hard to minimize the level of effort required to protect customer data, at CSAA we take it very seriously. The first of CSAA's seven values is "members first" and our data protection efforts are tied to that value. We have excellent support from management at all levels. It makes it easy to come to work every morning knowing that you are doing something good and that you have the support required to make it happen.
How did you get interested in information security?
I worked in a service company that managed customer databases for many large corporations. Protection of these data assets was critical to our customers. We made security a prominent part of the product, one that differentiated us from our competitors. This led to a separate function to manage security and I led that team.