Evolved Role of the Information Security Professional

Posted on 13-Dec-2014


The Information Security Profession: Today and Beyond

Presented by: Kelly Manthey

Partner

www.solstice-consulting.com

Date: May 18th 2010

Objectives

• Introduction

• Review the traditional roles of Information Security and Compliance professions and where they intersect

• A perspective on the common pitfalls of the Information Security profession and how to evolve

Traditional View of Information Security

• Aligned with technology

• Reviews, consults, tests, and monitors the security position of the company’s technology

• Concerned with the confidentiality, integrity and availability of data

• Operational focus

• Focus on audit requirements

What is an Information Security Professional?

In simple terms…

• Keep the bad guys out

• Let the trusted guys in

• Give trusted guys access to what they are authorized to access

Layers of the Profession

• CISO, CSO, GRC

• Managers

• Operational Security

The Compliance Professional

• Concerned with aligning business operations to meet the laws and regulations

• Critical success factors – trust and ethics

The Facets of the Compliance Role

• Enforcement

• Monitoring

• Policies

• Education

Successful Compliance Professionals…

• Embed compliance into the day-to-day operation of a company

• Remove ambiguity

• Communicate and educate

• Are seasoned employees with experience in the company

• Drive executive accountability

Intersection of Roles

• Both assess risk

• Concerned with data integrity

• Carry a compliance message to the organization

• Create policies and requirements

• Seeking to align accountability with business process

4 Common Pitfalls in today’s Information Security Dept.

• Relying on technology to make you compliant

• Technology control focus and not enough business focus

• “Us” and “Them” mentality

• Getting further upstream

Qualities of the “New” Information Security Leader

• Less focus on the 1’s and 0’s, more on business drivers

• More business focus

• Aligns goals with the business

• Asks “Why”

• Plays an active part in defining the solution, doesn’t just implement

• Speaks in terms the business understands

• Breaks down the technical speak; knows how to make capabilities relevant to non-technical people

• Communication skills

• A keen understanding for how to demonstrate data integrity

• Sees the IS function as a differentiator for competitive advantage

• Focuses on balancing tactical problem solving with business priorities and company culture

• Less checking the box, more business enablement

• Less CYA

Developing the New Information Security Leader

• Evangelize within your company

• Be inclusive and collaborative; get to know your Audit and Compliance peers, and consider their input as part of developing solutions

• Interact with your peers at other companies

• Seek industry insight and stay current through professional development resources

• Use your vendors as a resource

Why Evolve?

• Because it’s a different world today

• Criminals are smarter (and less assuming)

• Threats have evolved, are greater, the impact is more severe

• Customer perception; company reputation

Why Evolve? - Business Realities

Security Breaches

Enterprise Re-Orgs

Mergers and Acquisitions

Regulatory Expectations

Auditors

Economic Realities

Technology Evolution

Partnership and cross-functional collaboration required to thrive

How to Evolve

• Don’t just implement; educate!

• Security, Compliance, and Audit functions working together toward common goals

• Communication, Communication, Communication

• Hire the right talent: capable, adaptable, collaborative, objective thinking

• Lead by example with passion

• Be proactive: seek insight, knowledge, and new perspectives

Follow-ups:

Kelly Manthey, kmanthey@solstice-consulting.com

Blog: http://mantheyblog.solstice-consulting.com/

Twitter: @kmanthey

Other Thought Leadership:

• www.solstice-consulting.com

• CIO.com Blog: http://advice.cio.com/user/solstice_consulting/track

Follow us on Facebook and Twitter:

• Twitter: http://twitter.com/solsticellc

• Facebook: http://www.facebook.com/solsticeconsulting