Evolved Role of the Information Security Professional


Page 1

The Information Security Profession: Today and Beyond

Presented by: Kelly Manthey

Partner

www.solstice-consulting.com

Date: May 18th 2010

Page 2

Objectives

• Introduction

• Review the traditional roles of Information Security and Compliance professions and where they intersect

• A perspective on the common pitfalls of the Information Security profession and how to evolve

Page 3

Traditional View of Information Security

• Aligned with technology

• Reviews, consults, tests, and monitors the security position of the company’s technology

• Concerned with the confidentiality, integrity and availability of data

• Operational focus

• Focus on audit requirements

Page 4

What is an Information Security Professional

In simple terms….

• Keep the bad guys out

• Let the trusted guys in

• Give trusted guys access to what they are authorized to access

Layers of the Profession:

• CISO, CSO, GRC

• Managers

• Operational Security

Page 5

The Compliance Professional

• Concerned with aligning business operations to meet the laws and regulations

• Critical success factors – trust and ethics

Page 7

The Facets of the Compliance Role

• Enforcement

• Monitoring

• Policies

• Education

Page 8

Successful Compliance Professionals…..

• Embed compliance into the day-to-day operation of a company

• Remove ambiguity

• Communicate and educate

• Are seasoned employees with experience in the company

• Drive executive accountability

Page 9

Intersection of Roles

• Both assess risk

• Concerned with data integrity

• Carry a compliance message to the organization

• Create policies and requirements

• Seeking to align accountability with business process

Page 10

4 Common Pitfalls in today’s Information Security Dept.

• Relying on technology to make you compliant

• Technology control focus and not enough business focus

• “Us” and “Them” mentality

• Getting further upstream

Page 11

Qualities of the “New” Information Security Leader

• Less focus on the 1’s and 0’s, more on business drivers

• More business focus

• Aligns goals with business

• Asks “Why”

• Plays an active part in defining the solution, doesn’t just implement

• Speaks in terms the business understands

• Breaks down the technical speak; knows how to make capabilities relevant to non-technical people

• Communication skills

• A keen understanding of how to demonstrate data integrity

• Sees the IS function as a differentiator for competitive advantage

• Focuses on balancing tactical problem solving with business priorities and company culture

• Less checking the box, more business enablement

• Less CYA

Page 12

Developing the New Information Security Leader

• Evangelize within your company

• Be inclusive & collaborative; get to know your Audit and Compliance peers; consider their input as part of developing solutions

• Interact with your peers at other companies

• Seek industry insight and stay current through professional development resources

• Use your vendors as a resource

Page 13

Why Evolve?

• Because it’s a different world today

• Criminals are smarter (and less assuming)

• Threats have evolved, are greater, the impact is more severe

• Customer perception; company reputation

Page 14

Why Evolve? - Business Realities

Security Breaches

Enterprise Re-Orgs

Mergers and Acquisition

Regulatory Expectations

Auditors

Economic Realities

Technology Evolution

Partnership and cross-functional collaboration required to thrive

Page 15

How to Evolve

• Don’t just implement; Educate!

• Security, Compliance, and Audit functions working together toward a common goal

• Communication, Communication, Communication

• Hire the right talent – capable, adaptable, collaborative, objective thinking

• Lead by example with passion

• Be proactive: seek insight, knowledge, and new perspectives

Page 16

Follow-ups…

Kelly Manthey [email protected]

Blog: http://mantheyblog.solstice-consulting.com/

Twitter: @kmanthey

Other Thought Leadership:

• www.solstice-consulting.com

• CIO.com Blog: http://advice.cio.com/user/solstice_consulting/track

Follow us on Facebook and Twitter:

• Twitter: http://twitter.com/solsticellc

• Facebook: http://www.facebook.com/solsticeconsulting