Takeaways from the CISO Roundtable

Pravin Kothari

I hope everyone had a restful long weekend.

Two weeks ago, while in Washington DC, I also attended a CISO Roundtable event we jointly sponsored with Accenture. The topic was “A Risk Based Approach to Building a GRC and Security Program”. Distinguished speakers included:

  • Bob West, Founder and CEO of Echelon One and former CISO at Fifth Third Bank
  • Scott Charbo, Vice President at Accenture and former CIO at Department of Homeland Security
  • Mark Lockareff, President and CEO of Agiliance

It was a lively discussion among CISOs of various organizations. Bob led off by talking about how risk is the new language the CISO must learn to speak in order to bridge the traditional communication gap between the CISO and the other business CxOs. Scott talked about how to effectively measure risk in a large and complex organization, and introduced the intriguing concept of measuring “flow”. Mark talked about how Continuous Assessment can take an organization from today’s compliance-centric process to a risk-based process in the future. Many interesting concepts were discussed, and I will attempt to summarize some of the more thought-provoking points in future blogs.

Some of the clear themes that came out of the discussion:

  • Automation is no longer a nice-to-have: This theme from our Advisory Board was clearly echoed by the CISO Roundtable attendees. The CISO of a major federal agency commented that the compliance burden on CIOs and CISOs is so heavy, and increasing so quickly, that if her department does not invest in GRC automation technology immediately, her organization will be unable to keep up with all the new compliance and risk management requirements that are still emerging.
  • Being compliant is no longer sufficient: The CIO/CISO community has now clearly realized that just being compliant is no longer enough. A paper exercise does the organization no good when it comes to managing risks and threats. The new mandate is all about continuous risk management. CISOs are asked to prioritize and concentrate their resources on the most critical assets, and risk management is the discipline that helps set that priority.
  • New risks are being introduced faster than ever: One of the main challenges these CISOs face is simply keeping up with the new risks and threats being introduced by new technologies and ever more sophisticated adversaries. Mobile devices, P2P technologies, social media, more complex software, social engineering and fraud techniques are introducing new risks to the enterprise from every angle. Protecting sensitive data and privacy across all of these channels of exposure is taxing. Just understanding and inventorying the risk exposures being introduced in a complex organization will require continuous monitoring technology.

It was great to see that the security leadership of the attending organizations is very much at the leading edge in understanding what the exposures are and what they must do to address current and emerging threats. As always, whether awareness and understanding translate into effective execution is a whole different issue. If you don’t see the problem, you can’t address the problem. It’s good to see that at least the problem is well understood and has received a high level of priority from the leadership community.
