Nature of the beast, if not the nature of the task at large... two persons besides the one who has final say should be at IT, so that at any hour, year-round... if only because someone gets sick or has a flat... not everyone lives on the premises... and you can't do everything from home no matter how multi-linked you are... certain decisions must be executed from the frontline... especially if you have to flush all for very few givable reasons. For a smaller org it will have to be shared title & actions... Heum, there goes Bill with Superman & Ultraman... ooppss... no Kryptonite around...
As a CSO, I can definitely identify with your article but a lot of my work is also about adjudicating between the balance of business needs and security needs. But a CSO provides me.
The viruses and vulnerability alerts continue to bombard us on a daily basis. Somebody has to ensure that the people developing the new systems and managing the production systems are going to take more action than just reading it and/or sending it to the trashcan. In the environment that I am responsible for, there are a multitude of production server platforms, with new systems being placed on the WAN all the time, and multiple extranets. The new attacks are more sophisticated and impact multiple technologies. Many IT organizations have different groups for the different technologies and IT functions. To have a consistent security stance, you need a single focal point that understands the impact to the business and the technologies.
Then comes compliance, security awareness, certification, processes, procedures (in all areas of your IT lifecycle), standards and guidelines. Who manages your CIRT? How do you handle investigations, privacy, vulnerability and penetration tests, and intrusion detection systems?
In the end, if that proverbial CEO wants to sleep at night, they need to be assured that somebody is watching their security back. Their need is an identified business focal point for security. In today's global 24x7 business world, security is a critical business function that should not be relegated to the bottom of the business decision tree but embraced as both a protector and enabler of business. A lot of organizations are spending money in a knee-jerk reaction to security incidents. Centuries of business have shown that this is an inefficient approach; you need to plan. That's what a CSO brings to the table. They understand security, business, budgets, and operations.
I work in the healthcare industry (Nursing Homes) and with the new HIPAA regulations, most Nursing Home Companies will have to have a CSO just to keep abreast of the regulations that are coming out. I was looking at one summary of the regulations that pertain to IT under HIPAA that was over 70 pages long. With a CSO, who will know if all your facilities are compliant? What has to be done to reach compliance? I think it is a field/position that has some real potential for job growth and job security (no pun intended).
The Healthcare Insurance Portability and Accessibility Act (HIPAA) of 1996 (which is still not yet in full force) required the appointment of a Security Officer in the preliminary draft of the Information Security regs.
However, now, six years later we are still awaiting the final Info Sec regs. Most cheap hospitals (sorry for being redundant) appear to have made a decision not to hire a Security Officer until the day the regs are due to go into full effect. Not my idea of "planning ahead", but I am not at the level to be making those decisions. I am a "lowly" senior IT Auditor (with 15 years experience), or so they think.
Delaying the hiring of a Security Officer will dramatically increase the long term cost of security. Unfortunately management has no "vision". For that they will pay a high price.
I did IT Audit for a dozen years in Banking. They almost always had a Security Dept. The four healthcare CIOs I now deal with look at me dumbfounded when I tell them that. Only one has dedicated Info Sec people. One has assigned it to the Network Services Director, two seem to hope it will kind of take care of itself. "After all, Roger, you don't know how tight my budget is". I just point it out in my audit reports and walk away.
Bottom line, security is radically different by industry. Healthcare is probably the worst.
Any challengers?
Roger T.