Softside of security

Yesterday, PISA invited security experts to have a discussion forum and share the challenges in management IT security. 3 keynotes speakers are coming from banking, telecom and public organization respectively.


Below are the key points of the 2 hours discussions:

Both banking and telecom are highly regulated industries. IT security planning and management are driven by regulators. And both security managers in these industries believe more regulation will come!! Be prepared. But WHY the regulator wants more regulations? (An interesting question although knowing the answer will not stop them)


IT security managers sometimes need to educate business manager about risk and sometimes need to control them. It is a delicate relationship. In other word, IT security manager need to control our customer. The following were shared:

  1. One organization has a security steering committee and it is a collective decision on whether to implement a control. Security manager’s role is to advice and advocate about risk. The decision to venture a risky operation or system does not rest on IT security manager or business manager.
  2. The key point in IT risk management is to deliver the message to the Top Management. In cost conscious economy like now, management attentions are the key. If IT security manager direct report to CEO, meaning by passing CIO, things will be very different.
  3. IT Auditor sometimes is friends to IT security manager as they helps delivery message to the board level and balance the risk control culture.

Comments

Anonymous said…
It is good to get more ideas what CISOs do.

"Aligning with business objective" is readily a challenge. If you believe there is a hole and professionally express your opinion, however, there is a budget and resource problem.

At that moment, you will be just waiting at there. For myself, I will think: That's company is not mine, I have done my best to express my viewpoint. If there is any incidence, their management has accepted it already.

As a CISO, he/she should be very patien....whatever waiting for incidence or acceptance of his/her idea to improve.
1/7/05 01:25
Post a Comment

Popular posts from this blog

Risk on Radio

This morning I joined a talk show on RTHK and discussed risk of usnig credit cards. Media attendtion is high after the recent security breach at Cardsystems. The story was uncovered on 17 June 2005, but after 6 days it is still lingering on. WHY? First, I believe this incident is huge in terms of people affected. 40 million card numbers were lost. Secondly, it was uncovered on SAT. I am not joking. One of my lectures in a Crisis Management class told his student in class that when reporters are hungry for news, even lost of a penny can be headline news. On Saturday, when reporters unable to find new story, a incident like this one will be reported by every newspaper. Back to the talk show, there were few people called in. And one mentioned that when he visited a Indian online shop and was diverted to a HSBC credit card website. This website asked him to enter his personal information like birthday and passport number. He worried this may be fraudulent website and asked for advice. As
Read more

One source of poverty

A study focused on the effects of Wal-Mart stores on poverty rates found that an estimated 20,000 families nationwide have fallen below the official poverty line as a result of the chain's expansion. Although I have not read the whole report nor the article confirmed the research method is scientific, I agree with the author that "found that one of the greatest effects of a Wal-Mart opening is the closing of mom-and-pop-type operations."
Read more

Root Certificate update and software design

Recently, a member of PISA (also called Anthony) noticed that when using HK Post office website, FireFox displayed security warning saying the digital certificate used bu HK Post is invalid. A detailed study by other PISA members showed that the reason HK Post (once is the root CA for HK) used their own root certificate. Root certificates are usually shipped with the browser installation and HK Post digital certificate was not included in their default software package. Hong Kong Post setup a page to teach users on how to add the root certificate to most used browsers . However, how many users know this link, willing to follow or could follow the instructions !! It is quite clear that currently most browsers develop and distributed by US company or US-based community. The interest of adding other root certificates is likely lower than adding new functions. Having said that, FireFox developers have a process to add Root Certificates to their software package, for example this li
Read more