Las Vegas played host to this year’s Information Risk and Security Management Conference, held at the world-famous Caesars Palace Resort and Casino in September, and SD&I got a chance to get technical with one of its educational session speakers, John Pironti, chief information risk strategist, Archer Technologies, Overland Park, Kan. Created by ISACA (previously known as the Information Systems Audit and Control Association), a global organization for information governance, control, security and audit professionals, the conference addresses a number of issues pertaining to information security, including network security, information security management and risk management.
What are some main points you wanted your audience to walk away with during your session, “Transforming Information Security to Information Risk Management,” at the conference this past September?
Pironti: The concept of the session was to really start evolving the conversation of information security to be one of information risk management. In the new discussions, we use information security as an element of information risk management. So we really start having the “risk” conversation instead of having the security conversation. What we’re trying to do is get the security professionals to move away from being a technically focused and reactive engine in the conversation to more of a business-aligned and proactive conversation.
Do you think that this is something that will improve the relationship between the security and IT side?
Pironti: Absolutely. For many years, we in the security community have spoken about the idea that we want to be more business friendly, but we have not acted in that way. We still look to the technology to solve the problem more than to say, ‘What is the problem we’re trying to solve?’ And typically the problem that the security community is trying to solve is the latest exploit or attack or hacker activity going on, where the business may look at this and say, ‘That’s not as important to us as it is to you.’ Because when you have a risk management conversation, you assume that there are challenges; you assume that there is the potential for bad things like that happening, and you develop a posture and a profile that is your tolerance for that to happen. And then you use security as your tool to meet that profile and decide, ‘I need to secure to this risk level in order to meet this risk profile.’
What are some of the responsibilities that an IT person and integrator should have individually when working on a project?
Pironti: It really has to be a cohesive conversation between the two groups. Instead of having an integrator or the IT group come in and be an authoritative source that says, ‘You shall do it this way,’ it has to be a relationship where both come together and say: What can you do, and what can I expect of you?
What are two relevant and important topics for those seeking IP and IT training?
Pironti: The one thing that we’ve really come to realize in the IT and IP world is that education is really the key to success. The users are our first line of defense, our greatest advocate and our greatest critic. A lot of what I like to do is bring these populations into business classes 101, take them out of their comfort zone. A lot of IT people will tell you, ‘I didn’t go to business school because I wanted to be an IT person; I wanted to be a technician.’ My view is, ‘How can I operate technology well if I don’t understand the goals of the business properly?’
Finding a Meeting Ground Between IP and IT