Las Vegas played host to this year’s Information Risk and Security Management Conference, held at the world-famous Caesars Palace Resort and Casino in September, and SD&I got a chance to get technical with one of its educational session speakers, John Pironti, chief information risk strategist at Archer Technologies, Overland Park, Kan. Created by ISACA (previously known as the Information Systems Audit and Control Association), a global organization for information governance, control, security and audit professionals, the conference addresses a number of issues pertaining to information security, including network security, information security management and risk management.
What are some main points you wanted your audience to walk away with during your session on Transforming Information Security to Information Risk Management at the conference this past September?
Pironti: The concept of the session was to really start evolving the conversation of Information Security to be one of Information Risk Management. In the new discussions, we use information security as an element of information risk management. So we really start having the “risk” conversation instead of having the security conversation. What we’re trying to do is get the security professionals to move away from being a technically focused and reactive engine in conversation to more of a business-aligned and proactive conversation.
Do you think that this is something that will improve the relationship between the security and IT side?
Pironti: Absolutely. For many years, we’ve spoken in the security community about the idea that we want to be more business friendly, but we have not acted in that way. We still look to the technology to solve the problem more than to say ‘what is the problem we’re trying to solve?’ And typically the problem that the security community is trying to solve is the latest exploit or attack or hacker activity going on, where the business may look at this and say ‘that’s not as important to us as it is to you.’ Because when you have a risk management conversation, you assume that there are challenges; you assume that there are potential possibilities of bad things happening like that, and you develop a posture and a profile that is what your tolerance is for that to happen. And then you use security as your tool to meet that profile and decide I need to secure this risk level in order to meet this risk profile.
What are some of the responsibilities that an IT person and integrator should have individually when working on a project?
Pironti: It really has to be a cohesive conversation between the two groups. Instead of having an integrator or the IT group coming in and being an authoritative source that says ‘you shall do it this way’ it has to be a relationship where both come together and say: what can you do and what can I expect of you?
What are two relevant and important topics for those seeking IP and IT training?
Pironti: The one thing that we’ve really come to realize in the IT and IP world, is that education is really the key to success. The users are our first line of defense, our greatest advocate and our greatest critic. A lot of what I like to do is bring these populations into business classes 101— take them out of their comfort zone. A lot of IT people will tell you ‘I didn’t go to business school because I wanted to be an IT person, I wanted to be a technician.’ My view is ‘how can I operate technology well if I don’t understand the goals of the business properly?’
Finding a Meeting Ground Between IP and IT
One of the fastest-growing technologies in the security industry today is IP. As organizations evolve from traditional closed systems to the more powerful integrated IP systems, they need highly qualified professionals who can design, install and support these networked solutions. More specifically, the security industry needs training in IP and convergence, the bringing together of the traditional models with the more sophisticated technology models. There are many topics that should be of interest to those seeking IP and IT training. In the broadest sense, the two most important topics are probably basic networking and IP video. But when we dig a little deeper into the topics necessary to have a strong command of IP, there are numerous items that one must make sure their training program covers. These include, but are not limited to, proprietary and converged networks, the OSI model, protocols such as TCP, IP, UDP and SNMP, network administration, operating systems, databases, security applications, SDKs and APIs, security integration and ID management.
The most robust training will also cover integration and project management, including logical access control integration; visitor management; digital video management; security integration toolkits; project management philosophies; auditing, facilitation and project planning; and even ROI and cost justification. Topics such as these bring the application of IT training to the security project full circle and make technical topics more understandable by applying them to real-world scenarios in the industry.
Connie Moorhead is the President of The CMOOR Group and founder of SecurityCEU.com based in Louisville, Ky.