Jose Granado has been involved in information technology and security for more than 20 years in both the private and public sectors. Now the Security Service Line Leader for Ernst & Young’s Americas region, his focus areas include information security, advanced security centers and information technology effectiveness.
The firm just released its annual survey dedicated to the global information security sector. Having surveyed more than 1,400 customers, Ernst & Young queried them on issues ranging from moving their security programs beyond just being compliant to implementing programs to protect corporate branding and reputation in a threat-filled environment.
The study indicates that most U.S. companies really don’t have a very good handle on how to advance beyond basic compliance when it comes to protecting their precious information data resources. Is this a case of being overmatched, understaffed or ill-informed?
“I believe that many security organizations within U.S. companies are having compliance requirements drive their IT strategy, instead of compliance becoming a natural by-product of an overall robust IT security program,” Granado says. “Understand your company’s goals and needs, aim to be secure and you will be compliant.
“IT is constantly struggling to demonstrate measurable ROI to the business and IT security is not any different. IT security programs and initiatives that help enable a business process in a secure fashion will quickly gain business sponsorship and support,” he continues. “Thinking innovatively to support new business needs will generate demand for ‘out of the box’ thinking and allow the security group to employ techniques across the enterprise beyond basic compliance. Business imperatives drive innovation — which can then be applied across the entire enterprise as appropriate.”
With the convergence of physical and logical security becoming the norm in many top companies, Granado confided that security managers must assume a fresh perspective in this new risk environment. “On the IT side, the security manager needs to step outside of his/her comfort zone and think in terms of the ‘data’ itself — not just the network, firewall or the server,” he says. “This means developing a data protection strategy around endpoint devices (such as laptops and PDAs). There is also a strong awareness component that involves training users on safely handling data in whatever form it resides (electronic files, paper, etc.) as well as properly disposing of that data. An understanding in good communication security practices — especially when out in public places — also contributes to a sound security program.
“On the physical security side, security managers need to consider how technology could enhance physical security initiatives and enable new security processes,” Granado continues. “When integrating both physical and IT security responsibilities, the security manager actually becomes an Asset Protection Manager with people, information, facilities, product and brand as the corporate assets that are being protected. Developing a holistic and integrated protection view on these corporate assets — especially in a global environment — will help minimize risk to the organization.”
Because of increased globalization and compliance issues creating new challenges, it is interesting to note that 70 percent of the survey respondents said they were incorporating information security standards into their enterprise risk plan.
“Performing an annual comprehensive assessment that takes into account financial, political, government and cultural risks is critical in understanding the company’s threat exposure in a specific geography, as well as helping determine the overall threat level globally,” Granado says. “This assessment should drive global resource and technology requirements to implement a global security program. Establishing a network of relationships with key local officials, vendors, etc., is critical in trying to stay ahead of pending activities that could impact IT security posture.”
If you have any questions or comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at email@example.com