The sudden death this March of Wall St. firm Bear Stearns & Co., buried under the avalanche of the subprime mortgage crisis,
pushed many IT people out of their jobs, including Jennifer Bayuk, the chief information security officer (CISO) there.
Bayuk, who spent 10 years with Bear Stearns and is now an independent IT security consultant, speaks with Network World Senior Editor Ellen Messmer about that upheaval—and what’s wrong with security compliance practices today.
What was it like in the middle of the collapse at Bear Stearns, which was swallowed up by JPMorgan Chase at a bargain-basement price?
There were some openings at JPMorgan Chase, but a lot of the internal audit, legal and information security didn’t need to be duplicated. I was too high-level to be absorbed. But everyone who departed got a severance package based on their tenure at Bear Stearns. And JPMorgan is helping with job placement and allowing use of an office in New York.
Are you going back into the financial sector?
It’s more appealing to be an independent consultant at this point.
Your experience not only with Bear Stearns, but with AT&T, has earned you wide respect. In the keynote address you gave at the recent SIFMA Conference, you used the time to basically diagnose what you think is wrong with the way security compliance is conducted today. So what is so wrong?
Regulators are asking the security people to meet compliance. Security people are devising programs in which they ask vendors, such as third-party service providers, to provide assurances about security to meet compliance. But there aren’t enough audit and security professionals in the world. There aren’t enough experts to know if something is being done right. So they fall back on checklists to pass regulatory exams.
So what happens in this circumstance?
Instead of examining business processes, the method of achieving ‘due diligence’ is simply to do what everyone else is doing. There’s a growing group of managers called ‘risk managers’ to decide if risk exists or not without ever understanding the underlying technology. Legal is very much involved in this. So vendors must submit these checklists.
What’s the point of these checklists?
If you can hold someone accountable, you can sue them. You can go back later and say, you said you did this.
So if that’s one way this whole system of compliance has evolved, what could be done to improve it?
Vendors who have data should come up with a way to prove they’re secure. If the vendor has evidence readily available, you don’t need to have staff go out there.
That sounds like self-assessment, and some people roll their eyes at that thought.
There has to be evidence of independence on the side of the assessor. And things are constantly changing. When you have a regulatory audit, where tests are done, you should be able to use that as evidence. The independent source of assessment I’m thinking about really doesn’t exist right now, but it should.