Expanding roles for the CISO
Jackie Bassett and Daniel Rothman's book worth reading
Security Strategies Alert
By
M. E. Kabay
,
Network World
, 05/20/2008
Sign up for this newsletter now!
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
- Share/Email
- Tweet This
- Print
In this series of three columns, I'm reviewing and commenting on ideas in A Seat at the Table for CEOs and CSOs: Driving Profits, Corporate Performance and Business Agility by Jackie Bassett and Daniel Rothman and edited by Raquel Filipek. Today I'll finish with a brief summary of the rest of
the book, although I think I could write another six or seven columns on it if that wouldn't give my editor apoplexy!
Chapter 2, “Show Me the Money,” makes the point that security problems should be treated with urgency at the strategic level, not just as tactical glitches that can be relegated to low-level staff as minor details. “Because a security breach
represents an underlying revenue and profitability problem that has gone undetected, preventing a security breach should be
managed with the same level of urgency.”
The authors argue that identity management should not be seen as a nuisance: identity management can be a key to effective
knowledge management about customers and competitors. For example, “When new customers are integrated into a company’s business
processes seamlessly, the results translate into improved cash flows from revenues that are identified sooner and higher levels
of customers satisfaction.”
Inefficient, drawn-out assignment of unique, trackable identifiers “also gives the social engineer ample time to troll the
system looking for an opportunity to exploit a weakness or even get signed up as a new customer” and then penetrate defenses
through further social engineering. Good identity management can also be linked to customer relationship management because
a customer whose access is terminated can be identified immediately to the VP of sales for analysis and possible recovery.
Chapter 3, “Customer-centric Innovation,” includes several interesting examples of how improved security and greater integration
of the CISO can support strategic planning of the sales function.
Chapter 4, “Security as a Catalyst for Innovation,” continues the theme with a discussion of the many ways that thinking about
information security supports good application development, improved information management, and more productive knowledge
capture.
Chapter 5, “Maximizing Shareholder Value in an M&A [Merger & Acquisition],” specifically addresses how good security practices
are important for both the purchasing and the acquired organizations. They offer practical questions for boards of directors
and guidance on reading audit reports, including in particular security aspects. They suggest a systematic series of steps
for CISOs when becoming involved with M&As.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comment