More than 160 senior IT managers and executives gathered at the Piedmont Center in Buckhead Atlanta, GA, for an informative morning of presentations followed by a CIO Panel discussion.
The second presenter was Duane Baldwin, ISG Practice Manager at COMSYS. The subject was Security, Regulatory Requirements and Driving Business Value.
An effective business impact analysis was cited as key to understanding an organization's ability to comply with regulations without negatively impacting the business itself. For effective security and regulatory compliance, an organization must understand what comes in, what goes out, and what happens in between.
It is imperative that an organization “understands what drives the business” in order to reconcile the documented records of a process with the reality of doing business. It is also important, when establishing a case for security or regulatory technical solutions, that the need and the options are stated in business terms: business buy-in to addressing vulnerabilities and threats is essential for the successful implementation of such solutions.
The phrase “variable paranoia” was coined to refer to the level of detail that is appropriate to consider, which varies with the business and the asset at risk.
An anecdotal example was given about an emergency bunker at a chemical plant. The bunker was secured against ingress of toxic substances through the use of a fan system. However, the fan system could be controlled remotely via a modem. The mechanical maintenance system therefore posed a significant vulnerability, since the fans could be stopped or even reversed via the modem, with devastating effects on everyone in the bunker.
In the example above, a small component that appeared far removed from the main site operations and systems turned out to be critical. In an office that processes financial information, the same fan-switch modem may not be significant at all.
Measurement of security effectiveness must also be accounted for. Security solutions must be monitored, and the resulting reports presented in business terms. Security reports should enable the business to focus on what the findings mean to it, since security is an enabler for the business, not the objective.
“The choice of security solution does not matter, if applying it puts the company out of business.”