Here's a piece I wrote for Optimize a few months ago.
Constant threats to our business have changed the way we prioritize security and risk management at WesCorp, the largest corporate credit union in the United States with $25 billion in assets and $650 million in annual revenue.
As chief information security officer (CISO) and director of enterprise security services, my role is to embed security into WesCorp's operations. The company's goal is to use rational information risk management to help solve business problems, provide secure business operations, and protect our clients' data.
We've developed a business-focused "reduction of risk on investment" approach. Because it's difficult to consistently attach a specific monetary value to information assets and to assess an ROI for security initiatives, we focus on reducing risk exposure and avoiding costs by implementing the appropriate security measures.
To effectively prioritize our risks, WesCorp aligns with the company's strategic initiatives. It's crucial to clearly understand what's important from a critical operational-impact viewpoint. This must be done from both technical and business perspectives.
WesCorp uses the OCTAVE framework, developed by the Carnegie Mellon Software Engineering Institute, to facilitate our information risk-management process. Specifically, risk is defined, prioritized, and managed based on the combined flow of data from risk assessment, business continuity, vulnerability management, threat analytics, and regulatory-compliance initiatives. These elements provide meaningful data that lets the company understand where it may be vulnerable, what mitigating controls are in place, and its overall risk and security posture. This approach lets us effectively communicate to management, regulators, and customers how we manage risk across the enterprise.
Three recent security initiatives illustrate how we've reduced risk through better network and security life-cycle management.
For some time, we've all been warned that the network perimeter is dead because of the increasing number of access points for mobile workers, vendor collaborations, and business partners. We suggest that the perimeter is, in fact, multiplying, though the diameter of each perimeter is collapsing. As technology gains additional footholds throughout the enterprise, thousands of firewall-like solutions are needed to patrol and monitor access points. The challenge is to provide network security while allowing the free flow of information and, therefore, business as usual. The tactical security implementations necessary for a growing network have traditionally been expensive and difficult to manage.
Our strategy involves segmenting the internal network into multiple networks grouped by asset criticality, role, and function. This provides quarantine and containment to prevent the spread of attacks. By layering virtual security services on the network infrastructure, we can efficiently mitigate vulnerabilities while guaranteeing firewall, intrusion-detection and -prevention, virus-protection, caching, and proxy services. This network-security approach is aligned with how the business units are structured. Instead of deploying 30 separate devices, we've consolidated our hardware platforms into a single solution with the help of Crossbeam Systems Inc. and other vendors to recoup $1.2 million in savings.
Another security initiative involves vulnerability management. Vigilance is necessary to identify and isolate threats in the enterprise, yet the process of assigning vulnerability-management and remediation activities can slow the ability to act defensively and decisively, thereby increasing risk. We've set up intelligence tools to identify direct attacks in near-real time using streamlined processes.
Using a risk-management and threat-analytics solution from Skybox Security Inc., we set up a virtualized representation of the enterprise and incorporated business-impact analysis and risk-assessment metrics into our overall vulnerability-management approach.
Finally, while we developed strategies for managing data access and reducing business risk, our concerns turned to what happens to data after it's accessed. We needed to focus on providing real-time, ongoing database management, specifically to understand and monitor privileges, system and user behavior, metadata integrity, and the types of content accessed.
With the help of IPLocks Inc., we can assess the risk to critical data warehouses across our enterprise and integrate security life-cycle process improvements from the bottom up. This allows for greater effectiveness in curtailing abuse, fraud, and potential breaches.
Projects also must provide efficiency improvements or defensive-positioning capabilities against competitors or market forces, or demonstrate that they enable a business unit to achieve goals that contribute to the success of the mission.
Senior-level sponsorship is key, as well.
WesCorp has an executive-chartered operational risk-management committee comprising senior staff from across all lines of business, including the CIO, as well as representatives from our internal audit and enterprise security-services teams. The committee provides oversight and governance for our initiatives and allows for clear definitions and actionable execution of our security and risk-management efforts.
I report up through the VP of IT to the CIO, who ultimately reports to the chief operating officer/CFO. I also have dotted-line relationships to various executive committees and councils, enabling our security and risk-management framework to be executed unencumbered.
Compliance is a big driver of all our security and risk efforts. WesCorp, though not a public company, is heavily regulated like financial-services companies. We strive to demonstrate our compliance and communicate the effectiveness of our actions. Unlike many financial-services companies, however, we view regulatory compliance as a functional byproduct of our risk-management efforts; a properly defined and executed strategy goes beyond compliance and implements business improvements. We can use the best practices of compliance requirements as guidelines to estimate how well we're managing our tasks.
Critical to our overall security and risk-management strategy is effective communication with business units. The model we've adopted calls for an integrated team approach between the traditionally separate IT and security functions. Because we're mutually invested in each other's successes, we have a much easier time reengineering our business processes and implementing technology. We also have dedicated business-relationship managers who facilitate smooth communication between the business units and IT.
Security is evolving from a technology function to a core business function because enterprises realize that a focus on the execution of business goals means survival. Those that don't have such a focus will see a further erosion of their credibility and relevance. Risk management requires common sense and protecting the right things for the right reasons; it demands basic business knowledge and sound judgment. Focusing solely on technology is myopic and dangerous. Businesses that successfully manage risk are willing to think like an entrepreneur and manage people, processes, and technology to a leveraged advantage to reduce risk.
The security breaches at ChoicePoint and Lexis-Nexis have reinforced the relevance, necessity, and effectiveness of our security and risk-management efforts. These catalytic events have galvanized us to evaluate our program and raise awareness globally across all lines of business. People who might otherwise not be in touch with risk-management programs can quickly reassess and determine that security is fundamental to business.
By integrating security and risk directly into business processes, we gain a competitive advantage. Because the business decides what our priorities are or should be, the strategies we champion are automatically aligned with the business as a whole. It's a common-sense approach that affords uncommon comfort and security in an increasingly at-risk business world.