FCW : April 15, 2014
Commentary

Involving the C-suite in risk management

Leaders throughout the organization need to join forces to more systematically and proactively address security threats

JOHN LAINHART AND DAN CHENOK

The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly every day. Once a topic restricted to the IT organization, security is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential.

As with other elements of risk, addressing security requires a broader organizational focus than has been the case in many agencies and enterprises. To rely solely on the CIO to control all security matters is like relying on a single firewall to protect against all types of threats.

Now more than ever, each leader in an enterprise must own a significant stake in securing the data and intellectual capital that flows through an organization. The responsibilities for those security issues overlap organizational boundaries, as does the potential damage if things go wrong. For example, corporate chief marketing officers could find themselves at risk of losing customer trust if security violations result in the loss of personal information.

Therefore, C-suite professionals need to unify their efforts in managing risks and balance responsibilities for combating security risks throughout the organization. Leaders should begin by taking three important steps toward building security intelligence:

1. Get informed. Addressing IT security risk should be part of a larger risk management framework. Such a structured approach to assessing business and IT risks includes identifying key threats and compliance mandates, reviewing existing security risks and challenges, implementing and enforcing risk management processes and common control frameworks, and executing incident management processes when crises occur.

2. Get aligned. Security does not stop at the organization's boundaries. Successful organizations implement and enforce security excellence across the extended enterprise. That means involving key stakeholders, specifically:

• Customers. Organizations must communicate personal information policies, remain transparent and rapidly address privacy breaches.
• Employees. Organizations should set clear security and privacy expectations, provide education to identify and address security risks, and manage the access and use of systems and data.
• Partners. Organizations should work with their partners to develop and implement supply-chain security. They should also report on and manage risks as a normal part of business operations.
• Auditors. Organizations must coordinate with auditors to align enterprise and IT risk, contribute to controls frameworks, and conduct regular reviews of regulatory and enterprise policies.
• Regulators. Organizations must manage regulatory risks, demonstrate compliance with existing regulations, and review and modify existing controls based on changing requirements.

3. Get smart. As public and private enterprises seek to bolster their security defenses, the use of predictive analytics plays an increasingly important role. Such tools support automated risk management processes and sophisticated detection of advanced persistent threats --- critical building blocks for security intelligence. Requirements include the ability to identify previous breach patterns and outside threats to predict potential areas of attack, assess employee behavior to reveal patterns of potential misuse and monitor the external environment for potential security threats.

Security is more than a purely technical issue. It depends on unification and input from multiple C-suite executives who can provide unique perspectives about risk, investment and preventive approaches to security issues.

JOHN LAINHART leads IBM's Public Sector Cybersecurity and Privacy Services, and DAN CHENOK is executive director of the IBM Center for the Business of Government.