"I wonder what it would be like to go home at 5 PM today?" says Bruce Coffing, an information security officer responsible for identity and access management at LaSalle Bank, a large Midwestern bank ($113 billion in assets) serving individuals and businesses with over 400 branch locations. He cannot recall the last time he actually left for home on time.
"A bank never sleeps, and the job never finishes," he says.
What Does Security Leadership Entail?
Information Security Media Group (ISMG), publisher of BankInfoSecurity.com and CUInfoSecurity.com, recently posed this and other questions to Debbie Wheeler, Chief Information Security Officer for Fifth Third Bancorp. In her current role she is responsible for establishing policy, standards and governance over the implementation of information security controls and procedures, as well as end-user education and training for the Bancorp. Here are her thoughts on security leadership. Upasana Gupta: What makes a good CISO?
Debbie Wheeler: I believe...
Best Practices for Getting Across the Right Messages
The board members at a financial institution are responsible for oversight and implementation of a sound security program, including setting a cultural value around risk awareness, driving policy and strategy, defining a global risk profile, and creating security initiatives and priorities for the banking organization. They are the people who define and signal what security means to the institution, and as such they have very little time at their disposal for training and education.
Expertise and Interactivity Key to Developing a Collaborative Security Education Program
The perspective on information security changed forever on September 11, 2001. Once a check box on a training attendance sheet or merely a mandatory requirement, security awareness training has today become a hands-on, intensive and integrated program, based on a well-founded training strategy that includes a formal course curriculum together with other learning interventions designed to deliver the appropriate security information and messages to employees at all levels.
Today, the information security field is not just about technology; it is about people and about protecting information wherever it is while still being able to share that information with clients, partners and customers. Given the security challenges organizations face today, more and more employers emphasize the need to hire qualified and certified security professionals. Employees play an integral role in protecting the assets of any organization, and as such they need adequate training: they must possess sound knowledge across broad security areas and disciplines, and be able to apply industry standards and best practices effectively in a given job role and function.
Do you see pieces of paper in your organization with usernames or passwords?
Employees play an integral role in protecting the assets of an institution, and as such need to be adequately trained and made aware of the basic security practices that are frequently overlooked. A set-it-and-forget-it approach to information security ("we're protected because we have a firewall") ignores end users, who, if left untrained, remain the institution's weakest link.
RICHARD SWART: Good to talk to you today. Could you provide us an overview of what’s happening in cyber security education and research in the United States right now? How good of a job are our universities doing? DR. EUGENE SPAFFORD: Overall I think we’re not doing very well. We’re doing better than we were, but there are still a lot of gaps available. This is particularly well stated in a very recent report from the National Research Council that’s entitled “A Safer and More Secure Cyberspace” that was released just about two weeks ago. And their observations echo what has been said in reports and what many of us have been saying for some time: basically we don’t have enough people who are in the pipeline who are learning about cyber security. We don’t have it mainstreamed enough in the regular computing curriculum, and we don’t have the resources in place to really be looking at a broad enough variety of both near-term and long-term issues.
First question we have for you is how is the role of an information security officer evolving and what advice would you give to current security officers or IT professionals who aspire to the ISO role? JOYCE BROCAGLIA: Well, what I can tell you is that in the over two decades I’ve been doing recruiting it certainly is an evolving role. What we’re seeing is that corporate culture has shifted quite a bit from placing a value on information security to valuing information risk, and this is what has caused a large change in the information security officer’s role and it’s forced them to evolve from a purely technologist role to much more of a strategist role.
Omar Herrera: Information Security Personnel in Financial Institutions
Financial institutions have specific requirements for the experience and abilities of their information security personnel. However, it is becoming harder for qualified professionals to satisfy the requirements of these institutions. While information security personnel can be trained in specialized areas of information security, they still need a relevant general information security background and a minimum number of years of experience in the industry.
The focus on information security is not just a passing phase: it has been sustained over the past couple of years, and it continues to grow. So you can now begin to place yourself in a position to become that ideal security professional as this role evolves and expands. This is especially true for banking and financial institutions, where information security plays a critical role: banks are committed to the security of their customers’ financial and personal information, and financial institutions must abide by privacy, customer trust and information security laws and regulations, which have increased significantly in the past 5-6 years. Additionally, the risk of financial loss and security breaches is on the rise, and steps need to be taken to address these very significant security issues plaguing the banking industry partic
Certifications are highly sought after by job seekers and employers. They are a major criterion for hiring qualified security professionals, a practice followed by most companies. The challenge for employers, and the key point, is to understand what a specific certification signifies: whether a certification, along with mastery of key knowledge areas, also tests the practical knowledge of the candidate and his/her ability
John Smith, VP Technical Services at an investment bank, was interviewing a senior information security professional by phone last month, in April 2007. During the phone interview the candidate suddenly asked John to hold because another call was coming through.
A Checklist for Professionals Aspiring to Be Leaders and Security Rock Stars
Love What You Do - Have a passion for information security. Do not get into the field just because the earning potential is high or because your friend is in security.
As an active job seeker you may post your resume on several job boards, providing personal contact information including your social security number and more… and speak with innumerable recruiters about potential job opportunities, revealing still more information about yourself. Chances are you don’t give this everyday job-hunt process a second thought. But someone else may.
ALAN ZAPANTA(ISMG): Now, recently, you have been conducting some compelling research regarding the skill level that the information security industry demands and the current curriculum that many colleges ascribe to. Could you please give us a brief overview? RICHARD SWART: Yes. I did this research in cooperation with the Center for Systems Security and Information Assurance, which is a consortium of about 120 universities mostly on the East Coast. And what we realized was a gap between the expectations of industry in terms of the skill levels that recent graduates should have and the type of training that universities were providing. So we did a parallel set of surveys where we were able to ask specific questions to both industry leaders and to professors to gauge how they were preparing students to enter the information security field and to try to identify where there was a mismatch between what the professors were doing and what the industry needed.
Once an isolated planet, information security has now become a universe in itself! Today, security is acknowledged as an integral component of corporate success, leading to an increase in demand for highly skilled security professionals. A recent study conducted by IDC for the International Information Systems Security Certification Consortium, or (ISC)2, projected that the number of information security professionals worldwide will be 2.1 million in 2008, up from 1.3 million currently. This underscores the urgency and importance of developing a new approach and curriculum for assuring information, based not only on security but also on integrity, relevance, and the other aspects involved in creating a whole new culture of security.
The National Security Agency (NSA), through the National INFOSEC Education and Training Program (NIETP), identifies 75 universities that conform to its standard for acceptable programs in information security today. Criteria for that determination are derived from recommendations of the National Security Telecommunications and Information Systems Security Committee (NSTISSC). Since there are nearly 4,000 institutions of higher education in the United States (NCES, 2002), this is not particularly impressive until you consider that six years ago, less than one percent of US universities offered recognized programs in information security. In that respect, the growth in the number of institutions on the list is amazing progress.