Governance is a term increasingly used in financial institutions, as banking/security leaders try to introduce new processes and disciplines to their organizations.
In this exclusive interview, Jennifer Bayuk, an information security specialist and former CISO at Bear Stearns & Co., discusses:
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. The topic today is security governance. We are talking today with Jennifer Bayuk, an Information Security Specialist. Jennifer, thanks so much for joining me today.
JENNIFER BAYUK: You're welcome. I'm happy to be here.
FIELD: Jennifer, just to introduce yourself to our audience, tell us a little bit about yourself, what you have been up to the past several years and what you are doing now.
BAYUK: I am an Information Security Specialist. I was most recently the Chief Information Security Officer at Bear Stearns before it merged with JPMC. My background is mostly technical. I started in Bell Labs looking at security issues and the public switched phone network. From there I went to a rotation in AT&T audit, which led me to Price Waterhouse, and that started my education in the governance and management of security. From there I became head of IT Internal Audit for a financial firm and went back to security because audit, to me, was on the outside looking in, and security management and architecture, which is what I went into when I first joined Bear Stearns, was a much more proactive approach. As different reorganizations and things happened at Bear, I ended up as the Chief Information Security Officer, and now I am an independent consultant. I am still looking at the same types of problems that I looked at as a technologist, architect, auditor and manager, but I am looking at them with an independent eye.
FIELD: Very good. The topic is governance and I wanted to ask you, what does governance mean specifically in the information security context?
BAYUK: It all comes down to the tone being set at the top. You know that is an audit phrase, and it comes from COSO -- the Committee of Sponsoring Organizations of the Treadway Commission -- but it applies nevertheless in the security-specific governance case. The top management of a firm, organization, whatever, has got to endorse, acknowledge and support a security program in such a way that the people who are handling data and responsible for executing procedures and things that contribute to the control, the management control, of the data understand that it is a serious responsibility.
FIELD: Now in your experience Jennifer, what are the key elements that a governance program absolutely needs to have?
BAYUK: Well, I have a lot of different publications that keep coming back to the six key elements of any kind of security governance process, and they are in a well-documented framework that goes in a circle, like a 'plan, do, check, act' cycle, which is popular in all types of management. Security management should be no different.
Security managers have always followed the same types of ways of getting things done that other IT managers and managers in general have. For example, they follow the Seven Habits of Highly Effective People, they've won friends and influenced people, they have re-engineered corporations, etc., so security management has the same types of components as any other governance process. And they are:
1. You have to have some kind of strategy.
2. Strategy has to be translated into well-defined policy that is agreed upon, approved and authorized.
3. Policy has got to be documented and projected to those affected by it in some kind of an awareness process, because policy without awareness is just a document on a shelf, and it doesn't get you anywhere.
4. If you have awareness of policy and you are in a role that is handling information, then you should have some kind of implementation in the form of the preventive, detective and recovery access types of controls.
5. Once you have some implementation and you believe it reflects your policy, you have to check to make sure you have some kind of monitoring process.
6. Your monitoring process invariably will find that not everything is 100% aligned with your security policies, so you will end up with some kind of remediation of compliance process, and if you are constantly remediating things because your implementation shows you are not in compliance with your policy, then you go back to strategy, and that completes the cycle.