New ISSA President Sets 3-Point Agenda

#1 Challenge: Understand True Information Risk
New ISSA President Sets 3-Point Agenda
The new president of the world's leading information security association sees a "crazy landscape" facing information security professionals.

Kevin Richards, head of the Information Systems Security Association (ISSA), in an exclusive interview, says he sees some fundamental areas where everyone is struggling against information security threats to their organizations. Richards, a risk management advisor with Crowe Horwath, replaced former ISSA head Howard Schmidt, who is now President Barack Obama's cyber security coordinator. ISSA has 10,000 members in more than 70 countries.

Areas where Richards says information security professionals need to focus include:

Understand Information Risk - Understanding what information, what data they have as an organization and identify what it is and where it resides. "Organizations are struggling with getting that inventory of what is it I have, where is it, how am I protecting it and what is the impact to the organization if it gets lost," Richards says. Organizations have to know what their real exposure is, and are struggling to get their arms around that idea.

Setting a Perimeter - Richards cites the explosion of mobile technologies, smart phones or thumb drives. "You have to define where the endpoint is. Is the endpoint part of the cloud? Is the endpoint a laptop?" The organization must know what it is that needs to be protected."

The days of having a "set perimeter" that the organization could build a wall around or dig a moat to protect "has been gone for years, and "with this explosion of technologies. I think that organizations are really having challenges trying to define that endpoint and define a security strategy," Richards says. The security plan has to be balanced to enable the business, but allow it to meet security and risk management objectives. He sees the security perimeter is still a big threat area for organizations.

Bridge the Gap - Between the traditional information security infrastructure and the organization's enterprise risk management framework. "How can I explain to the business: Here are my exposures, both technical, process, and getting management's understanding and buy in and commitment to get the appropriate funding to build those protection area controls in place?" The threat, Richards says, sometimes comes from the lack of understanding at an executive level as to what the organization's real exposures are. Richards concludes that info sec pros need to "bridge that gap so areas are being protected in a way that best supports the business risk objectives."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.