January 2016 SAFE Newsletter
The Trinity of the Information Security Officer
The role of the Information Security Officer (“ISO”) is to develop and implement an information security program that incorporates the financial organization’s vision and strategy, so that all information assets and technologies are adequately protected and regulatory requirements are met. Accomplishing this without sacrificing the organization’s core business processes, or unnecessarily driving up cost, is an art form that requires a skilled professional in three main areas: 1) Technology and Security, 2) Compliance, and 3) Management.
Technology and Security
The individual assigned the role of ISO should possess an in-depth understanding of the benefits, weaknesses, and impact of information technology and security. The ISO should keep abreast of emerging technologies that could better assist in identifying vulnerabilities and preventing security breaches, whether the threat originates internally or externally. Understanding how monitoring devices actually function (what they can and cannot detect) allows a savvy ISO to design business processes that further enhance the protection the device provides. Furthermore, an ISO who is aware of new security methods and technologies has an upper hand in creating, developing, and implementing an information security program that offers robust protection without straining the budget approved by the Board of Directors and other C-level executives. Additionally, an ISO who follows technology and security trends within the industry can proactively prepare a financial organization to meet, and even exceed, information security requirements.
Compliance
An ISO should not only be well versed in technology and security but should also have comprehensive knowledge of how regulatory requirements affect the performance of technology and security, as well as the impact they have on business policies and processes. A financial organization’s core businesses should always be the focus of the underlying vision and strategy. Many financial organizations are inundated with compliance obligations that are not right-sized for their specific business needs, constantly chasing the information security compliance dragon without realizing any benefit. Much of this misalignment is caused by a lack of understanding of what examiners actually require of your specific financial organization based on its size and complexity. An ISO who understands the impact of information technology compliance on the financial organization can better align the information security strategy to meet regulatory requirements without sacrificing core business processes.
Management
One of the most important responsibilities of an ISO for a financial organization is managing the information security program so that it incorporates technology and security as well as compliance principles, while still focusing on core business activities. By combining technology and security with compliance principles, the ISO is able to clearly articulate a holistic picture of the financial organization’s information security landscape. This holistic picture helps the ISO meet regulatory requirements and sound security practice by pinpointing the areas of information security that the financial organization actually needs to implement, based on its size and complexity.
An ISO who implements the Trinity of the ISO is on the right path to building a comprehensive and agile information security program.
Too Small to Care?