Tack on another "C" in security function.
One CISO, James R. Wade of KeyCorp, the major banking company based in Cleveland, talked recently about the position and what it entails. While he's been at Key for about a year, he was formerly the CISO for the Federal Reserve System (covering the Reserve Banks but not the Federal Reserve Board).
In an interview, Wade--who also serves as president of the International Information Systems Security Certification Consortium, or (ISC)²--said his office oversees what is generally a centralized technology platform in Cleveland, with some added resources in Albany, N.Y. "We see ourselves as a center of excellence," partnering with existing IT staff. His group numbers about 35, two-thirds of whom had been with Key before he joined, he notes.
"What is new is that this is really being focused on gaining an enterprise-wide view; these positions are being created for the C-suite for insights on the security standpoint, as well as a business standpoint," Wade says. "I see this as the proverbial three-legged stool--you have the security side, the technology side and the business side."
Wade concedes that an avalanche of mergers in recent years has made things more challenging for industries like financial services, and that different philosophies must often be brought under one umbrella. How? "It all starts out with policies--a senior management statement of what has to happen. [Then comes] policy development and the day-to-day [duties]. For many financial services organizations, because of the way security is perceived, it's now integrated more into how we do business."
Wade says the research he's seen from companies like Gartner Inc. and The META Group suggests that there is no single approach for a reporting scheme--some CISOs may report to the CFO or even the CEO, though most would report to the chief information officer. Deciding to create such a role "starts with the realization that you need someone who can interact with highest levels [of the company], who can help put together strategy at the highest level and make sure that's followed through into the technology."
|Title Annotation:||management; chief information security officer, or CISO|
|Author:||Heffes, Ellen M.|
|Date:||Dec 1, 2003|