Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Council Teleconference: Application Rationalization — Hidden Costs and Smart Decisions
November 17 at 11:00 am US/Eastern (GMT-5)
Join Honorio Padrón, of The Hackett Group, who will share the drivers for companies to tackle application rationalization and the results of research that define the hidden cost of complexity. Additionally, we will discuss key decision milestones—to start or not, holding the course steady and fulfilling expectations.
Virtual Desktop Cost-Benefit Analysis — Michael Jacobs, Catlin Group
The analysis contained in this presentation measures the cost of everything from the machines and licenses to the infrastructure for virtual vs. traditional desktop environments.
Honor your best senior team members - Apply for the CIO Ones to Watch Award
Get well-earned public recognition for your top up-and-coming team members, your IT organization and your enterprise. Award winners will be announced, publicized and feted in May 2010, great timing to help attract new IT recruits to your company.
Learn more about the CIO Executive Council »May 15, 2002 — CIO —
Last year, David Saul, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company’s firewalls. They did a good job limiting the damage, but it took two days?two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. "We want to be in a safety zone that doesn’t require that kind of immediate mobilization," he says.
That’s why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganizing and reassigning IT people to security. "Good security equals prevention, detection and reaction," says Saul, who is based in Schaumburg, Ill. "If you’re not going to staff to make the process work, then your exposure to security breaches is higher."
That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 percent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 percent of those respondents acknowledged suffering financial losses.
In fact, there’s no limit to the damage evildoers can inflict. Sept. 11 proved that. In this environment, many people believe that it’s sheer madness to have an IT staff handling information security on an ad hoc basis. "It’s a hard-and-fast rule, in my opinion," says John Hartmann, vice president of security and corporate services of Cardinal Health, a $47 billion health-services provider in Dublin, Ohio. "If the two roles are shared, business priorities will drive security to a lower priority."
Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company in Princeton, N.J., disputes that, saying that his IT staff handles security very well, thank you. But he does agree that people charged with security responsibility must be organized into a team?as his are?carrying out a coherent security program that sets out specific responsibilities and requires regular meetings.
A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader.
Finding skilled security professionals to carry out this mission can be tough, and the alternative?training in-house IT staffers who are security novices?can be costly and time-consuming. (Outsourcing security is another option. To read a cautionary tale about the pitfalls of outsourcing security, check out "Exposed," at www.cio.com/printlinks.) But whichever route you choose, here are some ways to enhance your chances of success.