Dave Hansen is the Corporate Senior Vice President and General Manager, CA Security Management. In this interview, he discusses how the underground economy is impacting large organizations and tackles the good and bad sides of compliance.
With threats evolving at a breakneck pace and the underground working on a seemingly endless budget, how is this situation impacting the work of a security manager in a large organization?
Security managers today have to be concerned about a lot more than external threats, such as a virus or denial of service attack, and internal threats from employees and partners. A few factors have evolved in recent years that have elevated the focus on security to the business level, not just an IT level.
As security technology continues to play a direct role in business compliance initiatives, security managers need to look at their jobs more closely through a business lens versus just technology. They have to think about things like internal and external audits; they have to concern themselves with overall business risk and ensure they balance security with employee productivity.
Achieving that balance of the right level of security so that a business and its data are protected while still allowing enough flexibility for employees to do their jobs is more complex than it sounds. As individuals change roles in an organization, their access to data and applications often changes. Making sure the proper access is provisioned and deprovisioned in a timely manner is central to ensuring employee productivity and even more so in meeting compliance mandates.
This security and productivity balance becomes an even greater challenge when you consider employees or partners who are granted privileged access because of their position as an administrator. They often need to have access granted that is broader in order to do their jobs. However, this access introduces vulnerabilities that must be controlled.
The convergence of physical and logical security also is giving security managers something to think about. The intelligence that can be gained by linking physical security systems and logical security systems can help provide deeper transparency for security and compliance needs.
The challenges for today’s security managers are much more complex than they were at the beginning of the decade and we’re working with our customers to help them manage that security complexity and strike that balance of productivity and security.
Some advocate compliance while others blame it for many of the problems having an impact on the insecurities of today’s organizations. What’s your take on the good and bad sides of compliance?
Regulatory compliance mandates require good processes around ensuring the privacy and the protection of personal information belonging to customers, employees and anyone else doing business with an organization. Some of the specific security requirements that compliance drives include segregation of duties to ensure, for example, that the person who writes the checks cannot also approve the checks. In addition, more regulations are looking at the security issue of managing privileged users, such as IT administrators, to ensure their actions are more controlled and auditable.
Compliance keeps organizations in check and is meant to protect various groups and individuals on multiple levels depending on the regulation. Complying with regulations can be a complex and time-consuming initiative. As a former CIO, I understand the time IT spends on compliance issues. However, compliance has become table stakes for doing business today.