Page 98 - Pay Magazine s2014
finance & strategy
Integrating Security into Your Company’s DNA
FAST FACT
The most valuable stolen cardholder data on the black market is three to four years old, according to John Walsh, CEO and president at SightSpan. If a company is breached and data are stolen, sometimes the company will offer credit monitoring services to consumers for a year; by the third year, the incident is forgotten and consumers stop checking their credit scores.
■ Security is a journey, not a destination
“You never actually ‘get there;’ you’re always going to be making security changes,” says Kevin Kealy, chief information security officer at FIS, a Jacksonville, Fla.-based global provider of banking and payments technologies. “The bad guys always will be trying to leapfrog what you’ve done today, which means your security always has to be evolving.”
Kealy adds that FIS stresses a “secure by design” philosophy, meaning designing a system to be secure from the ground up. For example, any code the company writes follows the guidelines of the Open Web Application Security Project (OWASP) to ensure it isn’t introducing vulnerable code.
Wain agrees that maintaining strong security is a moving target. Too many times, he says, companies will spend millions of dollars on data security and consider the issue closed, but they need to be continuously investing in and upgrading their security infrastructure.
■ Buy-in from the top
For a data security plan to be effective and truly integrated into a company’s DNA, the firm’s senior executives, including the CEO, must understand completely what must be done to keep its data secure. “Our chief executives at FIS could not be more supportive of our security goals,” says Kealy. “If you don’t have that tone from the top, it’s not going to be a successful enterprise.”
■ Hire the right people
There are no shortcuts to security, Dancu says, and that means hiring the right people. “You want experienced security people who’ve been ‘around the block’ so they can adapt the company’s system to new threats. You have to spend the money and have the right people in place.”
Walsh suggests designating an information security officer and writing a job description for the position. Then, the company must determine the security level it requires and its approach to security: will it all be done in house, or will the company use external resources?
Having the right people means little, however, if they don’t have the necessary authority, Wain adds. Whoever is in charge of security must have the organizational power to make security initiatives a priority of the chief executives, or the security plan goes nowhere.
■ Implement company policies
Sometimes it’s the most obvious security tasks that are most often overlooked, and implementing policies that address them can ensure they aren’t. For example, using secure email for transmitting client information and encrypting databases are seemingly obvious practices that too many companies forget, Walsh says. Another matter of company policy should be limiting information access within the company.
“I see very poor access control policies,” Walsh adds. “Very simply, why is everybody able to see everything? It increases the company’s vulnerability because it increases the risk of someone stealing information and using it inappropriately.”
Wain suggests companies approach data security by finding opportunities to reduce the amount of information they are storing. Perhaps companies might be holding onto data longer than necessary, or they need to explore using tokenization, for example, to reduce the amount of information they have to store.
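To make the two data-minimization ideas in this section concrete (keeping data no longer than necessary, and tokenizing so the application never stores the full card number), here is an added example. It is not code from the article, from FIS or from i2c; the `TokenVault` class, `make_record` and `purge_expired` are hypothetical names for this illustration, the in-memory dictionaries stand in for a separately secured vault, and the card number used is a constructed test value.

```python
import re
import secrets
from datetime import datetime, timedelta, timezone


def _luhn_ok(digits):
    """Luhn check used by card numbers; also used to make sure a token never
    looks like a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for a separately secured token vault.

    Only this component ever sees the full PAN. Application records keep
    the token plus the last four digits, so a breach of the application
    database exposes no usable card numbers."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        pan = re.sub(r"\D", "", pan)            # drop spaces and dashes
        if not 12 <= len(pan) <= 19 or not _luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:           # same PAN -> same token, so
            return self._pan_to_token[pan]      # repeat customers still match
        while True:
            # Same length as the PAN (fits existing schemas), random (not
            # derived from the PAN), and deliberately Luhn-invalid so it can
            # never be mistaken for, or used as, a real card number.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token not in self._token_to_pan and not _luhn_ok(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault (a narrowly authorized component) can map back."""
        return self._token_to_pan[token]


def make_record(vault, pan, amount_cents, created=None):
    """What the application stores: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    digits = re.sub(r"\D", "", pan)
    return {
        "token": token,
        "last4": digits[-4:],
        "amount_cents": amount_cents,
        "created": created or datetime.now(timezone.utc),
    }


def purge_expired(records, retention_days, now=None):
    """Retention policy: keep records only as long as business need requires."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["created"] >= cutoff]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number, valid under Luhn, not a real account.
    rec = make_record(vault, "4111 1111 1111 1111", 1999)
    print("stored record:", rec)
    print("vault can recover PAN:", vault.detokenize(rec["token"]))
```

The application database row never contains a value that passes the Luhn check, so even a full copy of it yields nothing a fraudster can charge; the vault holding the mapping is the only place that needs the strongest controls and the narrowest access, which is the point Walsh makes about not letting everybody see everything.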
■ Multiple layers of security
One layer of defense is simply not enough, according to Wain. “i2c has