My first 100 days
- 11 December, 2006 21:05
Boulton Fernando was appointed CSO of IndyMac Bank in the US in July. Here's the aggressive to-do list for his first three months.
-- Get an early win. I wanted to make sure I plucked a low-hanging fruit at IndyMac in order to quickly demonstrate security's value. My first win here was complex passwords. There was worry about increased help desk calls and passwords ending up on stickies. It took some hand-holding. But they've accepted the reality that when you don't have the complex password requirement, employees will create six-character passwords that are all the same letter. And that's not secure. Within about 30 days, I had complex passwords implemented and enforced.
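The enforcement rule above (reject trivially weak passwords such as six repeated letters) can be expressed as a small policy check. The following is an added illustration, not code from the article or from IndyMac; the length, character-class, distinct-character thresholds and the blocked-word list are constructed assumptions chosen to show how such a rule catches the weak passwords the text describes while still accepting a reasonable one.

```python
import string

# Constructed policy parameters (assumption: not the bank's actual settings).
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3      # of lower, upper, digit, symbol
MIN_DISTINCT_CHARACTERS = 4    # defeats "aaaaaa" and "121212"-style choices

# Constructed blocklist: words users commonly build passwords around.
BLOCKED_WORDS = ("password", "welcome", "indymac", "letmein")

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate password.

    An empty list means the password satisfies the complexity rule.
    Each entry is a human-readable reason suitable for a help-desk
    script or a self-service change page.
    """
    violations = []

    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    chars = set(candidate)
    classes_present = sum(1 for cls in CHARACTER_CLASSES.values() if chars & cls)
    if classes_present < MIN_CHARACTER_CLASSES:
        violations.append(
            f"uses {classes_present} character classes, need {MIN_CHARACTER_CLASSES}"
        )

    # Character-class rules alone do not stop "aaaaaa"; count distinct symbols.
    if len(chars) < MIN_DISTINCT_CHARACTERS:
        violations.append(
            f"only {len(chars)} distinct characters, need {MIN_DISTINCT_CHARACTERS}"
        )

    lowered = candidate.lower()
    for word in BLOCKED_WORDS:
        if word in lowered:
            violations.append(f"contains blocked word '{word}'")
            break

    return violations


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper: True when no violation is found."""
    return not check_password(candidate)


if __name__ == "__main__":
    for sample in ("aaaaaa", "Password1", "Tr0ub4dor!x"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
```

Running the block prints one line per constructed sample; the six-letter repeated password fails on length, character classes and distinct characters at once, while "Password1" passes the class count but is rejected by the blocklist, which is the kind of case a pure complexity rule would otherwise let through.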
-- Share security status. Another early change was to put our security status report on a shared network. Any team member can go in and look at it. Some can update it. I review it weekly and present the status to the executive VP of technology every other week.
-- Adjust commuting habits. My commute is longer here than at my previous job. I've learned a good use of that time is to download news and business podcasts so I can listen on the way to and from work.
-- Create an overarching project plan. By far the most complex task I've taken on so far is developing the enterprise security and privacy strategy. The reason it's so complex is it comprises physical security, IT security, business continuity, compliance and privacy; it has to talk about the business drivers and has to be flexible enough to adapt to the bank's future vision. I'm comfortable with what we've produced. What I really need is the next item.
-- Executive committee buy-in on project plan. Cross your fingers.
-- Move physical security staff. We're putting the physical and IT security folks on the same floor. How's that for convergence? Another convergence-minded step we've taken: joint status meetings. We'll get crisis management, emergency response working directly with the technology recovery group. They've got to talk. There's still some cliquishness, so in the meetings I'll bring up topics of common interest -- for example, access management. They all have a stake in that.
-- Change perception of physical security. We need to do some marketing here. Once the strategy is approved, I'd like to take it on a road show with management and highlight the advantages of integrating physical and IT security, thus creating a "one-stop shop" for security.
-- Dress down. I'm getting close to checking this one off. I came from a background where you wear suits every day. Here, we have casual work clothes, which includes the option to wear golf shorts. It felt different the first few days. As funny as it sounds, it's an adjustment for me.
-- Revamp our asset classification policy. Before, data and assets were either confidential or not confidential. I requested a third classification, "personally identifiable information." I think some folks were worried three would turn into four would turn into 10 would turn into 400. So I waved the regulatory wand and said, "If we stay at two classifications, we're going to have to encrypt everything under the sun." This way, we can encrypt a subset of information. So we created a working group to set the policy, developed standards and now have a policy with three classes of assets.
-- Streamline policies. Despite the fact that we revamped that one policy, overall we have way too many security policies. That happens when you work tactically, ad hoc. Something comes up and someone develops a policy regarding that specific incident. Soon enough, you have all these policies and the only people reading all of them are internal audit. I want to develop a simple, flexible security policy that follows the ISO framework.
-- Balance tactical and strategic. When I got here, security was 100 percent tactical. I want to bring that down to about 40 percent. I'll do it by creating a strategy/architecture group.
-- Rate all facilities' security controls. We've created gold and silver ratings for all of our facilities. The next step will be to determine which facilities need to upgrade controls like mantraps, surveillance and so forth.
-- Rehabilitate the reputation of the security group. The main issue is people need to think of security as an enabler of future business and a market differentiator. To do this my team should work on projects that are forward-thinking while addressing present control concerns.