Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Former NSA CIO slams Fortune 100 companies' security

Derek du Preez | Oct. 4, 2013
Prescott Winter: Enterprises should be identifying what assets most need protection

"There are ways that big data can substantially enhance this," said Winter.

"If you can get enterprises to think about this risk management approach, then give them the tools to do it right by giving them all the rich data sources. Which business lines are the most important? Identify the assets that support those business lines, put markers on them, tag them, and say wherever that asset is, whether its a system or a set of data objects, those are the assets that support our most important outcomes and you need to make those category number one for protection."

He added: "You need to start with: what is the consequence if this group of assets is compromised? Then make sure that these taxonomies of assets are used consistently across the entire enterprise, every place you go in your network, every access control, has to reflect the fact that these are your corporate gems."

Firms must also then audit their work, to make sure that people are following the rules, Winter said.

"People make mistakes and things that ought to be done in a particular way often aren't and the result is a set of vulnerabilities that will leave your enterprise open," said Winter.

"Inspect don't just expect. Gather enough data to begin automating all these processes, don't just do these things on an ad-hoc basis. Actually put processes in place so that you are in effect auditing yourself continuously."

Getting business buy-in
Finally, Winter revealed that he has worked with companies and CIOs that have been given huge budgets by the CEO to implement these processes, as the strategy is completely aligned with identifying what is important to the business.

"The lesson that I draw from this is that this is a message that your senior officers understand. We are going to build a set of structures and processes that manage risk to the key assets," he said.

"We can define exactly what those assets are because we have actually aligned them with the business processes that the CEO says matter most. This is a conversation you can have with the CEO and CFO, because they live in the world of risk management."


Previous Page  1  2 

Sign up for Computerworld eNewsletters.