Last week, I wrote a blog post summarizing the Day 1 opening keynotes at Forrester’s Security Forum. This week, I’d like to recap the Day 2 opening keynotes. The second or last day at any event is always a challenge; attendees are always tempted to leave early or to stay in their hotel rooms to get some work done or if the event is in Vegas, squeeze in some craps (my favorite) or drop a few coins in a nearby slot. Luckily, we held the event in Boston and the lobsters have nowhere to run, so most attendees were happy to stick around until the end of the day. Not only did we have great attendance on Day 2, but there was a palpable buzz in the air. The audience asked tough questions and no one was spared — Forrester analysts, industry guest speakers, and vendors. While the main topic of Day 1 seemed to focus on risk and overall strategy, governance, and oversight, Day 2 focused on coming up with the specifics — the specific plans, the specific policies. As Andrew Jaquith stated in his keynote, to provide better data security, “you don’t need more widgets, what you need is a plan.”
Below are some of the highlights from the Day 2 keynotes:
I had the chance to sit down with Credit Suisse’s CISO and Head of IT Risk, Daniel Barriuso, to ask him a few questions about his role at Credit Suisse and his approach to security. Daniel will be keynoting this week at Forrester’s Security Forum, which kicks off this Thursday, September 16th. Here’s a sample of our Q&A below:
Why is a more holistic approach to IT security so important today?
[Barriuso]: Given the complex and fast changing IT security landscape, a holistic approach is key to being able to effectively understand the end-to-end threat landscape and manage it proactively. This entails planning for both current and emerging threats, identifying future trends, and making conscious decisions on the security investments required.
What were some of the most important lessons that you learned over the last several years?
[Barriuso]: A key lesson that I have learned through my career is that governance is the foundation for a strong IT security organization. Often organizations focus on technology and technical controls as the main driver to secure data. Instead, a top-down approach is required, beginning with the policy, governance bodies, and risk management framework.
What advice would you give to other senior security leaders who want to move to this more holistic approach?