Chuck Kulig, Vice President of onShore Security, asks Steve Kent, onShore CTO, what new regulations coming from New York will mean for other businesses.
[CHUCK] They say the New York state regulation will be affecting cyber security compliance and regulations. Most of this is for banks, but I’m not a bank. What now?
[STEVEN] Well, so first you have to break information security away from technical operations, both from a risk management auditing perspective and a reporting perspective. This means that technical operations, the kind of day-to-day technical issues around risk management within the institution, have to be still managed and implemented by technical staff. However, the reporting oversight and strategy need to be maintained by risk management staff in the form of a CISO. That information security management needs to be not only separate from technical staff but should give a greater level of accountability to technical staff, so the CISO position can either be appointed risk management personnel who understand information security, or an outsourced group or person, or a person hired and dedicated for that position. But that person can no longer be part of the engineering technical staff, which is kind of what we’ve been used to within the industry. Overall, this leads to more professionalism; it leads to a better auditing situation, which regulators are going to appreciate, and frankly, it’s a direction the industry as a whole needs to go, as we manage information security as part of just another risk of business operations.