Many of our blog posts have been inspired by subjects that were discussed at our Global Advisory Board annual meeting in Dublin. Michael Johnson of ISACA’s New York Chapter, who has a senior information security role in the healthcare sector, kindly shared his opinion about the value of taking part in the Advisory Board, and what’s important to him when he’s evaluating a new security technology or process.
“I liked the opportunity to interact with other professionals in an environment where it’s a free exchange of ideas. It’s not vendor-centric: although solutions are commented upon, they’re merely used as reference points, and I find that the ability to speak to some of the needs that I experience in my job, with risk professionals, security professionals, or attorneys, helps me to perhaps find new direction.
One of the presentations reflected their approach to risk and how they have grown out of PCI into a risk governance perspective in their organisation. Interestingly, I’m in healthcare and that person is in guest services. I spoke with her later to share with her that we’re in exactly the same spot. We’re of similar size, with similar challenges. I have protected health information and she has guest information. I have 18 points of compliance – 18 identifiers for protected health information – that I have to worry about, and to find that her organisation was going through the same processes that we are going through was enlightening. It encouraged me that my own organisation is on the right path.
There were some aspects to PCI that she does differently, and I asked her how she implemented that. And we also exchanged some notes about data loss prevention. That one situation is an example of the collaboration that can go on, cross-discipline, by being a participant at this event. If the conference was much larger in size, we probably wouldn’t have had that conversation. Small is beautiful, in this case. But here’s a situation where big likes big: big companies have similar problems and need to have a network of places where they can spend a little time together without any pressure.
The third thing that struck me about the event was the innovation section. If there’s one take-away for me, it’s that there was a brand new, disruptive technology that was presented in a way that I could think about how I could put it in place for 65,000 employees. The opportunity to hear about this data-centric innovative approach to things makes a lot of sense to me. Encrypting at the user file level makes a lot of sense to me. I think one of the things about control of the keys and access controls is important and it’s something I have to spend more time thinking about. But it spurred me to spend time thinking about my environment in a different way.
As a buyer, I want to learn more and know more without the anxiety of vendors who are constantly calling and telling us the same story of fear, uncertainty and doubt, which I’m sceptical about. Our security organisation is to be of service – we’re not the police. When we think about that, any time I’m going to introduce a solution or propose a technology, the things that are important for me to consider are the workflow impact, the business impact, and risk reduction. So when I hear from a vendor, they have to answer a business concern.”