Search Results Page

Analyst Spotlight

Khalid Kark, Principal Analyst

Khalid's research primarily contributes to Forrester's offerings for the Security & Risk professional. He is a leading expert in information security program governance; security services; strategy; and governance, risk, and compliance (GRC) initiatives. . . .

Displaying results 1-25 of 57 results

Results based on your search criteria

For Security & Risk Professionals

CISO Handbook: How To Plan For A Security Breach

Many chief information security officers (CISOs) are forced to respond to security breaches with little knowledge or planning. Not only is it important to have the tools for responding to security breaches, but it's essential to build a detailed response . . .

For Infrastructure & Operations Professionals

IT Compliance: From Painful To Pleasant

With increasing workforce mobility and the extension of the business supply chain globally, organizations are struggling to keep up with increasing corporate and regulatory compliance requirements. Regulations such as the Health Insurance Portability . . .

For Security & Risk Professionals

Healthcare Security: Ready Or Not, Here It Comes

Applying Five Cardinal Rules Of Information Security To Healthcare Companies

The US Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The security and privacy rules took effect in 2003, but none of this really improved the overall state of information security across the healthcare industry. . . .

For Security & Risk Professionals

Articulating The Business Value Of Information Security

Many CISOs struggle to articulate the value of their security programs and justify the security budget to business and executive management. This problem was acutely evident in the current economic downturn: Many security managers saw their budgets slashed, . . .

For Security & Risk Professionals

Case Study: DTCC Implements A Process-Based Approach To Security Metrics

Jim Routh at DTCC took a unique approach in developing his security metrics program. He identified all of the processes that the security team was responsible for and then defined a process owner for each of them. Some of these owners were part of the . . .

For Security & Risk Professionals

Case Study: Harland Clarke Turns To Corporate Objectives For Defining Security Metrics

John Petrie at Harland Clarke was lucky to report directly to executive management, and he reported on a routine basis to the executive management team on information security issues. This gave him a unique perspective into the business planning and prioritization . . .

For Security & Risk Professionals

Real World Example: Eastman Kodak Security Metrics Dashboard (1.4 MB XLS)

This document is only available to Forrester clients.

Includes a real world example of a security metrics dashboard courtesy of Eastman Kodak Company.

For Security & Risk Professionals

Case Study: Eastman Kodak Company Takes A Tiered-Risk Approach To Security Metrics

Eastman Kodak's matrixed organizational structure enables its business units to act quickly in response to changing business conditions, but it also creates a decentralized security function. Security information resides in different parts of the organization, . . .

For Security & Risk Professionals

The Forrester Wave™: Information Security And IT Risk Consulting, Q1 2009

Deloitte And PricewaterhouseCoopers Lead, With Accenture Close Behind

In Forrester's 72-criteria evaluation of information security and IT risk consulting service providers, we found that Deloitte and PricewaterhouseCoopers (PwC) lead the pack because of their superior understanding of business requirements coupled with . . .

For Security & Risk Professionals

Security Budgets, Reporting, And Responsibilities Are All Rising In 2009

Security professionals have been complaining for years about their inability to influence the organization and that information security is a thankless job. Recent conversations with CISOs and data from Forrester's annual security survey suggest that . . .

For Security & Risk Professionals

Twelve Recommendations For Your 2009 Information Security Strategy

Many security predictions paint a doomsday scenario where a crippling cyberattack will leave us all reeling from its effects or Supervisory Control and Data Acquisition (SCADA) systems vulnerabilities will be exploited to play havoc with our national . . .

For Vendor Strategy Professionals

What President-Elect Obama's Cybersecurity Agenda Means For Security Vendors

President-elect Barack Obama has acknowledged that leaving America's information systems unprotected could lead to a "crippling blow" to our economy. He has promised to make cybersecurity his top priority, declare cyberinfrastructure a strategic asset, . . .

For Security & Risk Professionals

Case Study: Verizon Business Builds An Asset-Based Security Metrics Program

In response to the evolving security threat environment and heightened attention to regulatory compliance, many companies started migrating from a purely reactive security program to a proactive risk-based security program. This has led to new challenges . . .

For Security & Risk Professionals

Best Practices: Security Metrics

Security metrics are a key initiative for many chief information security officers (CISOs) today, but many of them struggle with picking the right security metrics and translating the operational measurements into meaningful metrics for business. Forrester . . .

For Security & Risk Professionals

Managing The Expansion Of Security Responsibilities During Economic Uncertainty (324 KB PPT)

This document is only available to Forrester clients.

In the past few years, the siloed IT security role has rapidly added to its responsibilities and transformed itself into the cross-functional information risk management role. This has left many firms scrambling to structure their security and risk organizations . . .

For Security & Risk Professionals

Security And Privacy Essentials For IT Outsourcing Deals

Managing Risk While Ceding Operational Control

Global spending on IT services and outsourcing was estimated at $488 billion in 2007 and is predicted to rise an additional 9% in 2008. At $120 billion, IT outsourcing constitutes roughly 25% of this spending. Organizations engaged in outsourcing will . . .

For Security & Risk Professionals

2008 CISO Agenda: Embrace Change

Ten Changes To Existing Practices That Will Guarantee Your Success

It's amazing how little progress we see year after year. As we look back to early 2007, or even 2006, not a lot has changed in what's expected of the security organization and what the chief information security officers (CISOs) are saying they'll do. . . .

For Security & Risk Professionals

2008 CISO Priorities: The Right Objectives But The Wrong Focus

There is a definite chasm between chief information security officers' (CISOs') priorities and their responsibilities. CISOs understand that their priorities need to align with business objectives, yet many of them remain focused on technology and operations. . . .

For Security & Risk Professionals

Seven Habits Of Effective CISOs

The chief information security officer (CISO) role in an organization has evolved beyond recognition in the past few years. Today, most CISOs have decreasing responsibility for day-to-day security operations and a greater level of participation in strategic . . .

For Security & Risk Professionals

Enterprise GRC Versus IT GRC

Technology plays a vital role in governance, risk, and compliance (GRC) initiatives. An effective enterprise GRC strategy will employ technology to drive sustainability, consistency, efficiency, and transparency into GRC oversight. The practice of GRC . . .

For Security & Risk Professionals

Defining IT GRC

IT governance, IT risk management, and IT compliance are three distinct disciplines that in the past have existed in silos within organizations. Today, many organizations no longer see these activities as individual, one-time projects handled in separate . . .

For Security & Risk Professionals

VeriSign Is A Strong Performer In Security Consulting, Especially In Key Technical Areas

The Forrester Wave™ Vendor Summary, Q3 2007

VeriSign's security consulting practice is working to complement the company's already strong managed security services group. While not as mature or globally widespread as offerings from competitors in the market, the company's technical capabilities . . .

For Security & Risk Professionals

Wipro Is A Strong Performer In Security Consulting With Potential For Rapid Growth

The Forrester Wave™ Vendor Summary, Q3 2007

Wipro's offshoring model is unique among the larger players in the security consulting space. While some customers have mentioned obstacles when working with this model, the cost savings Wipro provides is still a very strong draw for clients. In our evaluation, . . .

For Security & Risk Professionals

KPMG Is A Strong Performer With A Strong Vision And Excellent Client Satisfaction

The Forrester Wave™ Vendor Summary, Q3 2007

KPMG's security consulting practice is relatively small compared to many of the large firms it competes with, but it has focused its attention in key capability areas and is poised for substantial growth. Even with a smaller client base, the company's . . .

For Security & Risk Professionals

IBM Is A Strong Performer In Security Consulting Based On Technical Skills And Global Reach

The Forrester Wave™ Vendor Summary, Q3 2007

IBM has one of the biggest security consulting practices in the market, with a robust partner ecosystem and a solid customer base across all global regions. The company expanded its security service capabilities with the purchase of ISS in 2006, although . . .
