Constant threats to our business have changed the way we prioritize security and risk management at WesCorp, the largest corporate credit union in the United States with $25 billion in assets and $650 million in annual revenue.
As chief information security officer (CISO) and director of enterprise security services, my role is to embed security into WesCorp's operations. The company's goal is to use rational information risk management to help solve business problems, provide secure business operations, and protect our clients' data.
We've developed a business-focused "reduction of risk on investment" approach. Because it's difficult to consistently attach a specific monetary value to information assets and to assess an ROI for security initiatives, we focus on reducing risk exposure and avoiding costs by implementing the appropriate security measures.
To prioritize risks effectively, we align the security program with WesCorp's strategic initiatives. It's crucial to understand clearly what matters most from a critical operational-impact viewpoint, and that understanding must come from both technical and business perspectives.
WesCorp uses the OCTAVE framework, developed by the Carnegie Mellon Software Engineering Institute, to facilitate our information risk-management process. Specifically, risk is defined, prioritized, and managed on the basis of data drawn together from several sources: risk assessment, business continuity, vulnerability management, threat analytics, and regulatory-compliance initiatives. These elements provide meaningful data that lets the company understand where it may be vulnerable, what mitigating controls are in place, and its overall risk and security posture. This approach lets us communicate effectively to management, regulators, and customers how we manage risk across the enterprise.
Three recent security initiatives illustrate how we've reduced risk through better network and security life-cycle management.
For some time, we've all been warned that the network perimeter is dead because of the increasing number of access points for mobile workers, vendor collaborations, and business partners. We suggest that the perimeter is, in fact, multiplying, though the diameter of the perimeter is collapsing. As technology gains additional footholds throughout the enterprise, thousands of firewall-like solutions are needed to patrol and monitor access points. The challenge is to provide network security while allowing the free flow of information and, therefore, business as usual. The tactical security implementations necessary for a growing network have traditionally been expensive and difficult to manage.