Managing Information Security Risk
Updated: Mar 20, 2019
Fireside Chat with Dan Reynolds
Starting his information security career in the military, Dan Reynolds brings a very diverse background to the table. During our recent meetup, we had the chance to sit down and chat with Dan, who currently works as the VP, Chief of Security and Information Architecture at Omnicom Media Group.
The recent chain of events has served as a wake-up call to many C-level executives. The board of Target firing the CEO after the high-profile data breach has caused most executives to realize that they can, and likely will, get fired if security is not a high priority. “If we move away from the FUD (Fear, Uncertainty, Doubt) factor of information security and actually apply proper business principles as to risk management – at the end of the day, you are a risk manager – how much risk can we afford to take with the type of data that we have? You look into that and you start incorporating holistic security programs into what you’re doing – then you start seeing better results,” points out Dan. At the end of the day, you are risking real money.
On the topic of money, businesses are always trying to do more with less and information security is subject to this mindset as well. How do you deal with that? “Get really creative,” says Dan. “It depends on understanding your business – as you’re moving up in the information security through the analyst to the manager to the executive, you have to shift out.”
The positive thing is that many companies are starting to realize that it’s not just their own company they’re putting at risk. If their company gets breached, they are also putting their business partners at risk, which means they can potentially lose those partners and the business they bring. This is where business clauses come into play, “stating that you have to have a certain level of information security and that you are liable for that if you fail them.” This makes it easier to explain to executives that the risk is high and needs to be addressed appropriately.
In the video below, you can watch Dan explain in detail how information security executives can accomplish their goals and achieve high levels of information security on limited budgets, how to communicate with the board, and more.