Ex-Bear Stearns CISO takes aim at compliance issues

Security expert laments shortage of audit pros, independent assessors
By Ellen Messmer , Network World , 07/14/2008

The sudden death this March of Wall St. firm Bear Stearns & Co., buried under an avalanche of the subprime mortgage crisis, pushed many IT people out of their jobs, including Jennifer Bayuk, the chief information security officer (CISO) there.
Bayuk, 10 years with Bear Stearns and now an independent IT security consultant, speaks with Network World Senior Editor Ellen Messmer about that upheaval, and about what’s wrong with security compliance practices today.

What was it like in the middle of the collapse at Bear Stearns, which was swallowed up by JPMorgan Chase at a bargain-basement price?

There were some openings at JP Morgan Chase, but a lot of the internal audit, legal and information security didn’t need to be duplicated. I was too high-level to be absorbed. But everyone who departed got a severance package based on their tenure at Bear Stearns. And JPMorgan is helping with job placement and allowing use of an office in New York.

Are you going back into the financial sector?

It’s more appealing to be an independent consultant at this point.

Your experience not only with Bear Stearns, but with AT&T, has earned you wide respect. In the keynote address you gave at the recent SIFMA Conference, you used the time to basically diagnose what you think is wrong with the way security compliance is conducted today. So what is so wrong?

Regulators are asking the security people to meet compliance. Security people are devising programs in which they ask vendors, such as third-party service providers, to provide assurances about security to meet compliance. But there aren’t enough audit and security professionals in the world. There aren’t enough experts to know if something is being done right. So they fall back on checklists to pass regulatory exams.

So what happens in this circumstance?

Instead of examining business processes, the method of achieving ‘due diligence’ is simply to do what everyone else is doing. There’s a growing group of managers called ‘risk managers’ who decide if risk exists or not without ever understanding the underlying technology. Legal is very much involved in this. So vendors must submit these checklists.

What’s the point of these checklists?

If you can hold someone accountable, you can sue them. You can go back later and say, you said you did this.

Comments (3)

Business processes failed due to dependence on IT
By Acct101 on July 15, 2008, 11:28 am
Basic Accounting principles are being forgotten as business managers depend on IT to do all the checks and balances. The CISO is worried about IT security, but...


Agreed
By Anon on July 14, 2008, 1:10 pm
I would have to agree. Checklists should only be used as a guide to ensure all areas are being looked at. Companies are being forced to react to compliance rather...


Compliance Issues
By Anonymous on July 14, 2008, 10:58 am
You can see why Bear Stearns dropped quickly. Checklists are not the problem with compliance. Implementors of compliance use checklists as a tool. The...
