Juan Diaz Pinales made only one demand when he signed on as information security manager of Doral Financial: that he report directly to the CEO.
While most I-managers may not make such ultimatums, Pinales said his authority has made a big difference for Doral's security infrastructure in his eight months on the job. The bank has quadrupled the number of suspicious activities reported to the government because more employees are involved in monitoring, he said.
Pinales' status in his bank is an example for those who want to develop better security policies within corporations, rather than focusing only on better technology.
The Human Firewall Council, a nonprofit organization that includes members from Ernst & Young and the FBI, will promote awareness of the importance of human factors involved in information security. It will also provide programs and policies that can help make an organization successful when incorporating these factors. The HFC was introduced at last week's Computer Security Institute conference in Washington, D.C.
Human Factors
“People is one of those topics that doesn't get nearly enough attention, but is absolutely critical to a company's security,” said Charles Cresson Wood, an independent information security consultant and HFC member.
Security responsibilities need to be woven into the fabric of an organization, Wood said. For example, if a company incorporates security policy in its codes of conduct, its training and its performance reviews, employees are more likely to take note of those policies.
Doral's employees must read a security manual and pass a test before being allowed to access the bank's computer systems. “In my policy, every bank manager is my assistant security manager,” Pinales said.
Often, the problem for I-managers is convincing an organization's top executives that implementing a more widespread security policy is not going to cost them more money.
Steve Hunt, vice president and research leader of Giga Information Group and a member of the HFC, said that part of the HFC's job is convincing executives that they get much more bang for their IT buck when it's spent on people, not technology.
“If you only have $1 left in your security budget, spend it on awareness,” Hunt said.