Roundtables Worth Repeating
Perspectives, issues, and commentary from recent roundtables
The most distinctive feature of our IT security roundtables is the lively and enthusiastic discussion that results. Here are highlights of the executive open commentary from last quarter's events:
New York, February 2010
Roundtable Discussion Topic: With the deluge of data, how do you identify all the relevant information necessary to make educated, cost effective & timely risk-based decisions?
Worth Repeating Commentary
- "We have 3 data sources that bubble up for risk-based decisions: IT, Business, and Audit"
- "The problem with people as a data source is the question you ask is not always the question they answer"
- "Understanding what data you need is just as hard as finding it"
- "You must determine what data is critical to the business and what is minutia"
- "It's just data unless it is relevant to the business"
- "Even with supporting data, the business doesn't always want to fix it the right way"
- "You can identify, collect, and analyze but without the proper translation it is hard to sell"
- "If you can't explain it to the business, it is not going to get funded"
- "It's a sorting problem; you must properly consolidate information to create intelligence"
- "It's about prioritizing disparate sources of information"
- "I know for sure, we have all the data that we use"
- "Data is important but you must also identify patterns of behavior within the data and look for anomalies"
- "Pure technology risk management is what we try to do but the user is re-defining the technology all the time"
- "How do you measure risk when the controls change every day?"
- "Metrics can also be your undoing as not all metrics are meaningful but they still elicit action"
- "We spin a lot of wheels investigating risks that are not a risk"
- "How do you take the collected intelligence and resource against it?"
- "Unfortunately you don't know what you don't know"
- "How do you collect the data from outsourcers?"
- "There is a difference between risk monitoring and risk management"
- "It's a problem only if I don't have a bigger problem"
San Francisco, March 2010
Roundtable Discussion Topic: Do you feel a lack of clarity and control over your enterprise encryption program; can you drive it towards simplicity?
Worth Repeating Commentary
- "I'm not sure you can use simplicity and encryption in the same sentence"
- "Before you can effectively leverage encryption, you must first find your data and classify it"
- "Encryption needs to be clearly supported by data handling policies and procedures"
- "The holy grail is finding and securing the unstructured data"
- "We've measured the amount of encrypted data going through our firewall and it's increased substantially which could be a minus instead of a plus; more sensitive data than ever is leaving the company"
- "Key management is critical; there is an immense level of trust in just a few keys"
- "At the end of the day, the business takes the risk by not leveraging the encryption solutions made available"
- "It takes two to tango; users cannot comply with an encryption policy if the solution isn't sufficiently simple"
- "Policies don't protect data, technology does, so you have to make it easy to comply"
- "I don't want to rewrite policies; they should be ground rules that don't change with the environment"
- "To be successful, encryption must be used by many and administered by few"
- "Not all the data is the same, so you cannot protect it all the same; scrape off the stuff that doesn't matter and make the business units identify the value of the rest"
- "The business must get comfortable with owning the risk, it's inevitable"
- "Encryption must be managed centrally, it's the key to our success"
- "We use a risk model for our most sensitive data (i.e. IP and government classified); risk of loss on one axis and accessibility / integrity on the other axis"
Toronto, May 2010
Roundtable Discussion Topic: Preparing for the next generation of information security: cloud computing, mobile devices and social media.
Worth Repeating Commentary
- "We've completely banned all social media"
- "We own all the devices but by the time we lock them down they become useless"
- "Developing an enterprise wide policy doesn't work; one size does not fit all"
- "Although we must embrace new technologies carefully, we also must ensure we don't stifle productivity"
- "Because the business units are motivated by contractual obligations to customers, we are empowered to manage the data"
- "We have a committee that discusses the needs of the business units when it comes to all new technologies, including social media; for now it is banned"
- "Allowing a variety of mobile devices as well as social media is critical to recruiting talent and maintaining our competitive edge"
- "We put tools in place to enforce critical policies but also try to remain flexible"
- "We did a cost analysis on cloud and found in most cases it was cheaper to keep it in house"
- "Cloud has to be driven by the business with policies to support it, so far they haven't asked"
- "The public cloud is not ready for PII"
- "Segregate the highest risk data and tightly control access so it is not about what the end points are doing"
- "We do annual audits for our highest risk providers"
- "We only support the Blackberry and no one can store any data on their phones"
- "An SLA is your only protection as your data will be exposed to cloud employees"
- "Like most at the table, cloud is not permitted in our company and we have no near-term plans to adopt it"
- "When it comes to mobile, we take the Czar approach; we don't even allow address books on the phones"
- "We do have a twitter site but it's tightly managed and monitored"
- "Marketing wants social media but we have no one to monitor it"
New York, May 2010
Roundtable Discussion Topic: As mobile and portable devices proliferate, so do the risks!
Worth Repeating Commentary
- "We have centrally located kiosks for all personal activities. Employees are expected to keep personal information off company devices at all times"
- "You must assume that any device can and will be compromised including phones"
- "In our firm, information security is a line of business and before a device of any type is issued the user must have a sponsor for the device, go through training, encrypt client data and sign an agreement to abide by policies"
- "We've had success teaming up with legal to create a questionnaire and agreement for mobile device use"
- "Our biggest issue is sensitive data being carried around on mobile devices, many of which are lost or stolen"
- "The blending of personal and business on a single device is our biggest cultural security issue"
- "We don't allow personal devices to connect to our network"
- "Investment traders push back on any restrictions because it hurts productivity"
- "We do allow personal devices on the network post signing a code of conduct agreement"
- "With the Droid you cannot enforce anything, so it is completely off our list"
- "With the new entitlement culture of younger employees, we are going to have to find a way to control the data and not the device"
- "Our biggest concern is mobile devices that browse unauthorized sites and pick up malware that is then brought into the network"
- "We need a process for both lost / stolen phones as well as departing employees; reclaiming data is becoming challenging"
- "We have a daily flogging for those who lost their Blackberrys"
- "We've standardized on Blackberry since only iPhones get stolen"
- "The key question: Do you spend time on education or enforcement?"
- "In our case PII must be on the device because connectivity is not guaranteed"
- "It's common to have employees forwarding their mail to their iPhone"
- "With the powerful apps available, smartphones are simply laptops being carried around in pockets"
- "We must embrace these devices as it is critical to productivity... it's coming and we cannot deny it"
- "Mobile devices pose even greater risks as we operate frequently in hostile countries"
- "Training is a condition of getting a device with a contract sign-off"
- "Our rule is lose one, we will replace it, lose two, buy it yourself"
- "We are in the relentless pursuit of managing reputational risk and mobile devices add even more complexity"
- "When we required passwords on all phones, we were accused of causing car accidents"