Herrod’s comments have been compiled from transcripts of Honeycomb Web conferences.
Chrisan Herrod accepted her position with the SEC in August 2003. She is responsible for implementing the SEC’s information security and IT business continuity programs and for the operational security of the SEC’s critical infrastructure.
Prior to her appointment at the SEC, she was with the National Defense University, Information Resource Management College, where she served as both Department Chair of the Information Operations and Assurance Department and as a Professor of Information Security.
Her previous information security experience includes Director of Global IT Security at GlaxoSmithKline (GSK), one of the world’s leading pharmaceutical companies, and Director of Information Security at Fannie Mae, a leading real estate financial institution. While at Fannie Mae she became involved in the White House-sponsored Partnership for Critical Infrastructure Security as the Information Sharing and Analysis Working Group Chair.
From 1993 to 1998 she was a senior civilian with the Department of Defense’s Information Security Program Office serving as Director of Plans, Policy and Resource Management and Director of IA Education, Training and Awareness. From 1988 to 1992, she was assigned to the White House Military Office, Office of Emergency Operations at the Defense Information Systems Agency. Ms. Herrod served as an active duty military intelligence officer in the US Army and retired as a Major, USAF Reserve.
Advice for information managers:
“The best advice I can give to anyone that has to worry about regulations and information management is to adopt a mentality where you are looking at an information management lifecycle for your organization. You shouldn’t look at it like a stovepiped function. Information is the most valuable piece of any corporation because today we live in an information-based economy. So you have to adopt the mentality that we are protecting information from a lifecycle management point of view.”
Implementing an IT compliance management program:
“In many cases the requirements differ from regulation to regulation, so [if you are unprepared] you’re in a constant audit management mode rather than getting your job done. The ideal situation would be to have a mechanism to collect evidence so that you could provide that to your auditors as they come through for various audits.”
Objectives for the future:
“For several companies that I have talked to, one of their objectives is to reduce their cycle time, to try to compress the schedule so they can be productive and work in their core mission area rather than having to take up a lot of resources to do compliance work. So it’s getting smarter in how you go about ensuring your audit/compliance strategies are in place and effective.”
Building a compliance culture:
“Once you have a culture built into your organization, a culture of understanding that every end user, every business owner, every C-level executive, every manager has a role in compliance, the more successful you’re going to be. You’re also going to be more successful if you have repeatable business processes in your organization built on a standard framework as it relates to information technology processes.”
Technology is not always the answer and it shouldn’t be the first step:
“I’m of the opinion that whatever makes your job easier you should utilise. In my view technology is not the sole answer to achieve compliance. Good processes are as, if not more, important. Technology can be a helpmate: the SEC is using software to help track internal compliance to Sarbanes-Oxley. But again, it shouldn’t be the sole approach to achieve compliance.”
Regulation is here to stay:
“It’s only going to become more of a jungle in terms of regulation.”
The three top things done by the SEC in the area of security:
“The SEC made a decision to implement an identity management system and revamp our access management processes around all of our applications. We also made a decision to implement a web based training and awareness programme that is mandatory for all our employees and contractors.”
What’s next for SOX:
“From my perspective one of the things is it’s going to be integrated as a philosophy into government compliance as well. I think you’re going to see both public and private sectors being held to similar standards. And I think also you’re going to see some clarity around some of the information technology controls, and I think that’s going to happen sooner rather than later.”