ISACA member Mark Coderre, CISM, CRISC, head of enterprise information security architecture for Aetna, recently received a CSO40 Award, which recognizes projects that delivered outstanding business value in 2013.
We chatted with Mark to learn more about his project and to get his perspective on the changing world of cybersecurity.
ISACA: Congratulations on winning the CSO40 Award! Describe Aetna’s project and your role with it.
Mark: The project goal was to streamline global security governance through codified risk assessments and controls for each market Aetna is expanding to. I was the project sponsor and one of the stakeholders.
ISACA: What were the outcomes of the project?
Mark: For global compliance:
- Identification of relevant laws, regulations and guidelines
- Extraction of IT controls
- Mapping into control standards
- Translation to eGRC consumable format (repository)
- Process development
For global risk assessments:
- Risk assessments per country (IT operations)
- Risk-based IT control extraction and mapping
- Process development
ISACA: What advice would you give to other companies looking to conduct a similar initiative?
Mark: Start by understanding the engagement model. Who influences and who leverages this information? Then instrument that engagement model in an eGRC platform for workflow and auditability. Now you are positioned to leverage that information in your IT delivery-governance function and have very crisp data to support any red flags on software releases. This supports mature, repeatable, security-project governance.
ISACA: Do you use COBIT at Aetna?
Mark: Aetna’s Internal Audit function leverages COBIT as a reference standard.
ISACA: You are at the front lines of the evolving cybersecurity landscape. What are some of the biggest challenges facing enterprises today?
Mark: New types of IT—cloud offerings, mobile devices and social networking. When those paradigms combine you have new channels that require new control implementations or cause you to rethink policies, education and data-risk classification.
ISACA: You are a bronze-level ISACA member (member for three to four years) and you hold both the CISM and CRISC certifications. How has ISACA membership and/or certification benefited you in your career?
Mark: These certifications are important not just for what they represent on your professional profile, but that you uphold a common set of principles and language that improves the profession and its ability to protect business, people and supply chains.
The most important thing we can do as security professionals is engage on standards that allow us to quickly compare risks and interoperate at a technical level. I also firmly believe in the sharing of “indicators of threat” and identity ecosystems as laid out in the US Presidential Directive for a National Strategy for Trusted Identities in Cyberspace (NSTIC). These both leverage network effect to amplify detective and preventative controls across industries.