Jerry Sto. Tomas, Chief Information Security Officer at Allergan, discussed IT security and steps that organizations can take to bolster their security levels during his presentation at the 2015 Chief Information Officer Leadership Forum in Los Angeles on Feb. 10. In his presentation, Sto. Tomas noted that IT security controls must be aligned with an organization’s goals.
According to Sto. Tomas, a risk-based approach to IT security enables an organization to better understand dangers and eliminate these problems. He said that conducting internal architecture evaluations and performing due diligence on vendors is key for organizations of all sizes. Developing criteria to complete reviews is also important, Sto. Tomas said, and these guidelines should be updated periodically: “We do a risk-based approach in terms of if it’s highly critical we do an assessment once a year. If it’s not too critical, maybe once every two years, so there are really a lot of criteria happening on the back end.”
Educating different departments about IT security also enables an organization to protect its valuable data, Sto. Tomas said. If an organization can develop security processes that all of its employees follow, Sto. Tomas noted, it can take a risk-based approach to security issues: “At the end of the day it’s a risk-based approach. Strategically it’s a risk-based approach; you really need to look at each of the vendors; you really need to have security controls for each type and I think that’s at least your baseline.”