chief information security officer at PayPal
With more than 5,000 employees, there's a lot of perception to manage, and with 143 million user accounts worldwide, there's a lot of data to protect. Barrett and his staff of 30 must keep tabs on what information employees are accessing and use audit controls to track what they do. Every quarter, Barrett gets a list of users who have access to PayPal's systems, and every quarter he sends a report to the company's managers to ensure that each of the users listed still requires access. Anyone who's no longer with the company gets scrubbed from the list.
Of course, it's unrealistic to think that any CISO can drive a company's risk level to zero. "It's not good to reach for your tin-foil helmet and become completely paranoid," Barrett says. CISOs must know how to identify risks and prioritize resources, he adds, "and you have to be able to revise the plan as you go along."