Khalid Kark with Jonathan Penn and Alissa Dill, Forrester: 2008 CISO Priorities, The right objectives but the wrong focus

April 2008 by Khalid Kark with Jonathan Penn and Alissa Dill, Forrester

There is a definite chasm between chief information security officers’ (CISOs’) priorities and their responsibilities. CISOs understand that their priorities need to align with business objectives, yet many of them remain focused on technology and operations. CISOs need to do more, incorporating business objectives into their efforts to manage information risk, achieve greater operational efficiencies, and bolster security awareness and training.

In a recent Forrester survey, information protection and information availability initiatives topped the list of CISO concerns for 2008 (see Figure 1). For many CISOs, these business priorities are now part of their core responsibilities and are forced to the top of their agendas by executive management.

CISOs Have The Right Business Priorities, With The Wrong Operational Focus

CISOs are getting their priorities aligned with the business, but many struggle to look at these problems from a business perspective. A majority of CISOs are still responsible for technical and infrastructure security and rely heavily on technology to solve all their issues (see Figure 2). They face challenges coordinating their efforts across business areas and find it hard to balance compliance and security responsibilities because:

CISOs continue to view data protection as a technology problem. A vast majority (81%) of security professionals identified data protection as important or very important for their organization in the next 12 months. For many CISOs, this means encrypting sensitive data or deploying information leak prevention technologies. They still ignore or de-emphasize the process and people elements of data security such as security awareness, monitoring, and auditing processes.

Business continuity and disaster recovery efforts are disconnected. Approximately 27% of enterprises don’t have a recovery site in the event of data center site failure, and 23% of enterprises never test their disaster recovery plans.[1] Even for organizations that do have decent disaster recovery capabilities, the challenge is to align them to business continuity capabilities. Both of these initiatives remain stovepiped. As a result, an organization may be able to guarantee that it could get critical servers up and running within 48 hours but may not know if there would be enough people to run them.

A lack of process controls hampers application security efforts. Security professionals grew up in the infrastructure world, and a majority of them struggle with application security controls. On the other hand, application developers are trained to develop applications quickly and with minimal performance degradation. To them, security controls slow the application development process as well as the actual performance of the application. Additionally, the application security teams don’t report directly to the security organizations, and many CISOs struggle to get application security processes established as part of an organization’s software development life cycle (SDLC).

Regulatory compliance focuses attention on dotting the i’s and crossing the t’s. Many organizations want to minimize their spending on compliance by meeting the letter of the law and fulfilling the bare-minimum requirements. This approach may prevent regulatory penalties in the short run but may prove detrimental to the security and privacy of the organization in the long run.

CISOs treat security awareness as a one-size-fits-all endeavor. One CISO confided that, on paper, 95% of his organization went through security awareness training in 2007; nonetheless, he was apprehensive about the state of security awareness within the organization. The reason was that awareness training consisted of the same 90-minute presentation that was conducted four times per year throughout the organization. Simply attending a generic security presentation counted as training, regardless of the attendees’ duties or their exposure to security risks. This example is representative of the state of security awareness in organizations today.

Vulnerability and threat management remain reactive. Security is starting to share its vulnerability management responsibilities with other parts of IT or outsource some of it. Yet threat management is still a huge gap in many organizations because security professionals view it as a purely operational activity and miss out on being proactive. As a result, vulnerability and threat management has stayed very reactive.

To succeed, start with the broader business context

Many specific security concerns could be tied together to address a business issue. Instead of looking at these as individual security projects, it’s best to view them as solving part of a bigger business-level problem for the organization. The three main issues that CISOs need to address are business alignment, operational efficiency, and training and awareness. These may not all be addressed in one year, but it’s important to frame them in a business context and define a multiyear strategy to address them through different security initiatives.

Execute On Business Priorities By Addressing Information Risk

A lot of security professionals are starting to keep tabs on business priorities. The real challenge is to incorporate those priorities into the security strategy and, more important, to execute on these priorities to address information risk. The most critical priorities for CISOs are to:

Ensure data protection for client and corporate data. For many business executives, their top priority is protecting customer data because, frankly, breaches are very costly. If you collect sensitive customer data, you’re bound by multiple regulatory, legal, and privacy requirements. In case of a data breach, you incur fines and large sums in identification, remediation, legal, and opportunity costs.[2] Many security professionals also underestimate the cost of corporate intellectual property breaches. It may not make the headlines, but it potentially has a catastrophic business impact.

Prepare and coordinate business resilience activities. Many CISOs view business continuity/disaster recovery (BC/DR) just in terms of physical crises: fires, floods, hurricanes, or terrorist attack. Yet other business interruptions, such as power outages, data security breaches, hardware or application failures, or even mergers and acquisitions, can be just as disruptive. You can have the best BC/DR plan, but it’s useless without preparation, planning, coordination, and effective response capabilities.[3]

Balance regulatory compliance requirements with security considerations. The misconception that compliance equals security has led organizations to spend excessively on regulatory compliance, sometimes at the detriment of security. The truth is that it’s possible to have excellent security and be noncompliant, and it’s possible to pass a compliance audit with flying colors and still have poor security. It’s the CISO’s responsibility to ensure that compliance initiatives take a holistic view by incorporating security and privacy requirements.

Develop operational efficiency where you get most bang for your buck

Operational efficiency is a laudable goal in general, but due to limited resources, CISOs should focus on areas that can give them the most visible results upfront. The areas that promise good return on investment (ROI) and streamlined processes within a reasonable time frame are:

Application security — taking care of a majority of your vulnerabilities. Symantec’s recent Internet Security Threat Report shows that 61% of all vulnerabilities discovered in the second half of 2007 were application related.[4] This requires a two-pronged approach: evaluate existing and legacy applications for vulnerabilities, and introduce application security processes at the beginning of the development life cycle. Doing the latter can provide up to 30x savings.[5]

Identity and access management — reducing excess privileges and lowering costs. Information security has been managing identities for many years; it has also been responsible for granting access to information resources. Only recently have these two disciplines intersected, where the CISO needs to know not only who was on the network, but when she was, what she did, and much more importantly, whether she was allowed to be there. Automating these tasks reduces human errors and saves a tremendous amount of time for the organization.[6]

Vulnerability management — scanning and patching systems. Keeping track of all information resources, scanning them for vulnerabilities, and ensuring that at least the critical assets are appropriately patched and sufficiently protected can be very tedious. This objective can be achieved by deploying a tool or outsourcing it, but make sure that you have regular scanning and established SLAs for vulnerability management.

Focus on employee training to strengthen the weakest link

Security awareness develops a first line of defense for the organization. It’s heartening to see security awareness appear on the CISO priority list for 2008. Many organizations are realizing that a majority of breaches occur because of people inside their firewall, but this isn’t just because of the actions of malicious insiders. Security training and awareness ties directly into the effectiveness of other security initiatives; it’s not an isolated endeavor. Developing an effective security awareness program significantly mitigates risk.[7] This is because:

Your personnel are a critical line of defense. Incident management equips the organization to deal with unforeseen events, so a lack of training will result in chaos and confusion at the time of security breaches. Executive management is not usually trained to coordinate and respond to security situations that may be out of the ordinary. Another factor that complicates security incident response is forensic and eDiscovery requirements; if you botch them, you may lose evidence or the data might be inadmissible in court. Lack of training also leads to unreported security incidents. Many people don’t know what types of activities should be viewed with suspicion, nor do they know whether or where to report such incidents.

Careless or inadvertent worker activity carries significant risks. We have all from time to time left things on subways, in taxis, or in public places. The stakes are multiplied as we carry more and more data on our mobile devices. Many CISOs struggle with stolen laptops, PDAs, and mobile phones that house sensitive corporate information. Many thefts can be avoided by training people to follow commonsense approaches such as putting their laptop in the trunk instead of leaving it in plain sight or keeping their laptop close as they check in at the ticketing counter. Similar training can be provided for data center employees with regard to physical access, and even regular users can learn to be vigilant in their surroundings.

Recommendations

Target your 2008 efforts on delivering demonstrable value

Alignment with business, protection of corporate and customer data, compliance, and BC/DR are not new initiatives for CISOs, so the 2008 priorities don’t herald radical changes. But they should remind us that we need to make and demonstrate greater progress on what we’re already doing. This means that you should:

Develop more comprehensive competencies. Many CISOs point to a lack of skilled people as one of their major issues.[8] As security threats become more sophisticated and the threat vectors become diverse, security organizations need to have competencies that are deep and wide. It’s not enough to have deep understanding of encryption technologies; you also need to understand the basics of human psychology to predict how people would try circumventing this control or how they could be tricked into giving away their passwords.

Brace for requests to tighten your belt. One large global organization challenges its IT staff to reduce IT operations expenses by 30% every year and use this amount for new tools and technologies. Expect to get similar targets for the information security group, especially if the economy continues to slow. Many CISOs are facing tough questions as they present justifications for security spending, and many others are being asked to look at options such as outsourcing for reduced costs and increased competencies.

Align security and compliance controls. Regulatory compliance does not equate to security; the trick is to balance both simultaneously. For example, if you’ll be encrypting credit card data for payment card industry (PCI) compliance, look at expanding this to cover personal information, healthcare information, or corporate intellectual property (IP) as well, so as to fulfill multiple regulatory, legal, and corporate requirements.

Look for product suites and one-stop shops. CISOs used to get excited by the coolest technology and a product with the most bells and whistles. Many have learned the hard way that those technologies typically don’t integrate well, and they end up with a hodgepodge of technologies and can’t take a holistic view of the security environment. As a result, many CISOs now prefer product suites and larger IT vendors for security tools and technologies.

Use metrics and dashboards for strategic decision-making. CISOs have been looking for a comprehensive dashboard and metrics tool for some time now because the sheer volume of data makes this task almost impossible to do manually. Finally, the vendors are beefing up their reporting and dashboarding capabilities and are providing open APIs and interfaces for others to connect and exchange information with their technologies. Also, a new breed of products is popping up that offers the capability to integrate information from different parts of your environment and provides you information that can help with strategic decision-making.[9]


[1] Source: Business Data Services Enterprise And SMB Hardware Survey, North America And Europe, Q3 2007.

[2] Trying to determine the cost of a data breach is no easy task. After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number. In reality, there are many different factors that should be part of the data breach cost calculation — and it’s about more than just losing money. Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization’s bottom line, especially if it is ill-prepared, and it’s important to be able to make an educated estimate of its cost. See the April 10, 2007, “Calculating The Cost Of A Security Breach” report.

[3] According to Forrester’s Business Technographics® May 2006 North American And European Enterprise Infrastructure And Data Center Survey, 56% of 1,017 IT decision-makers at North American and European enterprises said purchasing or upgrading disaster recovery capabilities is either a critical or important priority during the next 12 months. Investing in advanced recovery technologies and building or sourcing alternate data centers is one way to improve capabilities, particularly for disaster recovery, but in reality, most challenges related to disaster recovery and business continuity (BC) are based on process and procedure. Firms typically lack a centralized BC program office that enforces standards, consistency, and quality across a distributed organization or across hundreds of localized BC plans, and these plans are rarely, if ever, tested. To address these challenges, more firms are turning to Web-based software to transform their static BC plans from Word documents and Excel spreadsheets into a more mature BC program. See the May 30, 2007, “Market Overview: Business Continuity Planning Software” report.

[4] Source: “Symantec Internet Security Threat Report: Trends for January-June 07,” Volume XII, September 2007 (http://www.symantec.com/business/theme.jsp?themeid=threatreport).

[5] Organizations that develop applications in-house have to make a decision: you can wait until someone exploits a vulnerability in your system and then fix it, or you can proactively build security early on in your development process — mitigating vulnerabilities before attackers find them. A proactive application security program should extend to every relevant phase of the application life cycle, from conception to operation; program success hinges on commitment and support from executive management. Security personnel need to work with application owners and business stakeholders to prioritize resources and to ensure proper measures are implemented throughout the life cycle. See the August 14, 2007, “Managing Application Security From Beginning To End” report.

[6] For examples of how to justify investment in identity and access management products, see the October 22, 2002, “Justifying The 2003 IT Budget: Identity Management Brings Quantifiable ROI To Security” report.

[7] Organizations must take a structured approach to security awareness. For more information, see the December 23, 2005, “Five Steps To Effective Security Awareness” report.

[8] In a survey of 2,212 security decision-makers at North American and European companies, 55% rate “unavailability of people with the right skills” as a “challenging” or “very challenging” issue over the next 12 months. Source: Business Data Services Enterprise And SMB Security Survey, North America And Europe, Q3 2007.

[9] For additional information on the governance, risk, and compliance (GRC) platform market, see the August 7, 2006, “Overcoming Risk And Compliance Myopia” report.