For all the gains that have been made in raising awareness within Canadian organizations of their vulnerability to security gaps, many companies are still unable to determine where their greatest risks are and lack the ability to determine whether or not their security budget is being spent in the right places or is providing any value.
Security has been identified as a top priority in recent surveys of CIOs, and even among the CEOs to whom they report, but even with that heightened sensitivity, a majority of Canadian companies continue to make minimal or misguided efforts to deploy security solutions. Faced with a lack of resources, skills and budget, companies are simply choosing not to take a sophisticated approach to security but rather to implement solutions that they think will keep their organization ‘safe enough’. This is a short-sighted and ill-informed mindset which is leaving many organizations vulnerable to security threats that can have a serious if not debilitating impact on a company’s ability to operate. And ironically, it often results in wasted resources.
In this challenging situation, there is a real opportunity for CIOs to enhance the value that they provide to their organizations and to improve the return on investment in security systems by taking a leadership role in moving their organizations to a holistic view of security.
lack of a holistic approach
Unfortunately, many organizations do not take a very strategic or holistic view toward their own protection. Most companies focus almost all of their resources on ensuring availability – keeping their boxes up and running.
The right resource mix needs to address confidentiality, integrity and availability – the three pillars of a sound information security strategy. If you are not anticipating what’s coming next, the devices that you are keeping up and available are only protecting you against yesterday’s threats.
The questions that aren’t being asked often enough include:
– How does an organization measure its return on investment when it launches a security project?
– How does it gauge success?
– Has the expenditure on technology or on a governance framework provided the organization with the benefits that were originally desired at the beginning of the engagement process?
Of course you can’t answer the latter questions without first being able to answer the first. You can’t determine if your implementation is successful and is providing value to the organization unless you have a system for measuring and analyzing all the elements of your security strategy.
Therefore, the first step is to build a strategy that makes it clear that security is a priority. Doing that requires putting appropriate resources into data analysis, which also provides the tangible business benefit of revealing your true total cost of ownership. That information further enables you to make informed business decisions.
a false sense of security
Today, however, a more typical scenario would be a company which has not invested at all in security policy or standards simply deciding that it is going to buy technology to fix its problem. It might invest hundreds of thousands or even millions of dollars in infrastructure and desktop security products, with little ability to integrate those products or provide a complete picture of security within the enterprise. Inevitably, when various worms or malicious-code attacks hit, these organizations will find that they have invested all of their project funding in the implementation of the technology, assuming that the technology would largely take care of itself. What’s missing, of course, is a serious commitment to organization-wide policies or standards that would enable an effective response when they were attacked. Instead, they end up with a false sense of security because of their significant investment in infrastructure and in various devices.
Without the proper link to sophisticated analytics to help recognize the nature of the threats and prioritize the risks, and lacking the proper policies and standards to maintain the integrity of the system, the eventual result is damaging breaches. When such breakdowns occur, the view at the corporate level is that the investment in security infrastructure has brought little or no value to the organization.
role of the chief security officer
A more effective approach is to undertake a governance assessment of all the stakeholders, including those who are responsible for the infrastructure, and those who are responsible for setting security policy, communicating that policy and ensuring compliance with that policy.
Flowing out of this kind of scenario, there is a significant emerging trend toward the creation of the role of Chief Information Security Officer or Chief Security Officer, who has accountability for bringing a holistic view of security programs across the enterprise. This individual doesn’t have a functional view but rather takes a horizontal view and oversees the people with functional vertical views who are responsible for their specific components, such as perimeter security. The Chief Security Officer is responsible for integrating those components, presenting a horizontal view of organizational security to the board, the executive and all other stakeholders.
It’s important that these Chief Security Officers bring all stakeholders to the table, including those responsible for physical security of a plant or site, to get buy-in to a structured governance model that takes a holistic approach to security issues at the enterprise level and that will bring demonstrable value to the organization. This is not just a CIO view but needs to include every stakeholder that touches an aspect of security, including legal, human resources, physical security and even strategic vendors.
Once an organization has this structure, it has the pieces in place to build an expanded business model that can detail the true cost of ownership of security systems and the true return on investment so it can now properly prioritize threats.
making informed security investments
The role of the Chief Security Officer is only now emerging. Today, most of the information discussed here about creating a holistic strategy sits with the CIO. Rather than view this changing landscape as a threat, I think there is a huge opportunity for CIOs.
If you are not in a position, from a data analytics standpoint, to understand where your most active threats are coming from and to differentiate between script kiddies and the real bad guys, and if your department can’t profile attack sequences and give you data visualization that enables you to understand who is attacking you, then you are nowhere near being able to determine whether your security dollars are being well spent.
In Canada, many organizations are flying blind in terms of their security analysis; they simply don’t know what they don’t know. Once you’ve got that total cost of ownership view, you can make informed investments and prioritize strategically.
What we are seeing is that once an organization understands its total cost of ownership, understands its priorities and understands its threats and risks, it often asks itself whether it can do both the analytics and the management of perimeter network security as well as an outside partner could. Most don’t lack the infrastructure investment, but do come up short when it comes to identifying and implementing good governance policies and standards and overall security health within their organizations.
This raises the issue of constrained resources and access to staff with the right skills, although again that can be greatly affected by a lack of measurement or analysis. It may not be that the resources are insufficient, just that they are improperly allocated. Typically the CIO is focused on perimeter security, protecting the networks from intrusion, and the technologies that protect infrastructure at the gateway level. The overall cost of this effort is driving the business decision-makers to ask: is this core to my business? Do I have an adequate budget assigned to do this work and drive real benefits such as increased security and faster reaction times to threats, viruses, and worms? Again though, without the analytics to provide the total cost of ownership and ROI, it’s impossible to make that business judgement.
So, while much of the discussion around technology security focuses on whether an organization has invested enough and built enough of a security infrastructure, the bigger issue that hasn’t been as well addressed is whether those security investments are providing any kind of return and whether they are mitigating the most likely and imminent threats.
As any CIO knows, the threat remains very real and is, in fact, a sleeping giant within many Canadian organizations.
addressing the key issues
Against this backdrop, what can CIOs do to address the resources, skills and cost issues to ensure their organizations are secure and protected from possible security breaches? They can stop reacting to security threats by ‘running in place’.
Businesses now face more multifaceted threats and external issues – worldwide political events, growing regulatory requirements, and a continuous barrage of attacks. Brand risk can be significant, and security has become a major topic of concern, and yet most enterprises today are ill-equipped to fight the daily onslaught of security threats. A band-aid approach is no longer sufficient.
Like a homeowner who hires a security company to monitor his home without addressing the fundamentals, such as installing more deadbolts, companies that lack a strategic, enterprise-wide security strategy and architecture are and will remain vulnerable.
The solution is for enterprises to go on the offensive to combat the whole new generation of security threats that extend well beyond computer networks. Security today transcends spam, viruses and firewalls to include an entire organization and much of its ecosystem of partnerships and relationships – from the network to the workforce, and from the workplace to the supply chain. Strategic approaches to security must be holistic, embedded across an organization and protect all points of vulnerability.
The logical person to be at the centre of this offensive – this drive to a strategic, holistic strategy – is the CIO.
Michael Small is National Practice Executive, Security and Privacy, for IBM Global Services, Canada. Based in Toronto, he can be reached at firstname.lastname@example.org.