For all the attention that cybersecurity has gotten in the past couple of years, many companies have yet to build a comprehensive information security strategy. Instead, many corporate security efforts are fragmented and reactive, driven by events such as the SQL Slammer worm which, within minutes, caused massive slowdowns on the Internet. The person in the hot seat is frequently the CIO, who must absorb and act on the advice of his chief security officer, as well as translate that information into business terms more palatable to the executive board.
It's not an easy job, to say the least, and CIOs vary in their ability to pull it off, said Harry DeMaio, a former director in the information security practice at Deloitte & Touche LLP and a member of the board of directors at the SANS Institute, a security training group based in Bethesda, Md.
"I think CIOs are a mixed bag in how successfully they treat information security," he said. "The ones who look at their job as strategic to managing the information of the organization and can see the business implications of information security are doing it the way it should be done. But the techies that just throw software onto something or put up a firewall are only doing part of their job."
Gerard McCartney falls into the former role. As CIO of the Wharton School at the University of Pennsylvania in Philadelphia, McCartney looks at information security from a wider angle. "My job is looking at our data as a whole and viewing it in terms of business requirements. I need to ask, 'If our systems are vulnerable in any way, how will that impact our business?'"
This point of view is at odds with that of his security people, said McCartney. "To them, every piece of data is sacred."
For CIOs faced with a similar balancing act -- and who isn't? -- we offer the following advice on the essential issues CIOs need to understand about information security.
More isn't always better
"People can go overboard with security -- I've seen it time and time again," said Steve Crutchley, the chief security officer at 4Front Security Inc., a security service provider in Reston, Va. "They've spent all that money, and what have they got to show for it? You don't need overkill."
In other words, tailor your security coat to fit the business overall. McCartney goes by the "acceptable level of casualties" method, by which he throws a strong mantle of security around his absolutely essential data and provides less protection to what he calls "the frills." "If we can wait from a business point of view to recover that kind of data, we don't want to spend too much money ensuring the safety of frills," he said.
Pin security plans to a business-risk analysis
A good security plan starts with a risk analysis of a company's business processes, said Crutchley. "You need to manage the risk, and that means being able to understand where the vulnerable areas are." But Crutchley isn't referring to technical soft spots. He said that it is vital for CIOs to first understand where the business processes are most at risk and put security in place to protect those areas. "Security is a byproduct of a business, so you have to be able to plug security into the business processes and make it work," he said. "From a CIO point of view, you have to prove that you understand where the business risks are and can mitigate them."
Don't budget in a vacuum
It's a given: money will always be an issue for IT executives, who must deal with the often-harsh reality of running what many business folks view as a cost center. But according to Steve Akridge, a partner at T3I Inc., an information security consulting firm in Atlanta, too many CIOs treat security spending arbitrarily. "You need to have a dedicated part of the budget for information security, and you need to respect that," he said. Moreover, CIOs need to base that number on some form of reality. "Nobody has a magic formula for determining appropriate security spending," Akridge said, "but throwing 2% into the budget for security and assuming that will be adequate doesn't work either."
Learn to work harmoniously together
Information security professionals generally work within the IS department, but that doesn't mean that they work together harmoniously. Rather, "there seems to be a lot of adversarial attitudes from the IT department when the security guys come in," said Akridge. "Because the CIO is so focused on overall IT production issues, such as keeping [the] data center running, they are often in direct conflict with what the information security practitioners are trying to do. The CIO will want to do something to enhance operations and the infosec guy will say, 'Wait; maybe we need to study this a little more.'" What both sides need to understand, said Akridge, is that they are on the same team. "Information security wants to help, not hinder."
Have the right people
In tough times like these, IS folks wear a lot of hats. So it's not at all unusual for a network administrator to devote 80% of his time to that task, while 20% is devoted to security. Trouble is, that represents a conflict of interest, said Akridge. "The system administrator is production-oriented, while information security is about data protection. They'll follow their first instinct when issues come up, and that could cause problems," he said. Information security is more than applying a patch or tuning a firewall, and smart organizations will recognize that by encouraging IS staffers to get additional training or security certifications.
Finally, the best thing that CIOs can do is take off the rose-colored spectacles. "Stop believing it can't happen to me," said Akridge. It can, and most likely, it will. So the best defense is to plan ahead. "By knowing what they'll do when the inevitable breach happens, CIOs can save time and money."
This was first published in February 2003