For CIOs at entrepreneurial organizations, where information security policy often takes a back seat to the business at hand, the battle to build an information security program can be long and painful.
Consider the Millennium Challenge Corporation (MCC), a young, rapidly growing federal agency whose mission is largely to cut through red tape for countries seeking grants to combat poverty.
When CIO Dennis Lauer arrived in November 2007, MCC's information security program was as vulnerable as some of the countries it served. There was "almost zero" compliance with the security standards stipulated by the Federal Information Security Management Act (FISMA), which was designed to promote cost-effective, risk-based information security programs.
"From an IT perspective, lots of corners had been cut," Lauer said.
For example, the agency had no process for patching. There was no encryption on external hard drives, nor on laptops, and no secure network connectivity. Indeed, shortly after Lauer arrived, he received notice of 23 outstanding financial and FISMA audit findings that called out areas of noncompliance with federal laws and mandates.
In addition, MCC had missed a federal deadline requiring all government agencies to meet the Federal Desktop Core Configuration (FDCC), a standard for desktop computers.
Rapid growth was part of the problem. Originally conceived as a 50-person agency, MCC grew to more than 400 people in its first three years after it became clear the agency needed a lot more people on the ground. But without secure networks and reliable mobile devices, MCC people on the ground couldn't do their work. This was a costly problem, given they were highly paid people traveling to exotic places. "We weren't flying to Atlanta," Lauer said.
Vulnerability management product diagnoses the risk; now to convince the patient
According to Lauer, shoring up information security at MCC would take a $600,000 worldwide technology refresh, a comprehensive risk assessment, an outside consultant to ride herd on the outsourced IT operations, vulnerability scanning software, daily reports, an executive dashboard that converted risk metrics into big letter grades, and, oh yes, a very thick skin to protect from pushback and complaints.
Lauer recalls a late Friday-night meeting with the top management of the agency about five months after he arrived. By then, he had hired Iron Vine Security LLC and its president, William Geimer, to conduct a risk assessment (using nCircle IP360 risk management products).
"We had done some scanning and found some stuff that was scary," he said. He declined to specify the threat but said, "Let's just say, it made us nervous enough that we had to brief the CEO, the chief of staff and other key people that night."
"We were saying, 'Hey we gotta lock this thing down and there is going to be some pain,' because staff is used to working without a lot of constraints and security comes with hurdles, like encrypting, like two-factor authentication and some of the other U.S. government compliance we had to put in place," he recounted.
"Even in that room, even with the evidence we presented, there was mixed reaction -- 'Well, do we really need to do this?' Because we are a progressive, 'nonbureaucratic' agency, they were afraid we were becoming like everybody else and that this would slow down our ability to be lean and agile," Lauer said. "And they didn't want to do that. Essentially, we had to find a way to inject all of these rules without affecting our business model."
Building trust with the business
Lauer's challenge is actually the challenge of information security these days, according to security and risk management experts. Eric Maiwald, vice president and research director for Burton Group Inc.'s security and risk management strategies group, said security implementation cannot be done in a vacuum.
"Security for too long has ignored the business requirements in implementation," Maiwald said. "If business does not function, we have not done our job." The CIO's job, he said, is to accurately assess the risk to the business, present those risks in a manner the business can understand and let the business decide what to do about them.
The hallmark of an effective security organization, agreed Gartner Inc. analyst Paul Proctor, is how well it can communicate to senior management the overall current risk position of the organization.
Security professionals need operational metrics to help them do a better job, but Proctor said those metrics should not be used in executive communications. Instead, he laid out an approach that maps key risk indicators, or KRIs, to the business's key performance indicators, or KPIs, as an effective means of communicating how security contributes to business value (or losses). The objective is to show how and why security matters to what the business is doing.
From executive dashboards to outsourcer oversight
At MCC, Lauer had to negotiate with two constituencies: MCC management, which was worried that a rigorous information security program would undermine the organization's raison d'être (nonbureaucratic foreign aid), and Computer Sciences Corp. (CSC), the IT service provider responsible for MCC's IT operations.
First, he and Geimer conducted "very detailed briefings for almost every single member" of top management and every group in the agency, "to provide awareness of the threat and why we were doing what we were doing to mitigate it," he said. That effort took nearly eight months of weekly meetings with domestic staff and people overseas. "As a result, we really did not have a lot of resistance when we implemented our program," Lauer said.
One thing that helped was translating the security metrics collected by the scans and putting them on a dashboard for management. "I am not certain that all those metrics are 100% understood by everyone at the enterprise level, but at least they know the numbers should go down," said Geimer.
A "lucky" break was that MCC had already budgeted a worldwide technology refresh, which gave Lauer "the resources to actually touch every device." And touch they did, working many months to lock down the FDCC-compliant image that would go on every desktop and laptop, testing it in the lab and then verifying it with nCircle's configuration manager until it reached 97% compliance.
But the key to turning the security program around, Lauer said, was hiring an independent security firm to oversee operations run by CSC. "It is the single biggest thing we did."
Splitting out IT oversight is especially hard for government agencies, because acquiring services is a difficult, protracted process. "It is easier to just buy it all from one vendor." But in his view, IT operations providers will tell you what they want you to hear. "If you go to your operations contractor and ask, 'How are we doing on patching?' you might not get the same answer if you have an independent security person looking [at patching] through the security lens," he said.
He acknowledged that the process has been painful at times. "There has been some bantering, but it has been healthy and we have found a happy medium," he said.
When an "F" is a good grade
Where is MCC now? The scorecard Lauer derived from the nCircle metrics offers a range of grades, with 100 to 300 vulnerabilities earning an A, 300 to 600 a B and so on. The first scan of the IT systems in April 2008 showed an average vulnerability score per device of 27,719. "That is not on the grid," Lauer said -- indeed, it is far beyond the 1,320 score that earns an "F" grade. A year and a half later, progress is being made. "We are approaching just getting to the point where we are getting on the grid," he said.
But success is more than getting on the grid. Lauer said the trust he has built with agency management will help sell an upcoming enterprise content management project he is pursuing. "We will go through a large communication component early on, just as we did with security," he said. And he has become something of a go-to security person in government circles.
"A couple of agencies have contacted us because they are hearing we have a pretty robust IT security methodology, and they want to bring in the program as a best practice."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
This was first published in October 2009