Driving Security Value and Innovation in Today’s Economy
Posted by Chris Zannetos - CEO on Wed, Feb 18, 2009
As reported in CSOonline, Art Coviello, the president of RSA, the security division of EMC, noted in his overview of RSA's research report "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy" that these are difficult times for IT security executives. Regulations that require organizations to implement strong access and compliance management controls are not being relaxed just because the world economy is in a recession. In fact, given the history of the US Congress, such regulations are likely to increase. Hacking, business espionage and the like aren't decreasing; they are increasing. So how can Chief Information Security Officers (CISOs) deliver on their responsibilities - and, dare we say, enable their businesses to be more successful - within current budgetary constraints?
Mr. Coviello offers some very sound advice to CISOs. Top of his list is "prioritize based on risk/reward". Underlying this and his other recommendations is a thought that is revolutionary for most IT security departments: that the security organization must mature from an insurance provider into a business enabler. Now, this is much easier said than done, of course (as my long-time CTO and co-founder Brian Milas is fond of saying: "If it was easy, everyone would be doing it!"). However, Mr. Coviello provides some pragmatic points of advice, to which I would add two:
- Communicate business value. Very clearly identify the impact of your security programs on the business in terms of business speed, revenue generation and cost savings. Do not shy away from identifying hard cost savings attainable by eliminating manual activities through automation of security functions that are required by today's business operations and regulations.
- Take a phased, portfolio approach. Do not approach your CIO and Executive Team with individual projects; rather, present a portfolio of projects/capabilities and their aggregate value to the organization, delivered in phases. A dirty little secret of our industry is that while many vendors try to convince practitioners that the world revolves around point solutions, CISOs are faced with protecting the company against a portfolio of risks.
And while some might try to convince practitioners that a monolithic stack helps them manage all the risks, 2009 is clearly the year of "incremental improvement over delayed or unattainable architectural perfection". CISOs need to create a portfolio of capabilities to manage risks effectively, that can be delivered and expanded over time.
By taking the portfolio approach and including the sort of projects that deliver clear cost-saving and business-agility value (such as automated provisioning) alongside security projects that protect the organization against difficult-to-define events of unknown probability, the CISO can build credibility and gain acceptance for his or her entire program. And by delivering "incremental progress" measured in business value, CISOs will create the credibility and political capital for the continuing rollout of their portfolio of security operations.