We often hear from CIOs who are frustrated by the amount of money they allocate to security projects and technology,compared to the results they achieve. In some cases, executives perceive that security seems to worsen even as spending increases. The reasons vary, but the root cause usually is the same: the lack of a well designed, enterprise-wide security strategy.
Most organizations take a reactive approach to security, implementing point solutions in response to security threats or breaches. Such an approach is costly, and it results in a patchwork of solutions that paradoxically make the organization less secure.
What's needed is a comprehensive security strategy that clearly defines the current state of the security environment and aligns with business objectives for the next three years. Without it, the CIO won't be able to elevate security to the level of corporate strategy—where it belongs.
The first step in designing a security strategy is to understand the current state of the security environment. That may seem obvious, but many companies skip this critical step.
The "spider diagram" (Figure 1) shows the eight security functional areas (SFAs) that make up the security environment of an organization. To evaluate the current state of the environment, organizations must rate the level of security in each area, on a scale of 1 (manual processes, not integrated) to 5 (integrated, automated, optimized processes). This exercise will reveal the organization's security gaps and identify which are most critical. Focusing on these eight areas will enable the organization to address security proactively—the only way to gain control.
Many organizations approach security as a technical problem, installing firewalls, antivirus software, and other technology to defend against external threats. But research by PricewaterhouseCoopers (Global State of Information Security Survey 2008), in collaboration with CIO Magazine and CSO Magazine, and studies by others suggest that it's the insiders—the employees who have ready access to systems and sensitive information—who are responsible for the bulk of security problems. If employees are careless with customer data, share passwords or take home laptops filled with credit card numbers, the best technology in the world won't keep the organization secure.
This helps to explain why, despite spending millions of dollars on technology, many companies fail to create a secure environment. In focusing on technology, they neglect the people and processes that make the technology work—or render it irrelevant.
So education and awareness is a critical SFA, and in my experience, it's where organizations struggle the most. Too often companies fail to implement the security processes and training required to ensure that employees (especially employees outside the IT department) understand what they must do to keep the organization secure. Educating employees is effective, and it costs relatively little compared to the price tag for technology solutions (not to mention the fines and brand damage that result from security breaches).
Another area in which companies often fall short is security management. PwC research on the state of information security indicates that one of the key predictors of fewer breaches and less downtime is having security management at a senior level, usually a CISO or CSO. (The other key predictor is having a documented security strategy in place.) In organizations with major security problems, you'll often find a CSO who is accountable for security but may not have the necessary level of authority and/or responsibility to require employees to take the steps needed to maintain a secure workplace, such as changing their passwords each month.
By contrast, in companies with strong security environments, the CSO or other security officer has responsibility and authority for ensuring security, and the backing of a steering committee to enforce compliance with security rules. We recommend that this committee include the CIO, auditors, the leaders of all business units, and senior managers from IT, compliance, risk management, and other key functional areas, such as marketing and finance.
The steering committee should be involved in developing the security strategy as well as providing oversight, and it should help to foster education and awareness of security processes. The committee also can keep an eye on the "big picture" of security initiatives throughout the organization, and identify ways to streamline security efforts.
For instance, we have seen some clients approach SOX, HIPAA and PCI remediation as individual projects, even though the security requirements of the standards are largely the same. Integrating similar compliance processes can produce quick wins for an organization, in terms of enhanced security, reduced costs and increased efficiency.
The next step is to define the projects required to achieve the target ratings over the next 12 months to three years. We've found it useful to develop a Gantt chart (Figure 3) that lists required security projects and indicates which have funding and support. The chart should include all potential security efforts, including those that may not be pursued because of resource constraints or competing priorities. Doing so makes it clear to senior management that all security needs were considered. It also may help to prevent recriminations later, if a problem arises because the company decided not to implement a particular project, based on a cost-benefit analysis.
The steering committee should review the Gantt chart to evaluate how each proposed project advances both the security agenda and the corporate strategy. If the alignment isn't clear, the project should not be approved.
The spider diagrams and Gantt chart capture the organization's strategy for security in three simple graphics. We suggest that CIOs bring these documents with them when presenting their case for the security strategy to the CEO. Together they provide a solid basis for discussion: The spider diagrams paint a clear picture of the current and desired security states. The Gantt chart shows how to reach the target destinations, and which projects have not yet been funded, opening the door to a productive discussion about priorities and tradeoffs.
The spider diagrams and Gantt chart should be updated quarterly by the CSO or other security officer, with the oversight of the steering committee. Quarterly reviews can help to identify major organizational changes so that the security ramifications can be addressed upfront, when it's less expensive and more effective to do so. For instance, many organizations will upgrade their SAP and Oracle systems in 2009, when new versions of those products are released. It will be far easier and less expensive to incorporate security features into such systems before they are installed than after they go live. (Time and again companies get this backwards—and pay the price.)
When CIOs approach senior executives and the board with a sound business plan and project roadmap for security, they significantly increase the odds of getting appropriate funding and support—and gaining recognition for the critical role of security in achieving the business strategy. And they eliminate the frustration that comes with allocating money to ad hoc security efforts and achieving the predictable, lackluster results.
Gary Loveland is a principal in PwC's Advisory group and has more than 22 years of information systems management and implementation experience. He is part of the Southern California Technology practice that includes Security, Data Management, IT Effectiveness, and Outsource Advisory Services. Gary has deep expertise in information technology, security, and risk management.