How to Design a Security Strategy (and Why You Must)
Approaching senior executives and the board with a sound business plan and project roadmap for security significantly increases the odds of getting funding—and eliminating the frustration that comes with allocating money to ad hoc security efforts and achieving the predictable, lackluster results.
Thu, February 26, 2009
CIO — We often hear from CIOs who are frustrated by the amount of money they allocate to security projects and technology, compared to the results they achieve. In some cases, executives perceive that security seems to worsen even as spending increases. The reasons vary, but the root cause is usually the same: the lack of a well-designed, enterprise-wide security strategy.
Most organizations take a reactive approach to security, implementing point solutions in response to security threats or breaches. Such an approach is costly, and it results in a patchwork of solutions that paradoxically make the organization less secure.
What's needed is a comprehensive security strategy that clearly defines the current state of the security environment and aligns with business objectives for the next three years. Without it, the CIO won't be able to elevate security to the level of corporate strategy—where it belongs.
The first step in designing a security strategy is to understand the current state of the security environment. That may seem obvious, but many companies skip this critical step.
The "spider diagram" (Figure 1) shows the eight security functional areas (SFAs) that make up the security environment of an organization. To evaluate the current state of the environment, organizations must rate the level of security in each area, on a scale of 1 (manual processes, not integrated) to 5 (integrated, automated, optimized processes). This exercise will reveal the organization's security gaps and identify which are most critical. Focusing on these eight areas will enable the organization to address security proactively—the only way to gain control.
Many organizations approach security as a technical problem, installing firewalls, antivirus software, and other technology to defend against external threats. But research by PricewaterhouseCoopers (Global State of Information Security Survey 2008), in collaboration with CIO Magazine and CSO Magazine, and studies by others suggest that it's the insiders—the employees who have ready access to systems and sensitive information—who are responsible for the bulk of security problems. If employees are careless with customer data, share passwords or take home laptops filled with credit card numbers, the best technology in the world won't keep the organization secure.
This helps to explain why, despite spending millions of dollars on technology, many companies fail to create a secure environment. In focusing on technology, they neglect the people and processes that make the technology work—or render it irrelevant.
So education and awareness is a critical SFA, and in my experience, it's where organizations struggle the most. Too often companies fail to implement the security processes and training required to ensure that employees (especially employees outside the IT department) understand what they must do to keep the organization secure. Educating employees is effective, and it costs relatively little compared to the price tag for technology solutions (not to mention the fines and brand damage that result from security breaches).
Another area in which companies often fall short is security management. PwC research on the state of information security indicates that one of the key predictors of fewer breaches and less downtime is having security management at a senior level, usually a CISO or CSO. (The other key predictor is having a documented security strategy in place.) In organizations with major security problems, you'll often find a CSO who is accountable for security but may not have the necessary level of authority and/or responsibility to require employees to take the steps needed to maintain a secure workplace, such as changing their passwords each month.
By contrast, in companies with strong security environments, the CSO or other security officer has responsibility and authority for ensuring security, and the backing of a steering committee to enforce compliance with security rules. We recommend that this committee include the CIO, auditors, the leaders of all business units, and senior managers from IT, compliance, risk management, and other key functional areas, such as marketing and finance.
The steering committee should be involved in developing the security strategy as well as providing oversight, and it should help to foster education and awareness of security processes. The committee also can keep an eye on the "big picture" of security initiatives throughout the organization, and identify ways to streamline security efforts.
For instance, we have seen some clients approach SOX, HIPAA and PCI remediation as individual projects, even though the security requirements of the standards are largely the same. Integrating similar compliance processes can produce quick wins for an organization, in terms of enhanced security, reduced costs and increased efficiency.