Last April, Donald Cantwell, vice president of I.T. for the New York City School Construction Authority (NYCSCA), witnessed one of a CIO’s worst security frights: An employee caused a breach that had criminal implications.
One of Cantwell’s employees was indicted on charges of identity theft. A 27-year-old programmer, who had written the agency’s HR applications, was caught in a police sting after authorities alleged that he stole and sold the names, addresses, phone and Social Security numbers from the personnel files of 76 NYCSCA employees.
If there was a silver lining it was that the incident gave us the opportunity to review everyone who had remote access, and [that] caused us to tighten our security practices,” says Cantwell.
The review led to action. To prevent another breach immediately following the sting, Cantwell and his staff brought down the agency’s remote access servers. Once they rebuilt the servers, they also had to re-enable remote workers so that they could again log in to the systems. During the two days it took IT to clean up the mess, remote employees couldn’t access systems. And after the problem was allegedly rectified, employees remained uneasy about the privacy of their personal information.
As a result of the incident, Cantwell was able to push through a number of security policies he had on the table when he joined NYCSCA in June 2001 and continues to evaluate others. He’s instituted password policies and rules for systems access. NYCSCA now strictly limits employees’ and contractors’ access to information based on their function in the organization. For example, a field engineer can still access an application that manages construction in the field to submit a request to pay a vendor, but she can’t initiate a new contract with a vendor in that system. Cantwell is evaluating access controls on legacy systems applications so that he can set up audit trails that will track when someone uses a system or accesses information he shouldn’t. And this summer Cantwell hired a senior security officer to head up info security efforts.
Notably, Cantwell has not rushed out and spent a bundle from his limited security budget on new security technologies in response to the incident (though he does plan to invest in key fobs for remote employees). Instead, he prefers to focus his security efforts and his spending on policy. “If you have no policy, you have no place to start [your security strategy],” he says.
That emphasis on setting up employee policies and systems access controls is unusual among IT executives. A security spending survey of 276 IT and business executives conducted by CIO last April and May confirms that companies spend more on technology than they do on IT security staff or on administrative moves such as setting policies for e-mail use. Indeed, most of the 11 IT executives interviewed for this article allocate the bulk of their spending to technology products.
It turns out that, according to our survey, organizations with a chief security officer (CSO) or a dedicated security team tend to spend more on technology, policy, staffing and education to mitigate their risks than companies that don’t have an individual dedicated to information security. Arguably, those companies with dedicated security staff are more aware of security threats and better positioned to combat breaches and viruses.
This is not to say that security-savvy CIOs all have hired a CSO; indeed, 53 percent of our survey respondents haven’t added one to their staff. (For more survey results, see www2.cio.com/research and the charts located in this article.)
But what clearly comes through in research and interviews is this: CIOs are saying that while they will continue to invest in security technologies, it’s time to raise the profile of people in IT security. There needs to be an emphasis on leadership, as well as leading-edge tech, and time and money spent on staff to both set up access controls and educate colleagues about security threats and their consequences.
Security Bedrock: Systems Usage Policies and Employee Education
In our CIO survey, spending on IT security takes $8.40 out of every $100 in an average organization’s IT budget. While technology products get the biggest share (42 percent) of CIOs’ wallet for security, these products by themselves can fail to prevent the little accidents that can turn into big headaches.
That’s why IT executives stress the importance of setting up systems usage policies and educating employees about both them and about threats that crop up.
The CIO at an IT, engineering and logistics consulting company in Alexandria, Va., tells the story of how, in spite of all his fancy firewalls and antivirus software, a virus managed to squeak through, infect an employee’s computer, and put gray hairs on the head of the employee who lost data and on the heads of the IT staff who spent hours attempting to reconstitute it. The CIO estimates that the cost of the incident in terms of staff time, lost productivity and damages is between $2,000 and $3,000 because it affected only one user’s computer.
“During the ’I Love You’ virus, we had a guy in the company who’s very jealous wife went into their AOL account and saw an ’I Love You’ message. She called him up and asked him about the message. He went into AOL and opened it. Fortunately, it did not infect the rest of our systems. It just screwed up his machine,” says the CIO, who asked not to be identified by name.
In retrospect, the CIO realizes that the incident could have been avoided if he had tightened his systems access policies and regularly spoken to the organization about new viruses. “If we are going to get better, we have to learn from mistakes like that. We have to come up with policies for employees about what to do and what not to do when they get a virus.”
NYCSCA’s Cantwell agrees that policies are the foundation for good security. The budget-strapped CIO knows that while policies can’t prevent internal and external hacks, they can make employees accountable for their actions and delineate potential penalties if they don’t treat confidential information with care. “We have a rigorous policy that requires internal and external people to sign for the fact that they’re getting access to confidential data and acknowledge that they have to protect it. That won’t stop [every in-house breach], but at least they know the rights, duties and responsibilities they have with regards to [handling] this information,” Cantwell says.
Even companies that spend heavily on technology realize that they need to devote more attention to policy and education.
Cheryl Bertrand, CIO and vice president of IT at Seattle-based Text100, a $33.7 million global high-tech public relations company, has invested heavily during the past year in building up her company’s security infrastructure along with its global networking capability. She has invested in VPN firewalls, intrusion detection systems, content filters and key fobs (a security token the size and shape of a credit card that hangs off a key and issues a numerical ID that changes frequently). Now, Bertrand says, she sees a need to focus on policies, procedures and education.
“Since our global network is such a new thing for the company, it’s important that we have proper access policies in place?establish permissions, policies for adds and deletes, and normal code-of-conduct procedures for using the network,” says Bertrand.
Deborah P. Close, CIO of the Doris Duke Charitable Foundation in Hillsboro, N.J., also plans to increase her emphasis on security policies. While Close’s security budget contracts by 3 percent during the next year as she moves from spending mode into maintenance mode, she still intends to allocate 10 percent more of her reduced security budget in 2003 toward establishing policies for password management, procedures for dealing with viruses, and security education for the entire staff of the $1.4 billion foundation. After all, dealing with viruses is a productivity killer for her staff, and the training will help users recognize potential viruses earlier.
But going too far, creating policies that are too restrictive, is a productivity killer too.
Steve Williams, CIO of $250 million retailer Mattress Giant in Addison, Texas, says that after a former employee disclosed confidential data when he went to work for a competitor, the first reaction by field management was to completely stop disseminating the information that the employee had stolen. The company reversed that course after changing the business processes that allowed that employee access to privileged information.
“To recoil and pull all the information away would have made the rest of the company in similar positions ineffective in their roles. The company would have lost a lot more money,” he says. Instead, Mattress Giant examined what legal recourse it could take in similar situations and made sure the ramifications of breaching the company’s confidentiality agreements were made clearer to employees, Williams adds.
An Argument for the CSO
These kinds of discussions about management approaches to security have led some companies to appoint a CSO or other person to lead IT security efforts.
Rod Hamilton, CIO of Hygeia, a privately held company based in Miami that provides services to health-care insurers and providers, is among the 28 percent of IT executives CIO surveyed who say with conviction that they are confident in their company’s security measures.
Much of Hamilton’s peace of mind comes from having appointed an information security chief who has many years of experience in the field. “It’s because of his presence that we’re able to handle things,” says Hamilton. The CIO adds that Hygeia’s security officer has raised the entire company’s awareness of the issue?to the point that information security is among the company’s top priorities?and has put technologies, policies and processes in place to keep sensitive information under lock and key.
Of the 276 companies surveyed, just under half (47 percent) have a point person such as a chief security officer in charge of their IT security efforts. These companies spend on average 15 percent of their IT security budget on staff (those without a CSO equivalent spent 6 percent of their IT security budget on staff, on average).
For Hygeia, “Our awareness of the threats we face is heightened by having [our CSO] present,” says Hamilton. (To be fair, Hamilton says the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, which will require Hygeia and other health-care companies to follow strict federal rules for protecting the privacy of patient data, is also driving the company’s vigilance about information security.)
If his security director should leave Hygeia?after all, his skills are in hot demand, a reason Hamilton declined to name him?Hamilton’s not going to start biting his nails unless he can’t find a ready replacement. “Once you have someone like that in your organization, it’s hard to get by without them,” he says. Hamilton says Hygeia’s contingency plan includes making sure his security chief thoroughly documented all of his work, having him perform some network penetration tests to identify any vulnerabilities and assigning his security director’s routine tasks to another employee. “If we couldn’t get somebody in quickly [to replace him], we would ask a third party to review our environment to make sure he hadn’t introduced any holes,” he adds.
Even so, appointing an IT security chief doesn’t remove the burden of authority from the CIO, according to the CIO survey: 64 percent of those IT executives who have named a security officer said their company’s CIO or CTO still retains the final say over IT security investments. Only one respondent said a CSO is in charge of such spending decisions. So, who is the boss of Hygeia’s CSO? Hamilton, of course.
Security Is Everyone’s Business
Not everyone buys the IT security chief argument, rejecting the idea of appointing one person to lead the corporate information security effort.
“Security should be the focus of every IT employee,” says Mattress Giant’s Williams, who manages a 17-person IT staff. “Every functional head in my IT department has a security role for their respective function. You put too many eggs in one basket when you have one person in charge of security,” he adds.
Text100’s Bertrand also makes security part of the job of everyone in her 12-person IT group. She says that each function in her IT department?applications, infrastructure and help desk?approach security from their own perspective.
Doris Duke’s Close has gone a step further and has hired an outside company to manage her organization’s VPN firewalls, content filter and intrusion detection system. She says it’s cheaper for her to outsource information security than hire full-time employees to manage it. “They’re basically my security department,” she says of her outsourcing partner, Square One of Holmdel, N.J.
CIOs who worry about losing control or authority if they dedicate a person or staff of people to security are missing the point?at least according to our survey findings, which suggest that that companies with a CSO or dedicated security staff may very well be better off.
The companies with someone overseeing the information security function spend slightly more of their IT budget on security, while spending less of that budget on outsourcing and consulting. Companies that have a CSO or equivalent reported spending an average of 9.2 percent on third-party services, while companies without a CSO spend 16.5 percent on security consulting and outsourcing. (The ratio on IT security staff spending flips; companies with a security chief spend an average of 15 percent of their budget on staff, while those without a security point person reported spending an average of 6 percent of their security budget on staff.)
Furthermore, organizations that don’t have a CSO or equivalent plan to increase their security spending on technology, education and policy more than those that do have a CSO, which suggests that they may be playing catch-up in areas that the CSO organizations have already made investments. Their plans to beef up their spending on technology also suggest that they rely on technology to do the work that people might otherwise do.
The bottom line? Security is an involved, full-time job, and therefore, you need a dedicated security staff to monitor incidents and develop and disseminate policies.
Al Garcia, vice president of IT for Comac, a $25 million marketing fulfillment company based in Milpitas, Calif., says that if you don’t have someone monitoring those systems, they’re useless. “If we buy tools, we need staffing. Looking at log files and incident reports can drive you nuts. You need two to three people in your organization to make sense of it,” he says.
Finally, having dedicated information security personnel doesn’t preclude the rest of your IT department and your entire organization from being vigilant about security.
Though no one (except possibly the CIO of the Department of Defense) has carte blanche over security spending these days, it’s still important to keep some guidelines for smart spending top of mind.
“There are a lot of tools out there, but are they the right tools for us? Will they do what we want?” asks Comac’s Garcia. “We have no fear of spending money, but we have to do it wisely,” he says. “Our smart money goes to ensuring we’re doing the basics properly: Do we have good firewalls, good antivirus software?”
For NYCSCA’s Cantwell, spending wisely also means focusing on the basics. He believes in evaluating processes before investing in fancy technologies. Recently, he had a situation where a colleague had allocated money for biometric security devices to safeguard laptops. As Cantwell looked at the security practices in that part of the organization, he noticed that there was widespread sharing of passwords, a glaring security gap. He vetoed the biometric system and tightened up password policies enterprisewide.
“I need to do the meat and potatoes first. It does no good to put two dead bolts on a door when the patio window is open,” Cantwell says.
So how do you know when you’re safe? Bertrand suggests doing a security audit, a process usually conducted by an independent company that evaluates an organization’s security measures?such as the configuration of firewalls, employee vigilance about security and systems administrators’ ability to identify an attack?and then recommends improvements. But even after you’ve hired the hackers and the consultants, you can’t become complacent. And few CIOs are. Just 2 percent, in fact, according to our survey. Even the CIOs who appear to be covering all their bases still say they’re at risk.
“I’d rather be of the mind-set that there is risk,” says Bertrand. “That keeps you sharper.”