Chief information security officers have to get back to basics in order to cut their departmental costs, according to the ex-CISO at BP.
Paul Dorey, now director at the Security Faculty, which offers training and development to CISOs, acknowledged it was a “really difficult” time for information security professionals, who are faced with the challenge of fighting growing levels of data theft and malware, while having to cut their budgets.
Insider threats were also growing fast, particularly from disgruntled employees who had been made redundant, he said. Nearly two thirds of employees admitted to stealing information when they left their jobs, according to research he cited.
“We in the security industry have all been a bit lazy when the money is good. We implemented software and never used it, we even bought software and never implemented it,” he said, speaking to an audience of CISOs and CSOs at the Forrester EMEA Security Forum in London. “Now the money isn’t there and we have to be cleverer.”
CISOs needed to focus on efficiency, automating processes, standardising, and centralising wherever possible, he said. At the event, much of the focus of different speakers and delegates was on how to keep security strong in spite of tightening budgets.
“We have to make cuts and eliminate any overlap in our systems. Think about security software-as-a-service, avoiding all the infrastructure and server costs,” he said. Businesses could even consider free security software on the web, but they needed to be highly aware of legal issues, lack of support and concerns over manageability.
He added: “We have to focus on the important stuff. Do your security initiatives address the most important risks? Are you just reacting or are you thinking ahead? You need to put your energy into protecting the crown jewels, and let the other assets take more risk.”
CISOs would be wise to free space in their budgets by shifting non-security functions to other departments, he advised, such as addressing anyone who makes inappropriate use of the internet at work. “Is this more of an HR issue? Probably.”
It was vital for CISOs to link their work to the chief executive’s overall strategy, so “you can show you’re making a difference”.
“If you don’t know the CEO’s priorities, you have to ask them. It’s in the CEO’s interests, they don’t want to be running blind – and if you don’t address that you know who will get the blame: you.”
There are many ways IT – outside of security – is cutting costs, he said, “but most increase your security workload”. These included virtualising servers, offshoring, moving to open source, consolidating suppliers and infrastructure, and moving to cloud computing.
Among all the cost cutting, businesses needed to be very wary of outsourcing security itself, he told Computerworld UK. “People are the rarest resource and you need them well trained.
“There are some security aspects that could be outsourced, but you absolutely must not be doing the type of outsourcing where you blindly throw it over the edge and leave it to someone else to sort out. The accountability for security rests firmly with you.”