On the train back from a meeting with the CISO of a major organisation I couldn’t help but ponder what advice I could provide to help solve a fundamental challenge that he and many of his respective peers seem to be facing: doing more with less under an increasingly bigger spotlight and communicating this in a relevant way to the rest of the business (something security seems to struggle with).
This is a major issue, he said. As the quantity and complexity of security threats increases, CISOs like him are being asked to deliver heightened levels of security using recession-bitten budgets – and be able to prove that security has been beefed up. He explained how he risks not being able to explain the department’s case and justify the right expenditure.
Many security departments, if they haven’t done so already, will have to accept a cut in their overall budgets, but in my opinion the glass isn’t necessarily half-empty. CISOs, and indeed other roles responsible for an organisation’s information security, need to make the CIO and the board aware that they deliver a vital function to the business that should not be recklessly cut.
This view is echoed in a research summary published by Gartner titled, Top-Five Issues and Research Agenda, 2009-2010: The Chief Information Security Officer. Foremost among the recommendations, according to the authors Jay Heiser and Tom Scholtz, is that CISOs need to find compelling ways to convince their respective CIOs, and executive-level sponsors, that information security is business-critical and a necessary investment.
With more and more CISOs reporting into, or sitting on the board (Forbes stated that in 2009 employment of CISOs increased by more than 50 per cent), it’s clear that demonstrating business value is becoming increasingly important. However, it’s also clear that it can be very tough for CISOs to demonstrate the value security brings to the business in terms of return on investment and real reduction in business risk. So what’s the solution?
One way is to quantify the potential costs of inadequate security and compliance defences in terms of compliance failure, downtime and disruption to business services or the costs associated with compromised data. There has been interesting press coverage in this area of late.
My colleagues at HP Labs are looking to go further with their research into ‘Security Analytics’. Through the use of economic and mathematical techniques combined with predictive modelling, the research claims that it’s possible to measure the effectiveness of an organisation’s security controls and therefore guide better investment by understanding the trade-offs. Needless to say, it makes for interesting reading and this will certainly be an area to watch.