Security is a collaborative effort
Kris Rowley, CISO, state of Vermont
It is imperative that a team approach be used to meet the security needs of state business, says Kris Rowley, CISO, state of Vermont.
Not all security solutions involve the use of expensive technologies. A valuable resource for security professionals is most likely sitting right in their department: the project management office.
As the economic downturn continues to have a significant impact on state governments, it is imperative that a team approach be used to meet the security needs of state business, as well as its citizens and customers. In hard times, IT tends to take the brunt of doing more with less. This has been reflected in numerous nationwide surveys that have been conducted over the past few years.
In the best of times, information security is often an IT afterthought. When budgets tighten and requirements for efficiencies and economies of scale heighten, security is often looked at as a frivolous expense. (Do we really need that employee training program or those encrypted USB drives?) However, as many states turn to consolidation efforts to function with the most efficiency at lower costs, it is essential that security be in the forefront of these efforts. Huge amounts of data, often contained in disparate systems, being consolidated into a centralized system is, potentially, an information security disaster looking for a place to happen. The CIA (confidentiality, integrity and availability) of data must be a top priority within project requirements.
Information security professionals need to approach the challenges of incorporating security into projects right from the beginning. This can be accomplished through a multilayered approach of working and communicating with all areas of the IT team. However, a good place to start is meeting with the project management office (PMO). In an enterprise environment, the project managers are the folks who are involved with all large projects state-wide. These teams can provide a wealth of knowledge, contact information and project detail. They are an indispensible asset for security professionals.
In discussions with the PMO, policy, regulations and other security requirements can be addressed up front. The “how” and “where” security should fit into a project can be determined in relation to the project phases. This approach will help to keep those doing the actual project work aware of security requirements and hold them accountable for addressing those requirements as the project moves forward.
A strong, collaborative relationship with the PMO has its own return on investment for the security team. Project managers know who is responsible for various aspects of a project. Having this information available saves the security professional vast amounts of time by circumventing the need of tracking people down only to find out that individual isn't the person responsible for the project. High-level information allows the security professional the opportunity to judge when to join in meetings, what information to bring to the table, and what security needs have to be met at a particular phase in a project. The PMO can also advise security of any change in the project plan, scope or timeline. Information such as this may result in changes to the security plan and, thus, save time and energy spent by the security team.
Developing a good working relationship between security professionals and all IT teams is critical in securing the data that a state is charged with protecting. Best of all, it is very cost effective.