Security is a collaborative effort

Kris Rowley, CISO, state of Vermont

It is imperative that a team approach be used to meet the security needs of state business, says Kris Rowley, CISO, state of Vermont.

Not all security solutions involve the use of expensive technologies. A valuable resource for security professionals is most likely sitting right in their department: the project management office.

As the economic downturn continues to have a significant impact on state governments, it is imperative that a team approach be used to meet the security needs of state business, as well as its citizens and customers. In hard times, IT tends to take the brunt of doing more with less. This has been reflected in numerous nationwide surveys that have been conducted over the past few years.

In the best of times, information security is often an IT afterthought. When budgets tighten and requirements for efficiencies and economies of scale heighten, security is often looked at as a frivolous expense. (Do we really need that employee training program or those encrypted USB drives?) However, as many states turn to consolidation efforts to function with the most efficiency at lower costs, it is essential that security be in the forefront of these efforts. Huge amounts of data, often contained in disparate systems, being consolidated into a centralized system is, potentially, an information security disaster looking for a place to happen. The CIA (confidentiality, integrity and availability) of data must be a top priority within project requirements.

Information security professionals need to approach the challenges of incorporating security into projects right from the beginning. This can be accomplished through a multilayered approach of working and communicating with all areas of the IT team. However, a good place to start is meeting with the project management office (PMO). In an enterprise environment, the project managers are the folks who are involved with all large projects state-wide. These teams can provide a wealth of knowledge, contact information and project detail. They are an indispensable asset for security professionals.

In discussions with the PMO, policy, regulations and other security requirements can be addressed up front. The “how” and “where” security should fit into a project can be determined in relation to the project phases. This approach will help to keep those doing the actual project work aware of security requirements and hold them accountable for addressing those requirements as the project moves forward.

A strong, collaborative relationship with the PMO has its own return on investment for the security team. Project managers know who is responsible for various aspects of a project. Having this information available saves the security professional vast amounts of time by removing the need to track people down only to find out that the individual isn't the person responsible for the project. High-level information allows the security professional the opportunity to judge when to join in meetings, what information to bring to the table, and what security needs have to be met at a particular phase in a project. The PMO can also advise security of any change in the project plan, scope or timeline. Information such as this may result in changes to the security plan and, thus, save time and energy spent by the security team.

Developing a good working relationship between security professionals and all IT teams is critical in securing the data that a state is charged with protecting. Best of all, it is very cost effective.
