Some firms are finding unique ways to make sure their resources go to the right places, reports Angela Moscaritolo.

Faced with an exploding threat landscape, the rapid pace of technological innovation and ever-increasing compliance demands, the job of an information security professional is daunting at best. Add a still-struggling economy, tight budgets and thin workforces and it all adds up to a now well-known fact: security practitioners are facing greater pressure to do more with less.

To ensure their limited resources are being put in the right places, some security practitioners have adopted an approach dubbed “lean security.” A main focus of this approach involves cutting out activities and investments that do not provide value to the organization.

“Lean security is not about less money being spent,” says John Stewart, CSO of Cisco. “It is a change from our industry’s traditional approach – where each step solved a problem and added operational complexity – to an architectural approach where simplicity, effectiveness and [security that is] ‘designed-in’ are its pillars.”

At Cisco, Stewart says that he works hard to develop efficiency metrics that ensure that his team is appropriating technology to the most critical issues.

“I want to know the efficacy of what it is that we’re doing,” he says.

For example, he says he spent nine months convincing Sarbanes-Oxley auditors that he did not need to use intrusion detection systems that track incoming malicious traffic when most of his concern is focused on traffic leaving the organization – a sign of compromised machines.

“We need to look at making the most of our security dollar,” says Joshua Corman, research director of the enterprise security practice at technology analyst firm The 451 Group. “One of the challenges is that some mandatory [compliance-related] spending provides the least value-per-dollar based on real-world attacks and breach types.”

Knowing this, forward-thinking CISOs strive to pass compliance assessments as cheaply and easily as possible to liberate time and funds that could be used for efforts that provide a greater benefit to the organization, Corman says. While it is not a strategy he necessarily advocates, Corman says he knows of several “very sophisticated and savvy” CISOs who seek “disreputable, cheap, lazy” assessors for the fastest, easiest road to a passing audit.

On the other side of the spectrum, some CISOs find they can get benefits out of compliance-related activities by going above and beyond what is required.

For example, one of the common requirements included in the Payment Card Industry Data Security Standard, as well as other security rules, is that organizations have adequate log management controls. Those who strive for the minimum get a low-value log management product, but others satisfy the requirement by budgeting for a security information and event management (SIEM) tool. With the latter, organizations can get a security win – not just a compliance win, Corman says.

Tim McCreight (left), executive director of the corporate information security office of the Canadian province of Alberta, says  SIEM technologies can help improve security and provide cost-saving benefits. About a year ago, McCreight rolled out a SIEM platform, aggregating about 10 to 12 disparate log sources into one efficient repository.

The tool has provided greater visibility and insight into what is going on inside the network and IT systems, McCreight says. Moreover, it has prompted the security team to make changes that have reduced the amount of virus infections by about a third.

“We were able to do a mini-project to identify users who were elevating their privileges on PCs,” McCreight says. “The SIEM tool was able to pinpoint issues that helped give us ammunition for reducing the number of accounts with elevated privileges.”

When striving to make the most out of limited resources, some say “human capital” may provide the greatest return on investment.

McCreight recommends that security professionals expand their group of friends beyond the IT department to achieve the greatest overall risk reduction. After coming on board about a year-and-a-half ago to lead the government of Alberta’s information security management program, McCreight reached out to other security and risk professionals within government to find ways to mitigate risk for the entire organization, not just for IT.

The IT security team now meets with those in physical, financial and personnel security once a month to share information, he says.

“This has been a very successful part of the IT security program at the government, and one [strategy] that could be modeled for other companies,” McCreight says.

During one meeting, it was discovered that each team’s risk assessments were generally kept in ad-hoc Excel spreadsheets, McCreight says. To better use this data, the group purchased risk management software that aggregates information from all four teams and allows security personnel to assign risk levels to different parts of programs, systems or buildings. This way, teams know which areas of the organization pose the greatest threat when funds to reduce risk become available.

“We are never going to be 100 percent risk free,” he says. “I look at my role as identifying the risk, ensuring senior management knows what the risk is, and making sure we have reduced that risk as much as we can.”

[sidebar]

Metrics help: Decisions

Many experts agree that creating a clear set of metrics can help enable a security group to delineate risks.

“Without metrics, I find it hard to believe that a company can make the right investment decisions,” says Becky Swain (left), program manager of security assurance services at Cisco.

Often, though, defining what is most important to measure poses a challenge. Consequently, most organizations measure what is easy to calibrate – not what is important, says Joshua Corman, research director of the enterprise security practice at analyst firm The 451 Group.

Swain recommends security practitioners ensure the metrics they take will provide executive management the information they need to make risk-based decisions about where to invest money.

“You can’t employ security for the sake of security,” she says. “You should apply the right security, keeping in mind there may be a cost, but the benefit could outweigh the cost.” – Angela Moscaritolo