
What defines a mature IT security operation?

Opinion

Jun 15, 2015 | 5 mins

Internet Security, Network Security, Security

Hint: The answer does not relate to the amount of money you spend.


RSA recently published its inaugural and aptly named Cybersecurity Poverty Index. The study is based on self-assessments by organizations that compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that it matches what I see in the field every day.

It would appear that the lack of focus on information security is a top-down problem. TechDirt reported this week that the United States’ CIO ordered all government websites to implement SSL by the end of next year. SSL is not exactly a new idea, and yet the U.S. government is just now getting around to it, and may have it in place by next year, if the deadline does not get extended, and if they don’t deploy a vulnerable version of SSL/TLS. I have also spoken to a number of customers with known web application issues who just have not gotten around to fixing them. Folks, we have a problem.

The revelations above, along with the recent news about the government employee breach, made me wonder why corporate America is not fixing their cybersecurity problems. If I had a major revelation on this topic, I might be able to write a book and retire comfortably. I would offer, however, that part of the problem is simple and fundamental (there goes my book deal), stemming from the perception on the part of company management that good security requires the expenditure of large sums of money. As a result, some companies throw money at the problem, and don’t get the return they expect. Others decide they can’t spend the money, and hope becomes their security plan.

A few years ago, I managed security for a busy and highly regulated and audited credit bureau, with no recorded data breaches and a very modest security budget. What I have learned from experience is that good information security only has an indirect relationship to the amount of money spent. You can’t win by throwing money at it, any more than you can by ignoring it.

So, how can you have a secure operation without emptying the corporate bank account? It starts with good fundamentals, and a daily focus. The following are some of the elements:

Involvement by company leadership

Security maturity begins in the boardroom. Company management must acknowledge information security as a priority, and support the IT team in its implementation. While a fortune is not required, it isn’t free either, so they must come up with some money to address the issue.


Someone in charge

There must be someone, staff or service provider, with whom the IT security buck stops. This job is not a good candidate for shared responsibility, as it requires far too much focus. At present, this responsibility often falls on the IT head. Having been an IT head for many years myself, I recognize the futility of this approach. An IT director or VP must by definition be a generalist. Such a person cannot also be a security specialist.

A defined budget

While maturity is not defined by the size of the budget, the infosec budget must be segregated and kept discrete from overall IT expenditures. If it ever comes down to choosing between security and purchasing new laptops, security will always lose.

Good art work

By this I mean network and data flow diagrams that make clear how data moves through an organization. The importance of this cannot be overstated. I have been working this week with a PCI customer on a firewall review. I was struggling to get a clear picture of how their many firewalls fit into the operation, until they sent me their network diagrams, which I printed on large paper in full color. They answered more questions than would fit in 100 email messages.

One of the key principles of data protection is knowing what assets you have, and what they are worth. A picture in this case is truly worth a thousand words.

Tools that get used

Too often, we treat information security like the game “he who dies with the most toys, wins.” Beyond the basics like firewalls and anti-malware software, expensive tools are not essential. Such investments must be viewed as automating what can be done manually: when the tool becomes less expensive than the equivalent cost in staff hours, you buy the tool. Regardless of what tools you buy, however, they must get used. In a recent post, I mentioned the term “shelfware,” defined as security tools that sit on the shelf, or are not used to their full potential. If you buy it, get the full return on your investment.

Detailed recordkeeping and planning

At times, I think that terms like “incident response” and “incident management” scare people away unnecessarily. The basic concept is very simple: keep good records about what happens, and know in advance how you will deal with problems when they occur.

Testing, testing, and testing

Test your systems and applications, and keep testing them, even when nothing changes. Find your issues before a hacker does, and then fix them.

Involvement by everyone

Everyone in the organization must accept that their responsibilities include information security. It has been my experience that most employees, once someone explains the high stakes, will do their part. The few that won’t are a liability, and should be directed to alternate employment opportunities.

The bottom line — security maturity is not measured by the amount of money you spend, but by how well you handle the fundamentals. It is all about focus.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
