Managers may speak in broad terms about the need for security policies and procedures – but when it comes time to pay for them, they can become a hard sell in complex organisations with multiple customers and competing interests.
Such was the experience of Puneet Kukreja, executive advisor of security advisory firm Affirm Risk, during more than two and a half years he previously spent as an agency security advisor and enterprise architect with Victorian government shared-services organisation CeniTex.
“Eight months into the program they realised they had ignored information security,” Kukreja told the audience at the recent CSO-NetIQ Agile Security breakfast. “They realised that they couldn’t do it as part of the desktop upgrade, the platform implementation or the network upgrade – and it needs to have a consistency across all of them.”
This led the organisation to act to lay down a formal security program that would, in keeping with CeniTex’s mission to commoditise technology services across state-government organisations, apply broadly across 15 government departments.
The program combined best practice in enterprise security controls, system security plans, an accreditation framework, security governance, technology risk management and continuous control monitoring – and it quickly created a morass of security regulations that all but overwhelmed the CeniTex team’s efforts at consistency.
“We had PCI, ISO 27001, CoBIT, ISM, and other guidance to manage,” Kukreja said. “If you combine those with local security, regulations and so on, we had over 1100 controls from go to whoa. As a service provider, we were queried to provide a position on every one of them.”
Interestingly, only about one-third of that volume were security controls; the rest were management controls, reflecting the highly proceduralised environment in which CeniTex was operating.
The predominance of management rather than technical controls often conflicted with the need to implement a unified security framework delivering the identified security controls.
Since back-end security technology lacked high visibility amongst department managers, CeniTex often found itself encountering resistance. Those managers expected certain levels of security to meet their own objectives, but were often less than happy when they were presented with the bill.
“Risk and process maturity was the hardest thing,” Kukreja explained. “In establishing a Security Operations Centre, for example, they might say ‘we’ve already got a security operations team’. You’d spend three months creating a process – a security centre, or a security incident management process, say – and they would ask ‘what did I get [for my money]?’”
“We might have spent three months creating a process around a security centre and response to an incident, but – because people weren’t seeing a particular device or gateway spam solution implemented – the challenge was to tell them there was a process tying these things together.”
Overcoming this resistance required ongoing work in stakeholder education – for example, showing decision makers the logs that were generated, and could help in departments’ fraud analysis later on. “It was all about taking people on a journey to demonstrate the value of the operations,” Kukreja said. “The process might say which part of your organisation had a risk exposure, but that systemic risk might not be technical.”
“For us it was about meeting different levels and maturity of customer demand, but there was no way a one-size-fits-all approach would work; we had 15 customers with 15 different risk values and 15 different risk budgets.”
Ultimately, Kukreja said, the team learned that the best way to promote security consistency was to sell the value of information security in terms of business risk. This helped convey the importance of a baseline security service – and the value of paying CeniTex for it – with add-ons that could address specific needs for an additional charge.
“It started as a cost saving exercise to improve standardisation and competitive advantage – but these costs had never been documented before,” Kukreja said. “People were comparing the service we were looking to design and build from the ground up, to the cost of the service from an established cloud services provider.”
This presented problems in selling the value – but careful discussions with stakeholders highlighted the importance of a broad, consistent security platform.
“The service we were presenting was a lot more expensive because of the setup costs,” Kukreja said, “and once the businesses realised what the cost of security was, there was a period of healthy negotiations. In the end, moving forward was all about healthy customer engagement.”