Enterprise Security Program Challenges and Learnings

Puneet Kukreja

Managers may speak in broad terms about the need for security policies and procedures – but when it comes time to pay for them, they can become a hard sell in complex organisations with multiple customers and competing interests.

Such was the experience of Puneet Kukreja, executive advisor of security advisory firm Affirm Risk, during more than two and a half years he previously spent as an agency security advisor and enterprise architect with Victorian government shared-services organisation CeniTex.

“Eight months into the program they realised they had ignored information security,” Kukreja told the audience at the recent CSO-NetIQ Agile Security breakfast. “They realised that they couldn’t do it as part of the desktop upgrade, the platform implementation or the network upgrade – and it needs to have a consistency across all of them.”

This led the organisation to act to lay down a formal security program that would, in keeping with CeniTex’s mission to commoditise technology services across state-government organisations, apply broadly across 15 government departments.

The program combined best practice in enterprise security controls, system security plans, an accreditation framework, security governance, technology risk management and continuous control monitoring – and it quickly created a morass of security regulations that all but overwhelmed the CeniTex team’s efforts at consistency.

“We had PCI, ISO 27001, CoBIT, ISM, and other guidance to manage,” Kukreja said. “If you combine those with local security, regulations and so on, we had over 1100 controls from go to whoa. As a service provider, we were queried to provide a position on every one of them.”

Interestingly, only about one-third of that volume were security controls; the rest were management controls, reflecting the highly proceduralised environment in which CeniTex was operating.

The predominance of management rather than technical controls often conflicted with the need to implement a unified security framework delivering the identified security controls.

Since back-end security technology lacked high visibility amongst department managers, CeniTex often found itself encountering resistance. Those managers expected certain levels of security to meet their own objectives, but were often less than happy when they were presented with the bill.

“Risk and process maturity was the hardest thing,” Kukreja explained. “In establishing a Security Operations Centre, for example, they might say ‘we’ve already got a security operations team’. You’d spend three months creating a process – a security centre, or a security incident management process, say – and they would ask ‘what did I get [for my money]?’”

“We might have spent three months creating a process around a security centre and response to an incident, but – because people weren’t seeing a particular device or gateway spam solution implemented – the challenge was to tell them there was a process tying these things together.”

Overcoming this resistance required ongoing work in stakeholder education – for example, showing decision makers the logs that were being generated and that could support departments’ fraud analysis later on. “It was all about taking people on a journey to demonstrate the value of the operations,” Kukreja said. “The process might say which part of your organisation had a risk exposure, but that systemic risk might not be technical.”

“For us it was about meeting different levels and maturity of customer demand, but there was no way a one-size-fits-all approach would work; we had 15 customers with 15 different risk values and 15 different risk budgets.”

Ultimately, Kukreja said, the team learned that the best way to promote security consistency was to sell the value of information security in terms of business risk. This helped convey the importance of a baseline security service – and the value of paying CeniTex for it – with add-ons that could address specific needs for an additional charge.

“It started as a cost saving exercise to improve standardisation and competitive advantage – but these costs had never been documented before,” Kukreja said. “People were comparing the service we were looking to design and build from the ground up, to the cost of the service from an established cloud services provider.”

This presented problems in selling the value – but careful discussions with stakeholders highlighted the importance of a broad, consistent security platform.

“The service we were presenting was a lot more expensive because of the setup costs,” Kukreja said, “and once the businesses realised what the cost of security was, there was a period of healthy negotiations. In the end, moving forward was all about healthy customer engagement.”


Stories by David Braue
