Like a lot of other security professionals these days, Mike Hager, security chief at OppenheimerFunds Distributor in New York, is under excruciating pressure to provide top-notch protection of data, ensure privacy and manage user access — all on a drum-tight budget. He also needs to justify all project costs and results to top management.
Knowing this, Hager says he doesn't try to sell a security project unless he can first explain its value in terms the business side understands. The best method is to show a reduced cost of administering security, which IT managers say is the only way to demonstrate return on security spending.
"Show me the money" is something of a new commandment for security professionals long accustomed to concerning themselves more with passwords than with payback projections. But fortunately, there are proven steps that security managers can take to get their networks and systems ready for future security investments that could yield a positive return. There's also a spate of new products aimed at reducing security overhead costs. Using the two together, there's hope for beleaguered security professionals seeking to quantify the positive results of their work and show where and how it adds value to the business.
Know your business
"You can get value from security programs if you map your technical measures to your business needs," says Steve Hunt, an analyst at Giga Information Group (US). But, he adds, "unfortunately, over 30% of all IT security spending is poorly focused and ineffective by best-practices criteria." Mail servers are a prime example, Hunt says. "If the mail server goes down, the response team goes to Defcon 5, the highest and most expensive security response," he explains. "But in many cases, the business manager says . . . 'Ho-hum, maybe now I can get some real work done.' "
The lesson: Know what's critical to the business and adjust security accordingly. "If you've got systems that are really critical to a business process, [and] you know where your most proprietary secrets are, then you know where to prioritise [security] money and allocations," says Charles Neal, vice president of managed security services at Exodus, a subsidiary of Cable & Wireless Internet Services, in New York. "For other systems, it may not be a catastrophe if someone broke in, so you spend less."
Locating risk-sensitive data and systems also means building alliances with business managers. Motorola does this by placing an IT security officer in each of the company's six business units to represent the business requirements to the IT team and vice versa.
"The job of our business unit security officers is to adapt, refine and deal with the implications that support the critical priorities of the business, while following our corporate policies and standards for enterprise-level technologies," says Chief Information Security Officer Bill Boni.
By blending business requirements with best practices, the security team can establish rules-based security standards for operating systems and platforms. This way, IT organisations can better target security spending, including training dollars, for secure systems administration, says Boni. These operational standards should include specific instructions for where and what to patch, which services to disable or leave on, which operating systems to harden, which types of systems to allow on the network, and where to implement additional security capabilities, such as row-level encryption or public-key infrastructure.
Standards-setting is especially important in mergers. "We're taking the best of policies and standards for each company and coming up with new policies, and then setting operational security standards as part of the autobuild procedures for each new system that gets deployed," says Pat Hymes, manager of corporate information security engineering at Wachovia Corp., a North Carolina-based financial services firm that merged with First Union Corp. in September.
Standardising security rules can reduce the cost of providing secure configurations to other IT departments, Hymes notes, because it requires IT groups to "bake-in security in products and processes at the onset, rather than repair after the fact."
In May, the Hoover Project, a research arm of @Stake Inc., a Massachusetts-based security company, released the results of a quantitative study that rated the cost savings of pre-engineered security against post-deployment security repairs. Forty-five homegrown and commercial applications were tested. "If you build in security during the design phase of your applications, you can reduce your risk by 80% and achieve rework savings of 21%," says Andrew Jaquith, Hoover's program director.
Assess, benchmark, and then count the savings
Knowing whether established standards are being met is where the process can become more technical. Consider Motorola's ambitious goal of aligning standard build features with audit compliance. Boni is automating this task with the help of a vulnerability scanning tool called FoundScan from Foundstone in California. Like many assessment tools, FoundScan reports on the state of security throughout the network and sends alerts when something falls out of specification.
For benchmarking, the best type of assessment products or services would be those that adapt to the corporation's own security standards, send notification when corporate policy has been violated and provide audit reports that can be used to show security effectiveness. Corporate boards and regulators are beginning to require all three, according to Michael Ressler, director of security services at Predictive Systems, a network security consulting company in New York.
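The three properties just listed (a tool that encodes the company's own standard, flags out-of-spec hosts, and produces an audit report) are easy to see in miniature. The following is an added illustration, not code from the article and not part of FoundScan, IP360 or any other product named here: it encodes one constructed operational standard of the kind described earlier (required patches, services to disable, hardening settings), audits a constructed scanner inventory against it, and returns both an audit summary and the high-severity findings that would trigger an alert. The platform names, patch identifiers and hosts are placeholders.

```python
"""Baseline compliance checker: compare observed host configuration
against an operational security standard and report deviations.

Added example (not from the article or any vendor product). The
baseline, host inventory, rule names and severities are constructed
illustrations, not values taken from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str   # "high" findings trigger an alert
    detail: str


# Constructed operational standard for one platform ("linux-web").
BASELINE = {
    "linux-web": {
        "required_patches": {"KB-EX-1001", "KB-EX-1002"},   # placeholder ids
        "services_disabled": {"telnet", "rsh", "ftp"},
        "services_allowed": {"sshd", "httpd", "ntpd", "syslogd"},
        "min_password_length": 12,
        "disk_encryption_required": True,
    },
}

# Constructed inventory, shaped the way a scanner might report it.
HOSTS = [
    {"name": "web-01", "platform": "linux-web",
     "patches": {"KB-EX-1001", "KB-EX-1002"},
     "running_services": {"sshd", "httpd", "ntpd", "syslogd"},
     "password_min_length": 14, "disk_encrypted": True},
    {"name": "web-02", "platform": "linux-web",
     "patches": {"KB-EX-1001"},
     "running_services": {"sshd", "httpd", "telnet", "cupsd"},
     "password_min_length": 8, "disk_encrypted": False},
    {"name": "legacy-07", "platform": "hpux-batch",   # no standard defined
     "patches": set(), "running_services": set(),
     "password_min_length": 6, "disk_encrypted": False},
]


def audit_host(host, baseline=BASELINE):
    """Return the Findings for one host; an empty list means compliant."""
    std = baseline.get(host["platform"])
    if std is None:
        # A system with no build standard is itself a gap: it cannot be benchmarked.
        return [Finding(host["name"], "no-standard", "high",
                        f"no baseline defined for platform {host['platform']!r}")]
    name = host["name"]
    findings = []
    for patch in sorted(std["required_patches"] - host["patches"]):
        findings.append(Finding(name, "missing-patch", "high", patch))
    for svc in sorted(std["services_disabled"] & host["running_services"]):
        findings.append(Finding(name, "forbidden-service", "high", svc))
    unlisted = host["running_services"] - std["services_allowed"] - std["services_disabled"]
    for svc in sorted(unlisted):
        findings.append(Finding(name, "unlisted-service", "medium", svc))
    if host["password_min_length"] < std["min_password_length"]:
        findings.append(Finding(name, "weak-password-policy", "medium",
                                f"{host['password_min_length']} < {std['min_password_length']}"))
    if std["disk_encryption_required"] and not host["disk_encrypted"]:
        findings.append(Finding(name, "disk-not-encrypted", "high",
                                "full-disk encryption absent"))
    return findings


def audit_report(hosts=HOSTS, baseline=BASELINE):
    """Audit every host; return a summary usable for an audit report and for alerting."""
    all_findings = [f for h in hosts for f in audit_host(h, baseline)]
    noncompliant = {f.host for f in all_findings}
    compliant = [h["name"] for h in hosts if h["name"] not in noncompliant]
    return {
        "total_hosts": len(hosts),
        "compliant_hosts": compliant,
        "compliance_pct": round(100 * len(compliant) / len(hosts), 1) if hosts else 0.0,
        "findings": all_findings,
        "alerts": [f for f in all_findings if f.severity == "high"],
    }


if __name__ == "__main__":
    report = audit_report()
    print(f"{report['compliance_pct']}% of {report['total_hosts']} hosts compliant")
    for f in report["findings"]:
        flag = "ALERT " if f.severity == "high" else "      "
        print(f"{flag}{f.host:10} {f.rule:22} {f.detail}")
```

The design choice worth noting is that a host whose platform has no standard at all is reported as a high-severity finding rather than silently skipped: a benchmark can only show effectiveness for systems the standard actually covers, so coverage gaps belong in the audit report alongside configuration drift.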
Since assessing the network manually with internal staff is financially prohibitive, the products are easily cost-justifiable. For example, John Shields, senior vice president of e-business at Patelco Credit Union in San Francisco, says IP360, a tool from nCircle Network Security in San Francisco, costs him $US50,000 per year. That's $US100,000 less than he would have spent on the manpower to do the same tasks. And Motorola is paying tens of thousands of dollars per year instead of millions for its perimeter assessments alone, says Boni.
But technology doesn't fully gauge the effectiveness of policies as they pertain to people and processes. For this reason, Giga has launched an assessment service called the Security Action ReportCard, which is suitable only for large organisations. The Giga service goes beyond technical assessment programs to assess people and processes, compare them to industry best practices, and map security measures to business requirements to help achieve better cost-effectiveness.
Don't go it alone
There are many other vendor services coming to market to help IT managers reduce administrative overhead for current security processes. For example, managed security services provided by outsourcers are saving some midsize companies up to 80% of what it would cost to monitor security events in-house. New forms of middleware are also springing up to consolidate security report information from intrusion-detection, antivirus and firewall sensors to offer better response and correlation. And larger vendors, such as Symantec, are cobbling together suites with central management interfaces.
The bottom line: "The reality in business is budget," says Gartner Inc. analyst John Pescatore. And that goes for security as well.
"Security has to help the company make more money by supporting business processes, instead of just preventing bad things that could happen," Pescatore says. "So good security officers usually have good security organisations, even if they're spending less than industry average."
Getting the Best Bang for Your Security Buck
Do a risk analysis: Know where your most proprietary secrets are to ensure that you're spending money to defend information that really matters to the business.
Take advantage of your size: Leverage purchases with vendors by standardising and buying products and services in bulk.
Assure quality: Set and align security configuration policies, then audit compliance.
Don't build a security empire: Share security responsibility -- and expenses -- with business units, other IT departments and auditors.
Avoid duplication: Merge multiple security management control networks into one.
Cross-train: Have incident response teams learn firewall administration and other skills they can use between incidents.
Source: Charles Neal, vice president of managed security services at Exodus Communications, a subsidiary of Cable & Wireless Internet Services in Santa Clara, California.
Additional Online Resources:
Cambridge, Mass.-based Giga Information Group Inc.'s Security Action ReportCard: www.gigaweb.com/mktg/sarc/default.asp
The Center for Internet Security: www.cisecurity.org
Carlsbad, California-based Computer Economics Inc.: www.computereconomics.com