Recommendations from the Security for Business Innovation Council
In the current economic climate, enterprises are taking a hard look at their spending, including investments in information security. As budgets tighten, many security programs will be expected to achieve more with less.
But even in the best of times, every security team should be continuously striving to run a tight ship. Enabling business innovation requires building the business case for security expenditures, using resources wisely, and achieving efficiencies so you have more to invest in strategic endeavors. The following recommendations are based on a recent report from the Security for Business Innovation Council, a roundtable of leading information security executives that is sponsored by RSA, The Security Division of EMC.
Prioritize based on risk/reward tradeoffs
The demands on security programs are not letting up. In an environment where budgetary and staffing pressures are coupled with heightened regulatory requirements and threats, knowing how to prioritize is key. By focusing on both the potential risk and reward, security teams can align resources to business needs. Making good risk/reward decisions takes an understanding of the business objectives and the ability to quantify risks and rewards. Says Andreas Wuchner, Head of IT Risk Management, Security, and Compliance at Novartis, "If you have a good risk overview and know which business processes are critical, which roles, data assets, or systems are important, then you can say, for example, 'Okay, I have my top 10 priority business processes, and these are the IT systems supporting them.' And if you have this full picture, when you are under budget pressures, you can prioritize the list of projects to reduce the risks to the business."
Match the right person to the right job
"A key job of a chief information security officer (CISO) is security capability management, i.e., getting the right person in the right job," says Dr. Paul Dorey, Director, CSO Confidential, and former Vice President of Digital Security and Chief Information Security Officer at BP. "A mature program balances self-assessment and self-help, support from full-time security specialists and contractors, and also uses third-party consultants. And a CISO needs to do that in a proportion appropriate to the workload and fixed plus variable cost requirements. The reason that you use the security specialists, in my view, is to focus on those assignments with the greatest risk and also the greatest innovation."
A company that augments its internal team with contractors and/or consultants should not assign those individuals to major new projects. The inside team is probably a better choice as they have enough knowledge about the business to make well-informed decisions and will be less likely to make costly mistakes or slow things down. Also, remember that consultants who work on a new project will take any project or business knowledge with them when they leave, resulting in a costly loss for your team.
A potentially cost-effective way of resourcing security is to distribute and decentralize security capabilities. Make sure that key personnel (such as network administrators, application developers, and system architects) are trained in security. Then find others in the organization who, although not full-time security practitioners, have an aptitude and an interest in security. You may be able to work with HR to provide them with incentives such as recognition or bonuses. Some tasks may even be managed by line-of-business personnel, supported by the right tools, training, and standards.
Build repeatable processes
By driving efforts to rationalize processes and toolsets, the security team can help the enterprise become much more productive. Some areas are considered "low-hanging fruit" for easily gaining efficiencies, such as identity and access management. Does every division really need, for example, a different ID admin request mechanism or a different privileged access management system?
Another key strategy is to leverage resources that are already available in the enterprise such as security information and event management or change management systems. Often tools like these are acquired as a point solution, but their use can be extended more broadly and provide value beyond the original purpose. Says Roland Cloutier, Vice President and Chief Security Officer at EMC, "You need to take a productivity angle to information security rather than a pure controls angle. Then the trick is to take what you save and throw it into further investments to help you get even more efficient in other places. A key point is: don't reinvent the wheel. There are incredible opportunities throughout a company to leverage assets from other groups to reduce the cost of ensuring the protection of information. That may be from IT, audit, or the finance group. Spend the time looking at what's already been done rather than just going and doing it again. Then trust and use the information from your internal partners."
Create an optimal shared-cost strategy
Costs for security are often shared between the centralized enterprise security organization and the business units and departments that need to protect their information assets. The cost-sharing formula varies from one enterprise to the next, but the objective is to make sure that spending aligns with objectives and needs, and that there is accountability and transparency. It is important to have a standardized method—both for determining risk and budgeting for the necessary controls—that works within your organization's cost-accounting structure and collaboration model.
In the experience of Dr. Claudia Natanson, Chief Information Security Officer at Diageo, "The groundwork is getting people to come to the table to agree on a common problem and how each area would benefit from a common solution. And that is often very challenging, but it's worth the time up-front." Continues Natanson, "Before you even tackle the problem, have a cross-functional forum where you get together your main stakeholders and get buy-in, so that going forward you have a common understanding and an agreement about how to leverage things like economies of scale, which clearly is going to help you in discussions about pricing and resourcing."
Security can enable everything from advanced supply chains to collaborative workspaces, through expertly managing the risks to information. So even against the backdrop of an economic downturn, security organizations need to drive fast and forward in making security more strategic to business innovation. Central to this mission will be the ability to identify the right priorities and make every investment count. Otherwise, the wrong projects will be funded while business-critical efforts languish. Top security professionals recommend a laser-like focus on the risk-reward equation in order to build the most efficient and cost-effective security programs possible.