Yet despite the spending, enterprises are still playing catch-up. As IT organizations master the security and management of one set of technologies, something disruptive and new always comes up, whether it's virtualization, cloud, the consumerization of IT purchasing or increased worker mobility. And it's this change that, if not properly managed, can create so many hazards for CIOs and their security teams.
A Proper Alignment
One of the best ways to ensure that enterprise technology doesn't rush past IT's ability to secure it is to keep business management and IT security management aligned.
One of the big reasons that business management and IT security remain misaligned, says Mike Rothman, president of independent research firm Securosis, is the lack of proper metrics available to measure the business impact of security activities. "That remains a huge gap. Business managers understand business metrics, and IT security—for better or for worse—doesn't lend itself to those business impact metrics. And there is the disconnect," Rothman says.
"In the last 10 years, we fought just to get the CISO recognized and have a seat at the table," says Tim McCreight, CISO for the government of Alberta. And although CISOs are more widely recognized now, they don't all have the same levels of influence. The position means different things in different organizations, and all those organizations are at different levels of security maturity. In some places, the CISO is buried deep in the management structure, while in others it's equivalent to a vice president and reports directly to the C-suite.
In too many organizations, decisions regarding new IT projects, application design and deployments, and procured services are made without getting any input from IT security groups. And when security is actually brought in, it's often toward the very end of the initiative, when it's too late to offer constructive advice or establish cost-effective security controls.
To improve his organization's ability to make smarter risk-based decisions, McCreight shifted Alberta's CISO role to that of a risk adviser to the business, not a service provider. For instance, a business manager recently asked McCreight to endorse the architecture for a new initiative.
"I said no, it's your architecture," he says.
Now, individual business unit owners accept the risk posture of their systems. How did McCreight get the organization to that point? It required that everyone speak the same language when discussing risk.
Something as seemingly simple as determining what low, medium and high levels of risk mean can in reality be incredibly complicated, because "acceptable risk" means different things to different people depending on their experience and personality. To get everyone aligned, McCreight assembled a team of subject-matter experts from various business units and management teams, including representatives from business continuity teams, IT teams and the ranks of project leaders. "We got everybody into a room, and they didn't come out until they determined their shared definition of high, medium and low risk—and they understood what the likelihood and impact [of a security event] meant to them," he says.