Why Information Security Languishes, Part 1
By Jim Anderson
This subject has been simmering for a long time, but the events of the unfolding economic crisis, and the many colleagues and acquaintances in the industry who have suffered substantially in their efforts to advance information security within their organizations, have prompted me to organize my thoughts in this area.
The bottom line is that almost no one is seeing their security program thrive, in the sense of growth and extension toward well-documented objectives. In fact, many if not most security leaders I've talked to have suffered cuts to their program as economic chaos took hold in the spring of 2008. Since then, flat or down has been the norm. If security is really important to the future, then what are we to make of this general trend of leaving its resource levels flat? The answers are complex and reflect developing external influences as well as some underachievement by industry practitioners.
Symptoms: a number of programs exist on paper but have not been candidly maintained and kept up to date in the way originally envisioned. Examples include business continuity planning, global organizational penetration testing, and review of organizational access privileges. Other initiatives have languished and failed to get off the ground: PKI, two-factor authentication, IDS and IPS, global desktop security, protection of mobile devices, and so on. In those cases where a portion of the program has taken flight and reached toward its potential, oftentimes leaders go back to their offices and say "we were lucky."
Of course, the inevitable external influences include such things as lower overall IT spending, economic downturn, hiring freezes, and escalating health care costs that crowd out other budget lines. However, it should be noted that lots of other programs and major investments within the organization have survived the economic dislocations and continue to thrive. My argument is that security has languished primarily because it has failed to become aligned with the business, in the sense of being part of the top-line revenue story and the value proposition to customers.
How do you know when your security program is aligned in the way I am describing? There is a tendency to recall the saying of Supreme Court Justice Potter Stewart when asked to define pornography. He replied, "I can't define it but I know it when I see it." The same may be true of information security alignment. But let's provide a couple of indicators of probable alignment with the enterprise top line and its customers.
First, do customers ask about your information security? Do sales reps approach you to talk to XYZ customer as part of the customer sell cycle or product renewal decision? Is there a defined set of information security functionality and value within the products which suggests that there is a value proposition to the security components of the products or services? Is information security a defined part of the product development cycle? In other words, is there a required set of assumptions and security requirements that must be present -- or else marked "not applicable" -- in every product specification? Is the same true for project specifications? Is information security a part of your contract with customers?
Of course, if the information security product business is your primary business, then your task is somewhat different: usually in this situation the information security functionality is entirely outside of the traditional infosec program definition and operates as an independent entity with only the slightest collaboration. Here the infosec leader has the most challenging task in growing information security, because all of the alignment has been detached and moved to other parts of the company, leaving you with only the part that is internal and cost driven.
Going from zero to well aligned is usually a huge challenge. A number of obstacles stand in your way: cultural resistance; lack of knowledge of products and customers within the infosec function; CIO reluctance to allow direct contact between security and key customer-facing departments; turf issues; and so on. And of course, in times of shrinking overall budgets and the attendant "zero sum" mentality that pervades larger organizations, any new initiative is likely to be resented. However, you do have several options for establishing security as a key part of the customer relationship and the value proposition of the products.
In part two of this blog we will discuss how to transform your information security program from traditionally cost driven to a state of high alignment with the products and customers of the organization. We'll provide some strategies and approaches to beginning the transformation, reasonable objectives, and a discussion of how this change is interrelated with the overall maturity of the information security function.
Perilous times for security to suffer from underinvestment, given that the indications are that state-sponsored cyber attacks are going to increase and that the first major data breach due to mobile devices is anticipated in 2011. Looking forward to reading the alignment entry.