Don’t get snagged in the IT security "Poverty Trap"

Posted By George Hulme, Friday, October 26, 2012

Security professionals are always in need of more resources, but getting the necessary budget isn't easy. In his talk, "Social Engineering the Risk Hindbrain: How to Avoid Security Subsistence Syndrome," Andy Ellis, CSO at Akamai, proposed a different idea: get the budget to come to you.

When IT security teams operate without the right resources, they operate in what Ellis calls the security subsistence syndrome. "If one barely has enough resources to even cover their own ass, then they will do nothing but try to cover their own ass," Ellis said.

What security managers and CISOs need to do, argued Ellis, is to make it clear how security efforts provide value to the business. "Sometimes that value is very hard to quantify," he said. "But the reality is that security people often pay too much attention to technology, and not enough attention on how they can provide value to the business."

The battle for resources is won, or lost, by providing - and demonstrating - value to the business, he said. "The business will provide budget to where they know it will be put to the most effective use. When you ask for $100,000, that's a salesperson's salary. Is the business better off investing in a new security tool, or in someone who will bring revenue into the business," he said.

"CISOs often fail at messaging their value and frankly half of their projects aren't providing value," Ellis said, citing examples of persistently requesting additional funding for areas that were thought by executives to be previously handled, such as endless PCI DSS budget requests. "So when it comes time to allocate resources in the business where are they going to put it? They'll invest it in the people who have the most capability because they will turn it into the most value for the business," he said.

"Security professionals have been trained to go and ask for additional budget and how to effectively argue for more resources. But that's the wrong focus," he said. "What we should be doing is talking about how do we increase our capability. How do we actually do more with the same," he added.

This is certainly not an easy challenge to meet. What Ellis said he's accomplished at Akamai has been to switch the functional role of security from security implementer to that of security advisor and gatekeeper. So rather than the security group designing the security implementations for new products or services, it's up to the product architects to design security into their own applications. That means before the service or application goes live, it must be vetted by the security group, where it will receive a pass or fail grade.

This, says Ellis, shifts the onus onto the product team to implement a secure design, because they don't want the project halted or slowed down, and the associated embarrassment, by a failing security grade. "The concept is that security is a judge of risk management practices. We're not a judge of risk itself. So if you want to launch a product you only get one grade from us. We're going to give you a pass or a fail grade. And that grade, simply put, says 'Did the product manager or whoever owns this product understand the risks that they're exposing the business to, and are they making appropriate risk decisions with appropriate controls,'" he says. "Ultimately, that's what we want. We want them to understand and manage the risk on their own," he said.
