Best practices: Getting the most out of industry association memberships


Al Berg
07.20.2004


There are many information security associations competing for corporate membership dollars. Dues can be pricey, running as high as tens of thousands of dollars a year. With budgets under pressure from a slow economy, it may appear to be difficult to justify a large expenditure on this non-tangible item. However, when properly used, association memberships can have a positive return on security investment. In this column, we'll examine some best practices for choosing the right associations to join and getting the most benefit for the cost.

1. Understand the charter of the organization. There are different types of information security associations that a company can join. ISACs (Information Sharing and Analysis Centers) provide information feeds on risks, vulnerabilities and threats, as well as an anonymous reporting mechanism that allows members of an industry sector to share security information such as attack patterns and prevalence without exposing proprietary data. Other associations concentrate on sharing best practices amongst organizations, and prepare documents and tools to allow the improvement of security practices in a more general way. Within these broad categories, each association has unique characteristics. Some are geographically specialized, or concentrate on specific industries or segments. Others are made up of companies of specific sizes. You can see a list of some of the better known industry associations and their characteristics in this sidebar.



2. Understand the benefits of joining the association. Read the fine print, and make a list of the benefits (tangible and intangible) that you think your company is going to receive by writing that membership check. Discuss this list both with the membership folks at the association, and more importantly, with members who are in companies of similar size and/or industry.

3. Understand the obligations of membership. Membership in industry associations is a two-way street. Especially in the case of ISACs, the return on investment is directly dependent on member firms contributing information. Make sure management understands this concept and the steps taken to "sanitize" data sent to the ISAC, and buys into the benefits of sharing security data with other firms. In any case, don't overcommit. Joining too many industry associations will reduce the focus you can place on each one and in turn reduce the benefits you'll receive from membership.

4. Appoint a representative and a backup. Have someone in your company take responsibility for the relationship with the association. This person should be designated to receive all publications, newsletters and other membership materials, and should be the conduit through which communications from your company to the association are funneled. In addition to ensuring that someone in your company fully understands the benefits and obligations of membership, this also makes it easier to evaluate the value that the membership provides. You should also appoint a backup representative who can "fill in" in the absence of your primary representative. It is also important to ensure that the representative is clearly informed of the ground rules for sharing security information with other members of the group.

5. Participate in key events. Most of the major information security associations hold meetings, training sessions, webcasts, conference calls and other events during the year. In some cases the costs for attending these events are partially or completely included in the membership fee. These events can be the key to getting the most out of your membership and to determining return on investment. Make sure you account for any additional costs and out-of-office time that they require.

6. Re-evaluate your memberships yearly. Before you approve that renewal invoice for payment, it is important to sit down with the representatives you designated for the association and determine if it makes sense to continue participating for another year. The representatives should be able to provide examples of benefits that the company has received as a result of membership over the past year. Benefits that you might consider include:

  • Early warning of a new vulnerability allowing patches to be applied before a major attack was mounted.
  • Sample security policies and guides adapted for your company's use, thereby saving approximately $x in development costs.
  • Established contacts with other companies in your industry and shared information on attacks and threats.

One last best practice: Remember that "I got to go to the annual meeting in Hawaii" is not a company benefit!

Yes, the membership fees for some of these organizations are substantial. However, used wisely, the information and resources they offer can pay for themselves and offer a significant return on investment.

About the author
Al Berg, CISSP, is a technical director in the Corporate Information Security Department of a firm providing computer services to the financial services industry. Al has been in the information security industry for more than 10 years and has provided consulting services to major corporations and the U.S. Defense Department. Al has spoken at numerous industry conferences in the U.S. and Europe, and has published many articles on networking and security topics, including some in our sister publication Information Security magazine.


All Rights Reserved, Copyright 2003 - 2009, TechTarget