IT IS A SUBTLE YET NOTEWORTHY DISTINCTION that Gary Swindon's job title reads "corporate" information security officer, and not "chief."
"As corporate ISO, I am responsible for security strategy, risk assessment, risk management and audit functions--things that are strategic in nature," says Swindon, who reports to the director of compliance and internal audit at Orlando Regional Healthcare, and not to the CIO. "If you're going to report to the CIO, then the job takes on the flavor of technical security rather than it being a business process."
Meet the new CISO, not quite the same as the old CISO.
This transition from operational security responsibilities to strategic ones resonates throughout the results of Information Security's 2006 Priorities Survey. Security organizations, driven by regulatory mandates, are segregating responsibilities and giving more attention to people and process issues.
"In a nutshell, security is now about risk management," says Ron Woerner, information security manager for ConAgra Foods. "You cannot properly manage risk at the operational level. You must be at the strategic level in order to match the severity of threats and vulnerabilities with the business' risk appetite. This shifts the knowledge and experience requirements for information security from the technology to the business."
|How Much Money Will You Have?|
"This cannot be accomplished by a technician, but by a business leader with the proper authority to see that appropriate business decisions are made," Woerner says.
Ironically, the strategic shift emerges from the confidence that the tactical side of the house is in order. Only four percent of respondents were unsure about their abilities to harden network perimeters against external attacks and to hold malware attacks in check.
"My job as information security officer is not technical," Swindon says. "I own everything that touches and contributes to the protection of information. Information systems are some of my customers. They involve me in project development and looking at security before we do things like implement new systems. It gets less expensive from a business perspective."
Security managers are instead turning their attention and budgets toward risk assessments and toward technologies that streamline identity management, provide secure remote access for employees and partners, and support compliance with federal regulations. Sixty-seven percent of those who took the survey expect security budgets to increase, and 34 percent project a jump of at least 10 percent.
Offloading to Operations
With more focus on risk management, security managers are offloading duties in other areas. Operational teams such as network, application and server administrators remain the most logical home for day-to-day security duties like firewall maintenance, IDS management and secure server configuration.
"We guide our network team and approve security actions that they implement," says John Kramer, information security manager at the University of Pennsylvania Medical Center. "Local understanding always outweighs corporate-level decision making lest the users get impacted by broad-brush decisions that are not viewed from a local business-needs perspective."
|How Are Things Going?|
"Security can only be adequately interpreted at the local level to be most accommodating to the users and their business needs," Kramer says. "Centrally, we cannot do justice to these disparate and specific local needs. We provide the high-level direction, and they interpret and implement local solutions that best meet the needs of both the central direction and the local quirks."
The integration of risk into the security operation is an offshoot of the need to comply with regulations. For most public companies, complying with SOX, HIPAA, GLBA and other industry-specific regulations is an ongoing initiative. As the routines are ingrained in everyday operations, confidence grows that the compliance challenge will lessen.
ConAgra Foods, for example, has created a homegrown risk-assessment methodology called the System Security Plan, based on NIST Special Publication 800-30 and the Microsoft Security Risk Management Guide. New systems or applications must adhere to the plan before they are put into production. The plan has three components that describe the new system and any risks associated with it, plus a 10-point checklist that determines its compliance with policy.
While 72 percent of respondents said they'll be spending more time and money on compliance-related activities in 2006, Woerner says ConAgra's initial push is over.
"The cost for compliance is dropping as it becomes a regular activity," Woerner says. "Now that the processes and procedures are in place, there are fewer costs involved. Most of the expense is on outside auditors to attest compliance."
Who's On First?
Infrastructure complexity spawned concern among respondents in several areas, notably identity, access and vulnerability management, and reporting mechanisms.
|Where's Your Money Going?|
Some managers are reluctant to dive into expensive identity management systems until the industry settles on implementation standards. "Like most organizations, we don't want to commit to a vendor-specific approach that will constrain our ability to deliver flexible solutions in the future," says Jon Stanford, chief security officer for the American Criminal Investigators Network.
Meanwhile, access control technologies like two-factor authentication and enterprise single sign-on remain a wait-and-see proposition in most organizations. A quarter of the survey respondents said they'd be spending more on both technologies in 2006, but some, like Stanford, are still wary of hidden costs, such as the replacement of lost tokens.
While most organizations have their patching processes down pat thanks to automated tools and scheduled patch-release cycles from Microsoft and Oracle, vulnerability management remains a top operational priority. Spending on network vulnerability scanners and patch management tools is expected to rise. Security managers also want to improve the integration of vulnerability, patch and configuration management tools into a single console. Spending is expected to head upward there as well.
"Exploits are so pervasive that keeping systems current is more important than ever. It's a challenge because there's always the balance of needing to minimize system downtime," Stanford says. "There's also a lack of real expertise in vulnerability management. It's hard to find and hire staff who have the training and experience to assess systems for security control effectiveness and manage mitigation efforts."
|What's On Tap For 2006?|
"When a vulnerability alert comes out, I get information from the lists and newsletters. If it pertains to our organization, I submit call tickets for research," says Justin Francis, a security administrator for a national entertainment retail chain. "The process is there, but it's manual."
Tying it all back to risk, respondents want better automation around reporting mechanisms in order to satisfy not only management, but auditors. Many rely on homegrown reporting applications that produce output as spreadsheets and PDFs, or via Crystal Reports.
"Giving management the warm and fuzzies is always important," Kramer says. "Sometimes, varying communications with a common message is needed. You can't tell whether your audience is tactile, visual, or auditory in receptiveness, so you just have to keep trying."