CIO Decisions Magazine Archives

Security Management Special Report: Under Fire

by James Connolly



CISO: The Technology Sheriff
As a midmarket organization grows, the environment gets more complex. Regulators come into the picture. Hackers take dead aim. Perhaps it's time to hire a chief information security officer (CISO). But when does a midmarket company need one? What triggers the need to hire one? The standard answer, of course, is that each company is different. But CISOs and other experts offer some suggestions.

"Our rule of thumb," says John Pescatore, security analyst at Gartner Inc., "is as soon as you need a chief financial officer, you know you need a chief security officer. If your finances are complicated enough to have somebody in charge, then securing your systems and data is complicated enough that somebody has to be in charge."

The size of a company's IT department can also indicate the need for a full-time CISO. "If there are 1,000 employees, there usually is a minimum of a couple dozen IT people," Pescatore says. With that many IT people, "there usually is a complicated enough IT structure that a chief security officer is needed," he adds.

Stephen Fried, vice president for information security and privacy at Milwaukee-based Metavante Corp., says companies may need a CISO even earlier. "A lot of companies, even as they are starting up, are thinking of security as a specific discipline, which is something we didn't see 10 or even five years ago," he says. "It's almost considered a due diligence kind of best practice now to have a specific security person." Fried suggests that when company security advances beyond basics such as antivirus, firewalls and intrusion detection, it's time for a CISO.

A CISO position can also allay fears from business partners or regulators. Business partners may insist that a company have a CISO who can protect their investments. Publicly held companies and those in heavily regulated sectors will probably need CISOs sooner than private companies that lie outside the government's more direct view.

Of course, many midmarket companies learn too late that they need a CISO. Lee Kushner, CEO of recruiting firm L.J. Kushner and Associates LLC in Freehold, N.J., warns, "For a growing company, one bad story or one damaging blow to a reputation can be completely disastrous."

So what should companies look for in a CISO? Kushner prizes leadership above all else. For a smaller firm, he says, the most important thing is having someone who can "get the message across and actually execute and build a security function."

Joyce Brocaglia, CEO of executive search firm Alta Associates Inc. in Flemington, N.J., admits she's changed her CISO criteria. "When we started recruiting information security officers, we always looked for the most technical person in the room. Today we're replacing them with people who truly understand the business."

A CISO needs to be able to show business units the value of a security initiative in terms of savings and explain how security plays into operational risk, including factors such as uptime and recovery from a security breach. "They have to be able to align investments with potential benefits," says Brocaglia.

Communication is key for any CISO, says Mark Weatherford, chief security officer for the state of Colorado. "I never miss an opportunity to speak to any group of people -- whether it is one person or a hundred -- about what we are doing and why."

Nurturing relationships with business units is crucial in terms of finding advocates for security initiatives. Khalid Kark, senior analyst at Forrester Research Inc., notes that advocates don't even have to be top managers in a business unit. "Basically, it's getting security advocates within business units to point to specific things and say, 'Hey, this may need a security review.'"

-- J.C.

SIMply Secure

Some CIOs draw on multiple security technologies to defend against multi-vector attacks. Security information management (SIM) systems, for instance, monitor and analyze huge volumes of data in the logs of firewalls, intrusion detection systems and other tools to spot attacks, thus taking the burden off human eyes.

"The challenge I have from the SMB perspective is having the staff and cost-effective tools to monitor all of our systems," says Mark Willford, manager of IT at DirecTV Castle Rock Broadcast Center in Castle Rock, Colo. "We don't have the luxury of having a dedicated security department. I have a staff of 19 people that is responsible for everything from toner replacement to managing a very large ATM backhaul network. So my staff wears a lot of hats, and part of our responsibility is making sure that our data is secure."

Willford wanted a system that could correlate log files from various servers, firewalls and other components and offer real-time alerts about suspicious activity. He also wanted to be able to audit those log files. After weighing the pros and cons of four vendors, he chose TriGeo Network Security Inc.'s SIM solution. "It was almost a live-by-lunch solution that required very minimal setup," he says. "It was priced very competitively and met all requirements that I had, including minimal management and total cost of ownership."

The SIM system correlates most of the security device log files and provides real-time alerting by tracking event data from multiple firewalls, switches, routers and intrusion detection systems. Willford notes that his company may be an exception in the midmarket; rather than looking back after a problem occurs, he proactively audits logs. "We're able to catch things a lot earlier in the process, especially with virus activity that isn't necessarily recognized by one device but is recognized when correlated between two devices," he says. Previously, virus activity or a denial-of-service attack may not have been spotted until users complained.

Another midsized organization turned to SIM because it was a cost-effective way to extend the reach of its alerting capabilities. For about a year, Stillwater National Bank in Stillwater, Okla., had outsourced key monitoring functions such as alerting. While the monitoring service worked fine, it covered only one-fifth of the bank's 100 servers. It also didn't provide crucial log monitoring and reporting functions, including those required by various regulations such as the Sarbanes-Oxley, Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts, says Laura Briscoe, vice president for information security at the bank.

"We already had the need for this type of monitoring. Your auditors and the laws all require that you have this type of monitoring and reporting in place, that you know who's accessing what kind of data on which box," Briscoe says.

Rather than extend its commitment -- and annual payments -- to the service provider, the bank looked at in-house SIM technology. Like Willford, Briscoe chose TriGeo. She says it not only offers functionality that beats out competitors, such as desktop agents and USB lockdown, but it also focuses on the midmarket, so the price was right. The bank was paying about $120,000 a year for limited coverage of its systems; for a little less than that as a one-time payment, Briscoe gets added functionality and network-wide coverage.

But it's important to note that SIM technology is still evolving. One IT manager says SIM's data monitoring rules, which vendors often define, allow SIM to catch some kinds of attacks but not all. Murphy says SIM also presents a resource challenge for midsized companies, which are less likely to have a dedicated analyst who can make the most of such a system through heuristic analysis. "There are some tools starting to put this stuff together," Murphy says. "But usually some human being has to put the rules in there to say what all this information coming from different locations means."

Research labs are developing technology to help midmarket companies better utilize SIM, creating tools that use histogram-based analysis to spot anomalies in SIM reports. The histogram would map the mean behavior of traffic associated with specific applications, so an increase in traffic on part of the network -- a sign of a possible problem -- would prompt an administrator to investigate. There may be a legitimate business reason, such as a special promotion, for the additional activity around that application, or it may be caused by malware.
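An added example, not from the article or any research tool it refers to, of the baseline-and-deviation idea described above: per-application traffic is bucketed by hour of day, each bucket keeps its mean and standard deviation, and a reading is flagged when it sits more than k standard deviations above its own bucket's mean. The application names and volumes are constructed; the point of the hour buckets is that 415 MB is ordinary for the web portal at 14:00 but anomalous at 09:00.

```python
import statistics
from collections import defaultdict

# Constructed history (not from the article): (application, hour of day, MB seen in that hour)
# collected over several weekdays from the SIM's per-application traffic reports.
HISTORY = [
    ("web-portal", 9, 210), ("web-portal", 9, 230), ("web-portal", 9, 225), ("web-portal", 9, 240),
    ("web-portal", 14, 410), ("web-portal", 14, 395), ("web-portal", 14, 420), ("web-portal", 14, 405),
    ("payroll", 9, 40), ("payroll", 9, 42), ("payroll", 9, 38), ("payroll", 9, 45),
    ("payroll", 14, 12), ("payroll", 14, 10), ("payroll", 14, 11), ("payroll", 14, 13),
]
# Constructed readings for the current day; "crm" has no history at all.
CURRENT = [("web-portal", 9, 415), ("payroll", 9, 43), ("web-portal", 14, 418), ("crm", 9, 90)]

def build_histogram(history):
    """Bucket volume by (application, hour) and keep each bucket's mean and population stddev."""
    buckets = defaultdict(list)
    for app, hour, mb in history:
        buckets[(app, hour)].append(mb)
    return {key: (statistics.mean(v), statistics.pstdev(v)) for key, v in buckets.items()}

def z_score(observed, mean, sd):
    """Distance from the mean in standard deviations; a perfectly flat baseline makes any change infinite."""
    if sd == 0:
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / sd

def flag_anomalies(hist, current, k=3.0):
    """Return {(app, hour): z} for readings more than k stddevs above their bucket's mean.
    Buckets with no history come back with z=None so an administrator builds a baseline
    instead of the tool silently treating unknown traffic as normal."""
    flagged = {}
    for app, hour, observed in current:
        if (app, hour) not in hist:
            flagged[(app, hour)] = None
            continue
        z = z_score(observed, *hist[(app, hour)])
        if z > k:
            flagged[(app, hour)] = round(z, 1)
    return flagged

def run():
    return flag_anomalies(build_histogram(HISTORY), CURRENT)
```

Whether the flagged 09:00 web-portal spike is a promotion or malware is still the administrator's call; the tool only narrows what needs a human look.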

Copyright 2007 - 2009, TechTarget. All Rights Reserved.