The document discusses challenges facing information security professionals and provides advice for achieving success. It outlines 4 common but flawed mindsets executives have about security and recommends focusing on governance, strategy, staffing levels, and evolving the security program incrementally over time. The author describes 3 levels of security program maturity - Version 1.0 (immature), Version 2.0 (risk management approach), and Version 3.0 (mature policies and infrastructure). For a Version 1.0 program, the priorities are perimeter protection, antivirus, and patch management. For long-term success, the security professional should gain management support, implement services incrementally, and partner with operations.

1. Information Security:
Organizing and Managing for Success
By Aurobindo Sundaram
Introduction ▼ Corporate governance, including reporting relationships, clear
delineation of roles and responsibilities (and most important,
The Information Security industry has suffered historically from 4 differ- accountability)
ent mindsets of executives: ▼ Recognizing that a coherent, execution-based strategy is critical
to success.
1. Security is firewalls—the techie model ▼ Setting staffing levels and expectations with peers and business
2. Security is a destination—the project model owners
3. Security must be perfect—the purist model ▼ Evolving an information security program from immature (few
4. Security is an engagement—the consultant model policies, no business support, little security infrastructure—we call
this Evolution v1.0) to the Risk Management Approach (substantial
In this article, we discuss the challenges facing our industry and the management support, mature policies, robust network security
CISO role and discuss how an aspiring security professional can achieve infrastructure—we call this Evolution 3.0) incrementally and over the
success out of these scenarios by focusing her efforts on: period of a few years.
©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. THE ISSA JOURNAL ◆ June 2006

2. In sum, we guide the new information secu- The Wrong Way The Right Way
rity manager into making the right strategic deci-
sions to create a successful program, and point ▼ Initiate a vulnerability management ▼ Initiate a vulnerability management
her towards robust, but incremental execution program program
as a tool to enable this success. ▼ Create SLA of level 4 and 5 issues to be ▼ Create desired SLA of level 4 and 5
fixed in a week issues to be fixed in 1 month/1 week
Historical Problems with ▼ Perform first scan, find 74 level 5, 223 ▼ Perform first scan, find 74 level 5, 223
Information Security level 4 level 4
▼ Open tickets for operations ▼ Open the top 20 level 5 tickets every
Some of the historical problems with week after consulting with operations
Information Security revolve around how CISOs ▼ Progress to level 4 when level 5 tickets
have positioned the department. The three are at manageable level
most common (and generally wrong) para- Figure 1: The Wrong and Right Ways to Implement a Version 2.0 Initiative
digms have been:
Privacy Information Legal Human Operations Business
1. Security is firewalls–the techie model: Office security Counsel Resources unit
This has generally been perpetrated by IT Security Policy/Assess Approve Approve Execute Execute
system and network administrators who
have been promoted into the CISO role. Fraud/incident Execute Policy/ Initiate
response/law Co-ordinate
Although the technical side of security is
enforcement
well handled under this model, the major
issues with it are that business management DR/BCP Consult Policy Consult Execute
does not understand that information
Regulatory Policy/ Execute Consult Execute
security is more than just firewalls and compliance Assess
technical controls. The mapping between
Customer audits Execute Execute Execute Execute
technology and risk is unclear to them. To
them, security is implemented by preventing
hackers from accessing websites. The CISO Physical security Policy/Execute
is ineffective at communicating risk.
Figure 2: Sample Governance Matrix. This is by no means supposed to be a real-world matrix,
Eventually, Security is sidelined, made to because the reader will notice that there are several rows (focus areas) without any columns (account-
report to the CTO, Operations, or Internal able departments) having the “Execute” function. The CISO should ensure that Policy, Execute, and
Audit and effectively made irrelevant. Assess are owned by at least one department for every focus area.
2. Security is a destination–the project
model: inflexible because it does not account for managed consultant can actually provide
CISOs who have moved up through risk mitigation and compensating controls. value by documenting operational gaps
Internal Audit and Project Management Security is either black or white, and there and prioritizing goals. All too often, this
can sometimes propagate this model, is no scope for compromise. This model does not happen.
where it is believed that if a set of projects results in business management overriding
is completed, Security is achieved. Information Security in most cases, and the Challenges Facing the CISO Role
Unfortunately, this is not true of Security, entire department getting a reputation for
as the threat landscape is continuously being hard to work with. Recovering from Quite separate from the mistakes CISOs make,
evolving. Unfortunately, because of the this model can take years because of the there are also inherent challenges in the role
promises made to business management, tarnished reputation to overcome. itself. Over the last several years, the role of the
the department goes through a boom to 4. Security is an engagement–the CISO has become short and rocky, with higher
bust cycle; boom when project funding is consultant model: risk and lower reward. Consider the following:
requested and received, and bust when In this unfortunate model, the new
projects are completed. Security is not CISO brings in a consultant to perform a 1. The average CISO tenure is shorter than
cyclical – effective programs depend on risk assessment to make the department ever and often considered a transition
staff continuity and a stable environment. look as inept as possible, so that she can role. An average CISO serves 2-3 years in
When these are not present, the security gain headcount. What generally happens is her job1 before moving on. At this rate,
culture is hard to implement. that the consultant spits out a the CISO is always thinking in short-term
3. Security must be perfect–the purist comprehensive strategic plan involving mode, trying to make sure she pads her
model: large service-intensive projects. The CISO is resume as much as possible. This is the
In this model, the CISO believes that a rebuffed by his superiors on his additional worst strategy for the organization, but it
situation is either secure or insecure, and resource requests and only implements a does make the CISO look good to create
to make an insecure situation secure, there portion of the projects without studying and execute several new programs in the
must be a certain set of steps followed, their inter-relations. This, in fact, makes the first 2-3 years and not have to stay
with no deviation of any sort. This model is situation worse, rather than better. A well around to complete the job.
THE ISSA JOURNAL ◆ June 2006 ©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

3. 2. The position involves greater risk than in for the successful implementation of a manda- members with good project management and
the past (California’s SB1386 has been tory security awareness testing for 75,000 users, communication skills rather than just superb
especially responsible for amplifying this vulnerability remediation for over 2,500 sys- technical skills. It is also important to associate
risk). However, the rewards have not kept tems, placement and training for 400 security headcount with services, and incrementally
pace with the elevated risk. This could be coordinators internationally, and updated anti- build the case for headcount.
another reason for the quicker turnover virus software for 75,000 desktops. Along with the governance matrix, the CISO
among CISOs. Sometimes, support is shown by the report- should try to create SLAs with business units and
3. The CISO is continuously pulled between ing structure and the power given to the CISO. operations. These should be gradually phased in
contradictory objectives. Budgets are low, This can involve reporting up to business opera- (the following sections discuss this) rather than
security products are expensive, integration tions so that the traditional problem of CISOs pushed through all at once.
is difficult, and business managers want (security department is stigmatized as a “tech- The CISO should also realize that there are
time to market to be small, which means nology cost center”) is somewhat mitigated. three areas of concentration—People, Process,
security is often asked to rubberstamp a There is a lot of buzz around the topic of and Technology – that can be used to secure a
decision that has already been made. “convergence”—where a CISO manages both computing system. Depending on the culture of
4. Regulations such as SOX, customer physical and logical security. The CISO should be the company, the budget available to her, and
compliance requirements, and ever- careful about being sucked into thinking conver- the maturity of the security program, the CISO
expanding federal and state regulations gence makes sense, without a very careful should focus on one area. For instance, in an
keep the CISO constantly modifying her analysis of the corporation. It is much more immature organization where building a secu-
game plan and having to do much more important that a clear documentation of roles rity awareness culture will be a challenge, the
work with the same resources. This can and responsibilities is performed. CISO should initially concentrate on using
quickly lead to burnout both at the staff It is wiser for the CISO to work with business automation (i.e. technology) to protect users
and executive levels. management, Legal Counsel, HR, Operations, from viruses and other threats. As another
5. It is difficult for the CISO to create a and other departments to create a governance example, in a mature organization where a
corporate security governance matrix and matrix for the organization. A sample matrix is budget is hard to find, the CISO should use the
execute on it successfully within 2-3 shown in Figure 2. By working with these differ- security culture to help protect against threats
years. It takes time to learn the corporate ent stakeholders, a clear sense of accountability (e.g. social engineering, phishing, viruses, etc.).
culture, build a security culture, and build is created, and if that involves convergence, so
the relationships required for successfully be it. Information Security Version 1.0
implementing a culture of accountability … and Beyond
within the entire organization. Strategy, Staffing and Program
Positioning In my experience, there are three distinct lev-
Organization and Support2 els of Information Security Program maturity.
The CISO should decide on a portfolio of serv- There are different challenges in each level, and
There are many thoughts on how security ices she will provide to the enterprise. Care the aspiring CISO would do well to quickly iden-
should report into management. While there is should be taken to not tread into operations, tify which level she is in, and make the appro-
no sure way to gain the support of your man- since that will violate the separation of privileges priate managerial adjustments to succeed at
agement, here is one common myth. doctrine. The portfolio should be risk based and that level.
address defenses in depth. A portfolio would
Myth: Security must report to Business include services in the following areas: Evolution Version 1.0
Management to be effective. This is the profile of an extremely immature
Corollary: Security is best served by reporting to ▼ Network and System Security organization with respect to Information
Information Technology. ▼ Data and Application Security Security. Small startups and even some larger
▼ Identity and Access Management companies that have had bad experiences with
These are both somewhat inaccurate. While it ▼ Business Support Services one of the defective models above can often be
is certainly advantageous to report to business ▼ Policy and Compliance in this level. Some of the characteristics of this
management, without business management version are:
support, this reporting is not useful. It is important to position these initiatives as
scalable, repeatable, services. The CISO should ▼ Few documented policies or procedures
Truth: Reporting is not as important as support emphasize their longevity and demonstrate and ▼ Security is an afterthought
and high-level commitment. quantitatively prove their value. ▼ No business support for security
The CISO should realize that her team will ▼ Little or no existing security infrastructure
I have been at different organizations where make or break her career. It is critical to hire the
support has been demonstrated in different right people into the high-performing team. While the new CISO maybe tempted to create
ways. At a large oilfield services firm that I While education and certifications are impor- a strategic plan to address the deficiencies, this
worked at (in IT, no less!), commitment was tant, it is even more important that team mem- is often not the appropriate thing to do. The
shown by setting information security objectives bers be able to communicate to business enterprise is at too great a risk, and immediate
from the CEO down (accounting for 20% of their management in terms that they can understand. action is required. The CISO should create and
annual bonus). This executive support allowed Therefore, it is more important to hire team
©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. THE ISSA JOURNAL ◆ June 2006

4. immediately execute on a very tactical, network security-centric plan. The management support for the security program.
elements of such a plan should include: 5. Ignore Data and Application Security. This may seem surprising, but,
again, the security program, while well developed, is not yet at the
▼ Robust perimeter protection using firewalls and intrusion detection level of maturity that can support application security scans, secure
systems: There are thousands of targeted and random (script kiddie coding, and data encryption (except in special cases).
based) attacks propagated across the Internet every day. It is critical
that the enterprise protect against this by using access controls and The CISO should pursue a methodical, reasonable approach to embed-
detection mechanisms. ding security into the operations mindset, keeping in mind that operations
▼ An anti-virus implementation: Viruses and worms are the single largest is generally lightly staffed and heavily loaded to start with. While putting her
source of damage for enterprises. Implementing up-to-date virus foot down on critical risks, the CISO should provide a level of flexibility to
protections on all systems is critical to ensuring business continuity. win over the hearts and minds of the different operations groups. In the
▼ A patch management implementation: New vulnerabilities are released long run, operating as partners leads to far more effective security programs.
every week, sometimes by the day. An enterprise that does not manage Figure 1 demonstrates the dangers of trying to do too much too soon.
these patches, even manually, will be compromised at some point. In “The Wrong Way,” a CISO sets unreasonable expectations, and can move
the program backwards by losing credibility with her peers. In “The Right
The sharp reader will notice that there is nothing mentioned about user Way,” however, she sets reasonable expectations, focuses on risk-based
awareness or security policy. This is precisely because in such an early remediation, and manages the program as a partnership.
stage of the evolution, policies do not appreciably reduce risk. In addition,
there is no business support for security and thus no driver to build secu- Evolution Version 3.0
rity awareness and culture. Few organizations reach the plateau of Version 3.0. This is because suc-
The emphasis for the CISO should be on ensuring some quick “wins”— cessfully executing through Version 2.0 takes a few years; the discontinuity
building credibility and support within the organization, while quickly reduc- between successive CISOs generally leads to a one-step-forward, one-step-
ing major risk issues to a more manageable level. To this end, the CISO may back scenario for the program. Some characteristics of this level, however, are:
want to outsource some of the tasks at this level – managed security serv-
ices can be a cost-effective way to do this when headcount is at a premium. ▼ There is substantial management awareness of, appreciation of, and
support for the Information Security Program.
Evolution Version 2.0 ▼ Policies are mature, well maintained, and control items
Assuming our intrepid CISO makes it through Version 1.0, she will land implemented and assessed for most policy items.
into the challenging Version 2.0 of an Information Security Program’s evo- ▼ The network security infrastructure is very robust and completely
lution. Most organizations are at this level of maturity. Some characteristics fleshed out in implementation.
of this version are:
Successful CISOs at this level generally should do the following:
▼ There is headcount available with the proper justification
▼ There is adequate staff to handle current needs ▼ Flesh out their enterprise encryption strategy and execute on it.
▼ There is some (but limited) management support ▼ Build Application and Data Protection programs including
▼ Policies and procedures exist but are immature and not always classification, web application scanning, secure coding standards, etc.
complete ▼ Start measuring and enforcing compliance standards and SLAs.
▼ Start reporting risk metrics to business units.
The great danger at this phase is that the CISO tries to do too much. ▼ Drive accountability for mitigating risks through business management.
From the exit of level 1, the CISO has many choices, both tactical and
strategic. Her success in version 1 may embolden her to attempt sweeping Conclusion
new initiatives. Caution is recommended – the support systems for a
robust security program are not yet completely developed. We suggest that The CISO has a thankless and difficult job. Depending on the state of the
the CISO perform the following strategic tasks: organization, there are various pitfalls she can encounter; I hope this arti-
cle gave the reader some essential things to do (and NOT to do) depend-
1. Start building a comprehensive policy umbrella and related ing on the maturity of the security program. The CISO should:
compliance programs.
2. Build Network and System Security programs, such as vulnerability ▼ Build the governance model for execution early on
management. This is the next stage in the evolution of the program, ▼ Implement a service/program-based approach
and is important because script kiddies and malicious insiders often ▼ Staff up with the best resources possible
target vulnerable systems. ▼ Set reasonable expectations with business management and
3. Build Identity and Access Management programs, such as for user operations and achieve them
provisioning, access controls, and security awareness. These are the ▼ Evolve the program incrementally, eventually integrating risk
building blocks for ensuring the correct controls around access to management and accountability
data/systems, and ensuring that a security culture is established.
4. Build Business Support Services, such as enabling the business to The thoughtful, execution-focused CISO who incrementally implements
create revenue (RFP responses, customer audits, etc.). This is change is far more likely to be successful than the flashy, buzzword-com-
important because creating a business value is crucial for future pliant CISO who tries to bring in an entirely new system. ¡
THE ISSA JOURNAL ◆ June 2006 ©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

5. Aurobindo Sundaram, CISSP, CISM, has worked in the Information Security
industry for over 10 years.
1
From: http://infosecuritymag.techtarget.com/articles/december01/columns_logoff.shtml
2
This section is largely excerpted from a previous article “Risk Management Returns Results” in The
ISSA Journal’s July 2005 issue by the author and a colleague.
©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. THE ISSA JOURNAL ◆ June 2006