secureworld

CISOs seek frugal ways to secure systems

It is budget cutting time. Companies in all industries are looking for ways to save money in a down economy. Security analysts say companies are slowing ongoing projects and delaying others signaling the acceptance of more risk.

Security pros that attended the two day SecureWorld Expo on March 25-26 in Boston learned about a number of ways to keep sensitive systems locked down while trimming their already tightening budgets.

Candy Alexander, CISO at Long Term Care Partners LLC, urged attendees of her session, “Security compliance program on a shoe string budget,” to develop a framework by using guidelines outlined by NIST. Alexander said NIST would be a cheaper source over the ISO standard. Although the benefits of ISO over NIST or vise versa is debatable, ISO is also not a widely adopted standard in the U.S., she said.

While much of the information doled out during the 45 minute presentation was basic, it certainly could serve as a starting point for some security pros looking for ways to keep systems secure despite a tightening budget. The most important piece of the talk: Know your data. Know where it is. Know how it flows through your systems. It’s so simple, yet time after time I hear that many data breaches happen because an attacker found a hole in a database that IT didn’t even know existed.

A friend who works for a major university in Massachusetts told me that in the first few weeks on the job he followed the basic steps of identifying the most sensitive information, where it was and how well it was protected. During the process he found a database containing thousands of credit card transactions in a small office off one of the university’s dining facilities. It had been there for years. Few knew it was there and those that did — dining facility staff with little technical expertise — didn’t realize the data residing on it was so sensitive.

Having a sound security policy and enforcing that policy was also one of the takeaways from the expo. Although it’s another fundamental part of being a security professional, we’ve heard countless times that some organizations have policies that they downloaded off of a website and rarely refer to them or educate end users about them. Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif-based consultancy, gave the SecureWorld keynote, urging those listening to rethink their security policies. If an organization doesn’t have policies that align with business objectives then they should be written with that in mind, Wood said.

Wood advised attendees to conduct an annual risk assessment tying it into the company security policies. He said some of the best security programs also create an environment that fosters higher security standards among employees. Management plays a big role, he said.

Finally, an information security officer tag team of Leilani Lauger of Loyola University and Morey Straus of NHHEAF Network Organizations tackled ways CISOs can do their job frugally. Straus said CISOs can consider managed security services and should also take a look at the company’s existing contracts with third-party vendors. Some of them may be able to be renegotiated at a cost savings, he said. Straus said CISOs can also help foster the culture of valuing information security by acting “less as a cop and more like a guide.” Lauger said security pros should also design training programs that are interesting and replace outdated posters and material with fresh content on a regular basis. Send out security messages in multiple forms, not just weekly email messages or security posters, she said.