The (Almost) Budget-less CISO: Winning, Not Surviving

Tuesday, July 12, 2011

Rafal Los


Welcome back everyone - in my last post I told you CISOs (and would-be CISOs) out there that your budget is killing you.  

Some of you refuted this, but many of you have been eagerly awaiting the second part of the post. I'm here today to tell you that you don't need a big budget to run a successful team, protect the business from unnecessary risk, and keep out the 'hackers'.

How much money would you need to 'secure' your organization?  A million? Ten million? More? You probably don't know, or worse yet, that number is probably so large it's impractical. How about I ask the question a slightly different way... How much budget are you asking for, as a CISO?

The reason I advocate that a CISO should hold as little budget as possible is that the business tends to equate the budget a CISO holds with the amount of money it takes to secure the business. I dare you to tell me I'm wrong... Those of you who've spent years in the trenches managing enterprise security understand this to be generally true.

Divorcing Your Budget

As a Chief Information Security Officer or some other enterprise-level security leader, your job is to secure the company, right?  Wrong. Your job is to apply rational risk-reduction to business practices, to lower the likelihood and impact of catastrophic failure from a security-related incident.  

How does a huge budget help you achieve that? In reality, it doesn't... not really. A huge budget is often the signal that you've not understood your business well enough to apply the right technical and non-technical controls in the right places.

Or you simply haven't yet mastered the Jedi mind trick I'm about to teach you. Now, let me drop a caveat and say that a huge budget is not necessarily a bad thing; I'm talking about its proportion relative to the rest of the IT budget, year over year.

I'm a strong believer that it's important for the CISO to divorce themselves from the budget as the means of achieving broad-stroke goals within the business framework.

Sure, if you want to keep putting more firewalls in place you'll need to hoard your budgetary dollars... but is that making you more 'secure' or achieving that thing I highlighted above?

Divorcing yourself from CISO-controlled pennies means that you, the {security|risk} team within your organization, have a much better chance of understanding the business and thereby reaching some goals within that business framework.

There are a few things you will need a budget for. You'll want your core team's headcount for sure; count this as your 'advisory' team, or IT risk consultants. (More on this at some future date.) You'll also want to budget for anything you feel strongly about; label this "toys"... and make your peace with the fact that it'll probably be cut.  

Now list out all the technical controls that don't align directly with business goals but are entirely necessary, and make sure you can justify and pay for those. These may be things like forensic toolkits, high-end laptops/desktops/servers for analysis, and some training for your staff. Pretty much everything else... well, that falls to this Jedi mind trick.

This is the Security You're Paying For

So, if the CISO has this absolutely minimal budget... how is the team to get anything done? Simple: follow this formula.

  1. Understand your business' strategic goals/directives
  2. Design non-technical controls to aid those directives
  3. Design technical controls
  4. Price out required technical/non-technical controls
  5. Insert 'security' costs into the business capital and operating budget

This post would be a little too long if I went into the details of each of these 5 steps, so I'll explain them at a high level here, and then dig into them individually over the next several posts, depending on whether you all want to hear more or not.

Understand your business' strategic goals/directives

Get real. If you've seen the #SecBiz hashtag build on Twitter lately, it's because we're gathering a following among executives and practitioners alike who are trying to figure out why security <> business goals.

My suggestion for security leaders, and those who want to be security leaders, is to dig into the board-level directives your organization has.

If you're a hospital, you probably have some goals around how many patients survive your ER. If you're a widget company, you probably have some goals around operational excellence (maybe Six Sigma?), or if you're a financial firm, maybe you have the goal of doing more acquisitions.

None of those map easily onto firewalls, IPSs, app security and scanning... so you have to think critically: how will your team enable business goals?

Design non-technical controls to aid those directives

Listening to the business and designing ways to keep it safe are two entirely different things. Like my wife says, listening to her and understanding what she's saying are two different things... I know most of you will nod along with that one.  

Don't just throw technical controls at the things you see... first design non-technical controls. This is harder than throwing technology at every problem, although that's what we've been trained to do since our first day on the job, right? Malware is a classic example.

We keep burdening our laptops and mobile devices with more and more 'agents', yet we completely neglect the non-technical controls like user awareness, and other things we can do that don't require installing anything.

Design technical controls

Sanely. I'll just leave it at that.

Price out required technical/non-technical controls

Figure out what it's going to cost in terms of people, process and technology, all while keeping business objectives in mind. Your objectives matter less than business objectives. Trust me.

Do what you already do: find multiple bidders, test the technology, and find what works. Here's something novel though: understand that while you may want the Maserati, your business objective may only require the Lexus.  Think about that.

Insert 'security' costs into the business capital and operating budget

Now here is the Jedi mind trick.  This is the part that takes practice, and a lot of experience. You will need to take all the dollars those controls require and hand them to the business to insert into its own capital and operating budgets.

You'll need to justify the costs and make the business understand why it, and not you, is paying for them; but that's another post entirely. You'll probably have to dog-fight this the first couple of times around, or maybe not... it all depends on where you work. Let me just say that THIS is what you're after.

There you have it. This is the secret. This is how to run a team with an absolutely minimal budget and still achieve the goal. Oh, and that goal, in case you've forgotten it, is:

Your job is to apply rational risk-reduction to business practices, to lower the likelihood and impact of catastrophic failure from a security-related incident.

Cross-posted from Following the White Rabbit
