Scaling Your Information Security Organization

Every Information Security manager I speak with sooner or later comments to me on how difficult it is to find good security people and how expensive even mediocre security staff are. How do you address the challenge of keeping your organization secure in the face of tight budgets and rising workloads while also trying to bring some resiliency into your organization?

A colleague of mine asked for my help to tackle this issue with his Computer Forensics team. He was overwhelmed because his company was paying an external provider a fortune for Forensics analysis. He was having trouble retaining his one CCFE because of burnout and, because of the external spend, he was also having trouble making his budget numbers. I’ll try to reference some of that discussion in explaining the ideas in more detail.

I had discussed applying the ideas from Software Development that address this kind of a challenge. The SDLC offers an avenue for standardizing and streamlining the development process. In fact, my teams have very successfully executed the Best Practices over the past 6 years to reduce the cost of development and improve quality. I wanted to apply the same ideas here and I feel that the same benefits await the CISOs that are willing to see it through.

The Approach: Our goal is to build processes that are repeatable and tackle the basics. In all processes, there are some common and well understood steps and activities that can be executed as a matter of routine. The goal is to lay these out in some detail and farm them out to be executed by more readily available personnel. You’re building an Information Security version of the Software Factory – leaving only the more complex tasks, analysis and strategic decision making for your core “senior staff”.

I want to build a system where these senior staff members are intellectually challenged and have the time and opportunity to stay abreast of the developments in the Information Security space so they have avenues for personal growth. Even so, churn is inevitable and if a couple of these team members leave and it is 6 months before I find replacements, my CISO will have confidence that things won’t fall apart.

The junior staff that execute the more routine events will be honed in Security basics and good practices. They will be required to pay attention to detail and those that are talented will form the bench and can be groomed for more senior roles. Over time, this allows you to develop a more resilient organization.

Start with a Checklist. Regardless of what the portfolio is for your Security organization, you should be developing Process descriptions of the activities that you own. It always starts (and ends) with a Checklist that lays out the steps in the process and who owns each one. As with any Business Process, clear ownership of activities and decisions is very important. The checklist tells you the actions. A RASCI chart tells you ownership. The RASCI (Responsible, Accountable, Support, Consult, Inform) Chart is a document that lays out the roles that members in the organization play during the process.

Make sure that the checklist and RASCI are:

  • Complete: they shouldn’t have gaps and should leave little to the interpretation of the person executing the process
  • Unambiguous and Prescriptive: if not, you will have variations in how staff members execute the process. I’m anal about this: I go as far as to check and double check the grammar of the instructions.
  • Realistic about knowledge: don’t assume too much about the knowledge of the person executing the process … expertise level can vary significantly depending upon the background of the personnel.

Aligned with the checklist is generally some training for staff members that walks them through the process. A recorded “demo” that takes them through a live session executing the checklist is ideal – with commentary added to provide context. This would be required training for all staff members prior to them working on a project. And periodically they will be required to have a refresher as well.

Executing the Checklist: I’d like to reference back to my colleague’s request and consider how this would work for Forensics. The checklist would lay out SOPs for preserving the data, documenting each step meticulously to ensure that the copy of the data that you’re analyzing is true to the original (complete with MD5 checksums), making sure that you consider each potential issue in turn (hidden data, recoverable files, cookie analysis, etc.) and not make assumptions along the way that may be unwarranted. If you use software like Paraben or FTK Suite, the setup of the tools and the preparation of the host computer on which you’ll execute the analysis should be documented. This will ensure, for example, that your analysis is not contaminated by previous analyses done on the system.
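The “copy is true to the original” step above is the one item on a preservation checklist that a junior examiner can run mechanically and that a senior examiner can later audit. The following is an added example, not code from the original post or from any forensic tool it names: it hashes an original evidence file and its working copy, compares them, and appends a custody record to a log. It computes MD5, as the post mentions, and SHA-256 alongside it, since MD5 alone is no longer collision-resistant. The file names, examiner id and sample bytes are constructed for the demonstration.

```python
"""Verify a forensic working copy against the original and log the result.

Added example, not from the original post or any named tool. Evidence
bytes, file names and the examiner id below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def hash_file(path):
    """Return {'md5': ..., 'sha256': ...} hex digests for the file at path."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_copy(original, copy, examiner, log_path):
    """Hash both files, compare, append a JSON-lines custody record, return it.

    The returned record's 'verified' flag is what the checklist step acts on:
    a False value means the copy must not be analysed.
    """
    orig_hashes = hash_file(original)
    copy_hashes = hash_file(copy)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "original": {"path": original, **orig_hashes},
        "copy": {"path": copy, **copy_hashes},
        "verified": orig_hashes == copy_hashes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Build a constructed evidence file, one faithful copy and one altered
    copy, verify both, and return the two custody records."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.img")      # constructed
        good_copy = os.path.join(workdir, "working_copy.img")  # constructed
        bad_copy = os.path.join(workdir, "tampered_copy.img")  # constructed
        log_path = os.path.join(workdir, "custody.log")

        data = bytes(range(256)) * 16  # 4 KiB of constructed evidence bytes
        with open(original, "wb") as fh:
            fh.write(data)
        with open(good_copy, "wb") as fh:
            fh.write(data)
        with open(bad_copy, "wb") as fh:
            fh.write(data[:-1] + b"\x00")  # one byte altered

        good = verify_copy(original, good_copy, "examiner-01", log_path)
        bad = verify_copy(original, bad_copy, "examiner-01", log_path)
        return good, bad


if __name__ == "__main__":
    good_record, bad_record = demo()
    print("faithful copy verified:", good_record["verified"])
    print("altered copy verified:", bad_record["verified"])
```

Each call appends one line to the custody log, so the log itself becomes the documented trail the post asks for; a senior examiner auditing the junior’s work can re-run hash_file on the stored image and compare against the logged digests.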

Another example would be when asked to do Pen-Testing for a site: the checklist documents steps to prepare for the testing, the types of tests we’d run, what to do with results (especially vulnerabilities found), mitigation steps, etc. The goal is to have junior staffers complete the basic PenTesting exercises to address known issues and items. We establish standardized tools/techniques and processes for communications (so the Pen Testing is not mistaken for an attack). This can be extended to other areas within Information Security as well.

The senior Forensic Examiners’ role is to provide oversight and to come in to finish off the job – to see what the process may have missed, and perhaps to apply new approaches that they have learnt. Ditto for Senior PenTesters. Periodically, they compile the new forensic developments or site attack vectors/vulnerabilities and add them to the checklist so that the process covers those as well.

In both these cases, the junior staff members are less expensive and, if you’ve reached a level of confidence in the maturity of your organization, they can even be located overseas. I’d not want to source them from an outside vendor, because you’re effectively training the vendor’s resources. Their work should be periodically audited by the Senior staffers to ensure consistency. As part of the process, they should be logging metrics to measure effectiveness of their work as well as data about the sites they’ve audited.

Maturing the Process using Metrics: At this point, you will have slowly built an approach that leverages lower cost and more abundantly available (less skilled) staff to reduce your overall cost per Forensic or PenTesting request, and you’ve also lightened the load of your highly skilled resources in the process so they can focus on more value-add activities – like keeping up with new developments in the area.

One goal that we’re trying to achieve is repeatability. The process should result in the same outcome if repeated – by another staff member, or at a different time. For Forensics, given that the legal department is also often involved in these, having a robust and repeatable process ensures that the results you obtain will hold up under scrutiny.

Metrics need to be developed to measure your progress in achieving goals. The broader metric is to not only increase capacity of the organization, but also to reduce cost. These are easy to measure – you can tally up how many of your Forensic requests were handled internally, and how many went out to an external provider because you were short of internal bandwidth. Another important metric is the speed with which a Forensic Analysis is completed – because the findings in an initial analysis will allow you to decide if more detailed analysis is appropriate.

There are other metrics that can be borrowed – re-use would be a good metric, as would any of the audit metrics (having two staffers perform the analysis on one case to measure variance in results) … but you should look at what you want to measure based upon the value that the activity is bringing to the organization. Adopting metrics without understanding their meaning and value to the organization would be counter-productive.

Challenges: Aside from organizational resistance (because people are threatened by change), there are considerations that must be taken into account in setting expectations. By far the hardest to measure is effectiveness. This is where Information Security differs so much from Software Development – there is no real equivalent of a Traceability Matrix that will tell you that you’ve delivered the goods.

Be aware that, as you go further down this road, this will also inevitably lead to adopting other aspects of and disciplines within the SDLC – following on the heels of the use of Metrics for measuring Quality, there will be Iterative Process Optimization (Deming’s Cycle) and Project Management methodologies. But the CISOs that want to change the nature of their organization will have to lead their organizations through this type of change. Those are the visionary CISOs that will Get It Right.


Filed under Information Security

Getting Identity Management (or any InfoSec efforts) Funded

As I have discussions with CISOs and senior Information Security staff members from Fortune 500 companies, I am struck by how much trouble they have in trying to obtain approval and funding for their projects. I think part of the reason is that CISOs don’t necessarily speak the same language as other lines of Business IT in larger corporations. This, in turn, results in an inability to showcase to Business IT groups the fact that InfoSec is good common sense and should be a foundational plank for all their efforts.

To get buy-in from other IT groups, CISOs need to understand how Information Security is perceived by others in the CIO’s extended staff. They also need to understand the concerns that these IT groups have and where there can be better alignment. This is how CISOs convey in practical terms that Security is a shared responsibility that every IT leadership team has a stake in.

Let me illustrate what I mean by taking Identity and Access Management projects as an example. For the past few years, government and regulatory compliance mandates have been used to drive the adoption of IAM tools and streamlined processes. Fear of getting carted off to jail worked for a little while. Alternatively, much was made of the subjective and often unsubstantiated suggestion that IAM will save money by speeding up provisioning and de-provisioning of access. This approach seems increasingly less effective. CISOs and their staffs always struggle with the costs of a typical IAM program that irks business teams and costs a lot of money for little apparent gain. So, how do you convince IT teams that IAM will save them money and is in their interests?

Know the pain points for your business: CISO staff should know where IAM would help with issues. For example, if delays are indeed occurring in provisioning and de-provisioning access to systems, then it makes sense to try to calculate the impact to the budgets.

I’d start at the budgets for Projects and in-business initiatives. Here is an example:

  • If it takes a week to approve and deliver access for a new contractor, that translates to 40 hours that the contractor is being paid from the project budget. At $100/hour, that is $4000 per contractor.
  • In a highly leveraged IT development effort, if a project has, on average, 10 new contractors, that means each project could be wasting a minimum of $20K where resources are engaged (i.e. billing) by the vendor but not delivering any value.
  • My team delivered 64 projects in 2010 – by this math, I would have avoided $1.28M in costs.

I would do a little more detailed exercise in extracting data from tickets etc. than the above. But I would wager that the impact I outline above is borne out by actual numbers in a typical Fortune 500 IT Organization.

It is important that decommissioning of access be similarly regulated. If the system for which you are developing the software is a SOX L1 system (e.g. your company’s ERP), then you know the importance of following the proper procedures in the SDLC to remain SOX Compliant – as an example, Build (development) staff cannot perform Code Migrations into Production environments. Given the fact that contract resources may play multiple roles, it is important that IAM is used to de-commission access at the end of the project so that it doesn’t conflict with that developer later taking a role on the Support team. Opportunities like this would be used to lay the building blocks for IAM that can then be expanded to encompass other requirements.

Tying IAM into the Contractor Management process would be an obvious benefit. You can track exactly who is or isn’t able to access your networks. In a multi-vendor environment, this becomes key because now metrics can be generated to allow an objective view of vendor engagements. This would be a great set of metrics for your Supplier Management and Procurement teams to have when they negotiate rates and engagement models.

Look for non-traditional drivers: IAM is not just about access management – it’s really about people (Identity), and what is associated with them (in this case it’s Access). We’ve often heard IAM vendors tell stories about cell phone bills being paid by the company months after the employee has left simply because there was no clean way to trigger a cancellation. This should spark an opportunity for CISOs to look at how IAM can be extended beyond simple Access Management to show value and thus generate support and funding for the project.

I wrote a proposal in 2009 for IAM to be tied into our Asset Management system so that, for each employee or contractor, we could easily trigger an action when warranted. Instead of having separate systems being tasked with tracking cell phones, laptops, security tokens, software licenses, etc., we would use IAM to trigger those processes to recover assets provisioned to the user when they left the company. This streamlines the process and allows for better tracking of assets and their disposition.

In some companies, this is even more crucial because an employee often had multiple sets of these assets provisioned to account for contractors that may be under their oversight. In most companies, these are tracked by different groups using different tools. Having a single streamlined process gets the company to a point where there is less opportunity for abuse. This is good Information Security practice as well because company data on those de-provisioned laptops and cell phones is not “at large”. We estimated that we could reduce costs associated with these resources by 20% or so.

How can the potential savings be quantified? For that, we would need some baseline data from these departments; alternatively, the Finance controller can likely get you the data you need. But some back-of-the-envelope calculations would make for a good starting point. For example, if we expect that contract staff have laptops provisioned by their own companies, given an employee base of 50K, with approximately 25% of them as direct labor, we should not have had more than 40K laptops in the field and under a support contract (including 2000 in reserve for change-outs etc.). If the number of laptops is 45K, then there are 5K laptops in excess – this represents about $4.5M in excess inventory that the company has paid for (at $900/laptop). In addition, I’d estimate that another $500K is being paid out to keep these under maintenance. That’s a $5M bogey that is out there.

Other targets we needed to address were Cell Phones ($500 for each smartphone) and even RSA Hard Tokens. Software licenses posed a special problem – some licenses are available under an Enterprise License Agreement (e.g. Microsoft Office Professional) while others are on a per-use basis (Microsoft Visio, Microsoft Project, Acrobat Professional are common ones). Some are expensive enough to warrant the use of a FlexLM-type license server. If license usage were tracked on a monthly basis, allowing for co-ordination with the IAM systems, you would have a very accurate picture of usage across the company by month. This would be extremely useful when Procurement sets out to renegotiate licensing arrangements because the company would be less prone to overpay to the tune of millions of dollars. This one is much harder to quantify without detailed analysis of the software licensing for the company.

IAM (and Information Security) is simply a good way to run your business. The idea above really is that IAM is an enabler that implements some common sense processes and tools that make IT more efficient and add value to the business. The key really is to be able to showcase to the business that integrating IAM provides a metrics-driven approach to bootstrap the program.

So, there we have 3 groups that are in a position to directly benefit from IAM efforts: Asset Management, Finance, and Procurement and Supplier Management. In addition, the CIO could be persuaded to allocate a percentage of the budget in any project to funding IAM activities. Taken together, I’d say that this is a solid foundation for bootstrapping the IAM Program.

Other Information Security programs can go a long way in bootstrapping themselves in this manner as well. For example, information security can be used to improve Program and Resource Management and Employee and Contractor Training processes (by tying this to the LMS). At the end of the day, analysing the data that Information Security tools collect will shed light on the inefficiencies in the organization and allow you to prove the value of actively integrating Information Security into the way that IT works.

Filed under Information Security