Over the past few years, as the importance of information security has crept onto the agenda of board meetings at all of the world’s big companies, information security teams have been showered with cash.
But those that lead these teams – often called chief information security officers (CISOs) – now find themselves capital rich but labor poor. A common refrain in CEB’s network of information security professionals is, “I am doing absolutely fine in terms of budget. The CIO will pretty much give me whatever money I need. The problem is having enough staff to keep up with all of the requests I have from the business.”
Although many CISOs come to the understandable conclusion that their problems with increasing demand come from not having enough qualified individuals, there is in fact a lot more Security can do that does not require the effort and money of finding new talent.
And on top of that, although staff is the biggest item in CISOs’ budgets, at 38% according to CEB data (see chart 1), and the percentage of new hires in 2016 has risen in proportion to overall budget growth, hiring good information security talent has become far more difficult in the past 18 months, and some CISOs already report a slowdown in their budget growth.
So it’s becoming apparent that Information Security needs to change its approach to managing increased demand from stakeholders. A more pragmatic solution involves finding efficiencies in existing security processes.
Chart 1: Categorical division of the CISO’s budget (percentage of total budget under the CISO’s control, average). Source: CEB 2015 Controls Maturity Benchmarking Survey.
Reduce the Strain on Resources and Cope With Rising Demand
Find interdependencies between corporate functions and reduce overlapping effort: Since corporate functions often work in silos, employees tend to duplicate efforts when different functions perform similar activities. For example, Legal, Information Risk, and Compliance each require project risk assessments that ask the same questions but are administered separately.
To counter this, McDonald’s, for example, consolidates the risk assessments of its risk functions, which frees up time and resources for everyone – both the functional staff who administer the assessments and the line managers who have to fill them out.
Work with other functions to design more secure corporate processes: Functions often have their own priorities when designing new processes, which leaves information security as a second (or third, or fourth) consideration. For example, just within IT, Agile developers on quick sprint cycles often do not take the time, or lack the awareness, to build secure code into their applications.
To combat this, Security can create an incentive structure that offers developers bonuses for writing secure code in their applications. It can also deliver immediately deployable, production-ready platforms and APIs, rather than document-based policies that are slow and difficult to apply. Security can then work with infrastructure teams to make these platforms and APIs easily available (ideally self-provisionable) to development teams, so they can self-serve and rapidly deploy them as needed.
Triage projects Security needs to engage on: One member in CEB’s network of information security professionals recently described how he uses a “business partner facing decision tree” that asks questions like “Does the project involve building a new capability?” and “Is this internet facing or internal?” to help everyone see whether this is a project that requires Security’s attention.
He also keeps in mind his audience — if more technical Security questions need to be answered, a member of the team is quickly dispatched to investigate further.