Security group ISC2 recently set up an Irish chapter. Co-chairman of its EMEA advisory board and a 20-year veteran of the financial services sector, Richard Nealon talks about a common-sense approach to information security, building a better business case, and the importance of getting buy-in from senior management.
Do you think technology people can get too caught up in the technical stuff and maybe lose a sense of the bigger picture of what the business is all about?
I think that’s the key to a good security professional: that they can put that into context. From my simple way of looking at it, technology is easy because it’s logical. So you can sit down and work out the technology with a pen and a piece of paper.
It’s reasonably simple to do in terms of design, implementation and so forth. But the difficult part is then trying to align that to the business. Because security itself doesn’t have a reason for being. We’re only there, really, to provide a control that the business wants.
And it’s really about old-fashioned risk management. There’s no reason on its own for our being. We’re only there to serve as a risk-management mitigant for the business. So if you’re out there taking credit risk, market risk or operational risk or whatever type of risk that you’re taking, all you’re doing is saying ‘we’re going to apply certain controls to it; security is just one of those controls.’
How well accepted is security among other IT disciplines?
Security has grown up a little bit; people are a little wiser now. I’d rather not think about it as the IT portfolio but the business portfolio. Business people are starting to get engaged.
I’d make the same argument for IT as I do for security: IT doesn’t exist for IT’s sake. It only exists to serve the business. And when IT is making the business case, if the security case is mature and robust enough, then the business needs to be able to buy into it.
Is security better understood these days, compared to before?
I don’t see that conflict that used to be there, where the business used to say: ‘we define security as a non-functional requirement and therefore we de-scope it out of the project’, and all that. That may be because of some of the recent occurrences and the profile some of the security incidents have got. You’re talking about the theft of intellectual property, very much in the news, not just commercial property but government property. You’re talking about people being attacked and suffering large outages as a result of it.
And the business is conscious of those news stories and the fact they have an underlying security element to them. So really, if you make the business case well enough and present it to the business in the right way, present it to IT in the right way, you should be able to get buy-in and the resources to implement it.
In an ideal world, does security deserve its own focus from a dedicated member of staff, or should it be in the broader remit of an IT director or CIO?
I think it’s easier to do with a dedicated member of staff, but that’s obviously a resource thing that every organisation has to consider: can they afford to pay for somebody who’s purely dedicated to security control?
Isn’t there a risk that security doesn’t get enough attention if it’s one part of a bigger portfolio?
There are conflicts. If you have things like costs, availability, security, speed to market – all of those things conflicting with each other – sometimes it’s easier to say that a security risk might be accepted for the benefit of something else. And they’re all really important things. But it makes it simpler when different people are playing those different roles.
Is it easier to get budget approval for security in the current environment or is it still a hard sell?
I think it’s easier to get now, given the fact we now write better business cases. If you say: ‘this is why we need it, this is what we’re going to spend it on and this is what control it’s going to put in place’, people put that into context then, based on what they’ve read in the newspaper. And it’s that contextual thing that makes it an easy decision to pull the purse strings.
What’s the secret to making a successful case for more security?
I think the key to writing a good business case is, you put in what’s necessary and you leave out what’s not necessary. So you really have to be very pragmatic and you hear people on both sides of the argument, saying that ‘secure enough is the enemy of security excellence’, but in business terms it’s an 80:20 rule. You say ‘I’m going to put in 80pc of the security for 20pc of the cost’.
What security has been notorious for in the past is putting together business cases for stuff that’s not really necessary. We were our own worst enemy as a result of it. Whether we wanted to play in the toy shop, or whether we wanted to get involved in new technology for the sake of new technology, or whether a really successful salesman courted us for our business, we went off and bought a whole pile of stuff. And that stuff then got left on the shelf, or got implemented but didn’t get managed properly as a result of that.
Really, you have to be very pragmatic now and say ‘we have limited resources, so if we’re going to invest in something: one, it has to be necessary; two, we’re going to have to utilise it; and three, we’re going to have to allocate enough resources to it to ensure it’s implemented properly, configured properly, it’s managed properly, and it gives us back the return on investment.’ It’s the same as buying IT!
You talk about pragmatism, but there are a lot of shrill voices around, saying security is so important …
Fear, uncertainty and doubt is a great seller. You hear the prophets of doom: ‘it’ll happen to us if we don’t implement such and such a thing’. And what you have to say is, ‘what’s the likelihood of this happening, or why are we a particular target, what mitigant strategies have we got in place? If it does happen to us, what’s the impact on the business?’ You’ve got to be able to weigh up all of those risk control disciplines and then make a decision.
You have to sit down and look at it objectively. Get all the subjective issues out of it. A lot of security people are very passionate and they say ‘the business doesn’t understand the risk’. The business well understands risk: they’re dealing with risk on a day-to-day basis and you really have to go out and make a decision. Sometimes, you don’t get what you want but you have to move on from that, as well.
Are there ways to improve an organisation’s security posture by doing things more cleverly, rather than just throwing more money at the problem?
In development, there’s the buy-rather-than-build dilemma that we always face. You say, ‘what I’m going to do is get the core functionality with the tool and I’ll build an API that wraps around it and gives the extra 20pc’.
That’s smart resourcing, and that’s what security really needs to do an awful lot better, rather than just buying a tool for this, for that and the other, and not being able to manage all those, when in reality maybe one tool will do – with a little bit of tweaking.
Do some organisations fall into the trap of focusing on security as compliance rather than treating it as good business practice or giving it the respect it deserves?
I don’t think it deserves an awful lot of respect: I think it has to be a risk mitigant factor. And if organisations are prepared to take a lot of risks, they’re prepared to take them in other ways, as well. Really, it’s a business decision: are you willing to invest in a control to mitigate against that risk? And security is only one of the risks to be mitigated. So if they’re going to take risks in security, they’re going to take risks in other ways.
Big risks have the potential to provide big revenues and big money but they also have the potential to cause failure in the organisation. And security is no different there. You can reduce your costs by cutting security way out, but what you’re doing is increasing the risk of the service being no longer available for the organisation.
In your experience, how important is it to get buy-in from senior management to change an organisation’s information security culture?
It is the one key differentiator that I’ve seen. If senior management aren’t committed in terms of what they do, not what they say: they have to be prepared.
I’ve always been a big fan of active control of risk rather than passive risk. So if you have passive risk, you don’t understand what your risks are: you’re accepting a level of risk that is completely unknown to you. Whereas if you assess your risk and put a value on that risk, you say, ‘this is the amount of it, if you want to call it residual risk, that I’m accepting, and this is the amount of risk that I’m controlling’. And it becomes very logical at that stage.
If you reduce all risk, you’ve no profit, so the big key is active control of that risk. So if senior management have that kind of a mindset, then security gets its place as much as everything else does, and that’s where money is made.