In Depth
How you fund a CSO
Genzyme's CFO-An exec who gets it; Finding security equilibrium; Are our harbors safe?; Better budgeting; What employees who travel need from a CSO; Protecting your company's intellectual property; A true story of employee termination
By CSO Contributor
2. Your CSO must target spending more wisely. But sometimes it's hard to tell if the budget a CSO gets is being well spent. Think of it this way: If you wear your seat belt for a year but don't get in an accident, was that an effective security measure? What will help answer that kind of question is, again, an increased focus on metrics and viewing security not as a binary spend (either it makes us safe or it doesn't) but as a risk equation (how safe does it make us relative to the cost?).
3. You should spend less on technology and more on education. CISOs, especially, seem to think the solution to every security problem is to throw more technology at it. "It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember an editorial suggesting that cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective," says Spernow.
4. Last, you should use common sense, even in the wake of a major incident. Too often, top executives succumb to their emotions after a major incident. Someone steals intellectual property, and, to avoid bad press, the company pays a hacker an extortion fee. That kind of overreacting is human, but it's also not the way to budget for security. It leads to wild overspending, followed by severe curtailing. It sends mixed signals about the value of security. It is a characteristic of a corporation that is reactionary to security, not proactive.
Trust us on this one: When you're reactionary, security execs will take advantage of you. "What's amazing about major incidents," says Stephen Northcutt, a former CISO with the Ballistic Missile Defense Organization, "is that the status quo ceases. At that moment, you can go to the top brass and ask them for anything, and they'll do it. Boom. And, 100 percent of the time, I've got something on my shopping list. And I'm completely brazen about it. It might have nothing at all to do with the incident at hand, but I'll get it."
The organization that inculcates security into its culture is more likely to budget well, so it all starts with awareness, education and executive endorsement. (By now, these are recognizable, recurring themes in this handbook.) And if your CSO asks for a budget of 4 percent to 10 percent of total revenue, it's OK to laugh.