Cut Costs and Improve Security through Investment Control

Feb 25, 2013

In my travels, one of the most perplexing yet seemingly easy issues to solve for very large organizations is the decentralization of information technology activities. Let me explain. There are organizations with disparate geographic locations that, over time, have established their own local information technology shops and, in turn, their own information security functions. Each of these locations is tasked with a different function that supports the overall organizational mission. Each location is funded separately, using its own dollars to procure technology, hire staff and establish a full-fledged IT shop, with an occasional information security professional or, at best, someone tasked with that responsibility. As time has passed, these shops have become operational IT centers with budgets in some cases in the millions. The idea of centralized control of almost any kind slipped away as focus on individual missions took center stage. The individual missions integrate at the business level, forming a cohesive model, but IT remains a silo of autonomy focused solely on supporting the location's mission.

The IT shops establish relationships with vendors, hire contractors, develop their own systems, staff their data centers, purchase their own security technologies and have their own CIOs and associated structures. These are not shadow IT organizations but fully sanctioned and functioning IT shops with ever-growing budgets. Visibility into the individual IT shops decreases in direct proportion to the local independence that grows with each increase in the local IT budget.

Eventually, someone in a finance position starts to look at the exorbitant cost of information technology and information security across the organization. They realize that each of the separate missions is costing scores of millions of dollars in information technology, support, staffing, vendor contracts, compliance, audits and all the trimmings of an enterprise IT program, yet at the local level. Information security costs skyrocket as localized data breaches bring greater attention to the funding problems of a decentralized approach. The initial request to control costs is made.

These organizations may or may not have a centralized CISO function, but the CISO role is at best a figurehead with little funding, limited influence, and no financial control over information security spending. Over the years, the CISO has tried to establish some modicum of influence, usually in the form of an information security advisory board where the information security professionals from each of the local organizations meet to discuss problems. Periodically there may be some cooperation in the form of labor support, but any sharing of technologies requires an act of God.

In time, the central CISO role grows, with a staff of its own, but only in the mode of dealing with auditors, compliance issues, some level of centralized policy management, and a false sense of leadership over the disparate local organizations. The CISO may even gain funding from time to time to establish a security operations center, even though the center supports maybe half of all organizations. They may gain funding for a governance, risk and compliance software solution that only half of all organizations decide to use. In time, they too are sucking off the teat of the central source of income.

Attempts to centralize IT and information security functions fail as often as the concept is brought to the table. No one has an enterprise view of all information security technologies and services. No one has knowledge of the contracts with vendors and the services provided. No one has an understanding of the local, much less the enterprise, security posture of the organization. Any attempt to gain one means peering into the local IT organizations, which is met with great suspicion and contempt. This model of futility continues for years, sometimes bearing fruit but nothing of real, sustainable value that solves the issues. The problems grow into:

– Cost overruns
– Massive financial outlays for technology and services
– Facility costs for establishing redundant IT capabilities
– Full-fledged local IT shops
– Information security functions, some of which represent a complete local program
– Information security functions that are only partially funded
– Information security functions with no information security professionals in tow
– Individual contracts with the same vendors, managed only locally
– Individual contracts that bleed dollars as vendors maintain contract silos
– Individual maintenance contracts
– Deployments of the same or similar technologies
– Creation of local skills with only a local viewpoint
– A continuous spate of data breaches
– An inability to truly understand the local security posture
– An inability to truly understand the enterprise security posture
– Localized authority with more influence and control than any centralized IT and information security function
– Attitudes that foster little cooperation, limited visibility, and a hands-off approach

Senior organizational leadership pushes and cajoles the centralized IT organization to rein in the costs. All efforts to do so fail as the years go by. All the while, the answer has been at their fingertips. It all comes down to economic control.

Everything has an economic base. IT and information security are no different. If leadership really wants you to fix the problems, it needs to control the dollars. Changing the flow of dollars, shifting the review of projects, modifying the approval process, and forcing project reviews against enterprise benefit, cost and risk criteria all change the balance of power. The information technology and security investment life cycle shifts from local review and approval to centralized prioritization and enterprise approval. At the same time, a full review of all information technology and security capabilities (technology, services, and skills) occurs. This is both a review of all contracts across the enterprise and a full physical review of each local IT shop and information security program. As resistance to the effort grows, investment pressure increases. It is the only way to get their attention.

If you want to shift how information security is managed, follow the money. Once you know where it goes, you can work with the CFO and other financial stakeholders to control IT and information security investments. It is never too late to start. If you need guidance, look at NIST draft SP 800-65 Rev. 1. Examine OMB Circular A-130, Section 8b(3). Review OMB Circular A-11. Believe me, the naysayers and those who resist will come to the table once the flow of dollars shifts. In the end, your program will improve. It won't solve everything, but it will bring the proper attention to the problem.