1st Edition

The Frugal CISO
Using Innovation and Smart Approaches to Maximize Your Security Posture

ISBN 9781482220070
Published May 19, 2014 by Auerbach Publications
381 Pages 4 B/W Illustrations



Book Description

If you’re an information security professional today, you are being forced to address growing cyber security threats and ever-evolving compliance requirements, while dealing with stagnant and decreasing budgets. The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture describes techniques you can immediately put to use to run an effective and efficient information-security management program in today’s cost-cutting environment.

The book outlines a strategy for managing the information security function in a manner that optimizes cost efficiency and results. This strategy is designed to work across a wide variety of business sectors and economic conditions and focuses on producing long-term results through investment in people and technology.

The text illustrates real-world perspectives that reflect the day-to-day issues that you face in running an enterprise’s security operations. Focused on managing information security programs for long-term operational success, in terms of efficiency, effectiveness, and budgeting ability, this book will help you develop the fiscal proficiency required to navigate the budgeting process.

After reading this book you will understand how to manage an information security program with a limited budget, while still maintaining an appropriate level of security controls and meeting compliance requirements. The concepts and methods identified in this book are applicable to a wide variety of teams, regardless of organizational size or budget.

Table of Contents

"New Normal"
When Can We Get Back to Normal?
Frugal versus Cheap
Time, Cost, and Quality Paradox
We Are Special?
"It’s the Economy, Stupid," or Is Something Impacting Security Budgets?
     Slowing of Compliance
     Security Technology Fatigue
     FUD Fatigue 
     C-Level Compliancy 
     Waiting for Perfection 
     They Really Don’t Care about Information Security (at Least Now)
What Is Normal, Anyway?

Information Security Maturity Life Cycle
Where Is My Team?
Using the Nolan Model Combined with Information Security-Specific Benchmarks
Why Assess Information Security Maturity Levels?
The Six Levels of Information Security Maturation
     Stage 1: Initiation 
     Stage 2: Contagion 
     Stage 3: Control 
     Stage 4: Integration 
     Stage 5: Data Administration 
     Stage 6: Maturity/Continuous Renewal
You Are Here: Determining an Organization’s Maturity Stage
Approximate Your Final Destination
Skipping Levels
Bridging the Gaps
Stumbles Happen
Spotting Maturity Landmarks of Progress
Tips for Managing the Information Security Maturation Process

Reducing Complexity
Complexity and Volume, Oh My
Actively Managing the Application Portfolio 
     Building a Current Application Inventory
Reducing Application Complexity
Strategies for Reducing Application Complexity
Why Applications Are the Favorite "Hacker Snack"
Application Risk Rating 
     Identification of Appropriate Information
     Protection Classification for Applications 
     Information Classification System 
     Information Classification Scheme and Application Security Rating 
     Application Risk Levels and Definitions 
     Steps to Implementing Complexity Reduction
Legacy Third-Party Applications 
     Strategies for Minimizing Risks and Costs for Vendor Applications 
          Spell Out the Details of Required Support, Security, and Vulnerability Management in the SLA
          Do Regular Information Security Assessments of Your Vendor Applications
Reducing Data Storage 
     Steps to Reducing Stored Data
Strategies for Reducing and Managing Data
     Steps to Finding the Data 
          Electronic Information Inventory 
          Data Discovery Solutions
     The Next Steps in Reduction of Obsolete or Redundant Data
Reduce Security Solutions Complexity 
     Paring Down Security Solutions 
     Other Strategies to Reduce the Cost of Security Solutions
Reducing Complexity and Risks Created by "Bolt-On" Security 
     Bolt-On Security 
     Building in Security: Cheaper and Better 
     Strategies for Embedding Security in Systems 
          Use of Financial Justification
          Use of Secure Development Practices as a Pilot Proof of Concept for Select New Technology Projects 
          Identification of an Internal Champion for the Adoption of Secure Development 
          Integrate Vulnerability Testing into Software Development Process
          Customize the Secure Development Process to Fit the Organization

Frugal Hiring
People, Process, and Technology—In That Order
Relationship between Costs, Hiring, and Effective Team Management
Finding the Right Stuff and Right Fit
Job Descriptions or Looking for the Lord Himself (or Herself) 
     Hiring "On the Cheap"
Developing a Hiring Strategy and Tactics for the Long Run 
     Hiring for the Wrong Reasons
Some Tactics for Strong Hiring 
     Learn to Spot the Candidate with that Je Ne Sais Quoi
     Learn from Past Mistakes and Make a Fresh Start with Each Hiring
     Get Your Team Involved 
     Connection with Candidates on a Personal Level 
     Avoid Ending on a Poor Note 
     Avoiding "Halo Hiring" 
     Cultivate and Close Your Preferred Candidates
Using Recruiters
Interviewing for Understanding and Motivation
Interview Process: Identifying the Right Candidate and Closing the Deal
Strategies for Avoiding Excessive Hiring Costs 
     Attracting Quality Is Not Cheap 
     Know What the Position Is before You Start Recruiting 
     Don’t Play Bait and Switch after Hiring 
     Use Recruiters Effectively
     Consider Internal Candidates When Possible 
     Use a Technical Interview 
     Don’t Stretch Out the Hiring Process Too Long
Hiring the Transitioning Professional

Frugal Team Management
A Team Is the Sum of Its Ingredients
Security Is a Team Sport
Building or Renovating the Information Security Team 
     A Word of Caution: Don’t Try to Clone Your Old Information Security Team 
     Building a New Information Security Team 
     Revamping an Existing Information Security Team 
     Having Existing Team Reapply for Their Positions 
     Next Steps after Restructuring of an Existing Team
Professional Development Planning
Stress and Information Security 
     Tips for Helping Information Security Professionals Combat Burnout 
     Tips for Employers to Combat Information Security Burnout
Cost of Turnover 
     Costs of Excessive Turnover of Information Security Staff
Tips on Lowering Turnover of Information Security Employees
Retaining and Nurturing Your Information Security Team
Why Teams Fail to Meet Expectations
     Inability to Gel 
     The Fish Rots from the Head Down
     Toxic Element
Vital Ingredient: Team Learning

Managing External Parties Effectively
It Takes a Global Village
     A Framework for Cost-Effective Outsourcing Management 
     Outsourcing Framework Objectives 
     Outsourcing Assessment Guidelines
Information Security and Outsourcing Service Level Agreements
Contract Staff 
     Risks Associated with Information Security Contractors 
          Some Consultants (and Agencies) May Oversell Their Information Security Expertise 
          Misfit for Corporate Culture 
          Serious Limitations in Some Critical Skills
          Difficulty Getting References 
          Be Realistic about the Length of Your Engagement 
          Overhead for Consultant to Learn the Lay of the Land (Your Organization)
          Attitudes of Employees toward Consultants 
          Generally, You Get What You Pay For (or Less) 
          Poor Role Selection for Contractor Staff 
          BYOD and Contractor Security 
          Loss of Investments in Training and Experience
Use of Specialized Security Services Firms 
     Digital Forensics (Data Recovery and Investigations) 
     Security Breach and Cyber Incident Event Management 
     Ethical Hacking and Pen Testing 
     Regulatory Compliance Management Firms 
     Electronic Discovery (eDiscovery) Firms
Vendor Software 
     Cost-Effective Vendor Application Risk Management

Security Awareness: Fluff or Strategic Investment?
What Is the ROI of Security Awareness Spending?
People Are the New Security Perimeter
Are Security Awareness Programs Budget Wasters?
Have Automated Security Tools Diminished the Necessity for Awareness Training?
Security and Convenience: The Human Factor
Technical Security Control Failures via the Human Factor
Human Factor as an Asset to Information Security
Why Some Practitioners Doubt the Effectiveness of Security Awareness
Why Security Awareness Fails to Meet Expectations
Implementing an Impactful Security Awareness Program
Principles of Effective Information Security Awareness 
     Use KISS
     Stress the Why 
     Lump Messages Around Why 
     Just Say "No" to FUD 
     Avoid "Security Theater" 
     Keep It Fresh 
     Use Stories 
     Make It Actionable 
     Use Tchotchkes Effectively 
     Use Metrics and Statistics Sparingly 
     Avoid Trite, Silly, or Dated Concepts 
     Know Your Audience and Culture 
     Avoid Awareness Materials Mishaps 
     Use Only Licensed Content and Images 
     Do Not Belittle Users (Even When They Are Not Present) 
     Consider Generational Differences in Risk Perception
Maximizing Investment in Security Awareness

Information Security Policies and Procedures
Foundational Elements of Cost-Effective and Efficient Information Security
What Are Information Security Policies?
Why Some Organizations Go "Naked" (without Policy)
Why Does an Organization Need an Information Security Policy?
Benefits of Information Security Policy 
     Policies Ensure Standard Ways of Doing and Measuring Security Activities 
     Creates a Foundation for the Rest of the Policy Hierarchy 
     Communicates to Stakeholders Proof of Commitment to Security 
     Demonstrates a Commitment to Security to Regulatory Bodies 
     Shows a Pattern of Due Diligence to Auditors in Business Operations 
     Provides Guidance for Acceptable Use of Assets 
     Provides Demonstrable Evidence of Executive Management 
     Limits Liability for Organization and Staff
Information Security Policies are Expensive to Create and Maintain
Initial Policy Development Costs
Approaches to Creating an Information Security Policy 
     Use Prewritten Policy Templates 
     Develop a Custom Policy 
     Use the Information Security Policy of Another Organization and Making Adjustments 
     Outsource Policy Development and Maintenance
Steps in Creation of the Information Security Policy 
     Identify the Information Security Policy Team 
     Collect Background Research Material 
     Prepare a Topic Coverage List 
     Design a Policy Standard Structure 
     Develop Policy Content 
     Perform Reviews and Revisions Involving Key Stakeholders 
     Obtain Ratification and Release the Policy 
     Have a Formal Exception Process in Place
     Develop a Policy Rollout Plan and Awareness Campaign
Information Security Policy Faux Pas
     Policy Faux Pas 1: The Overly Long Policy
     Policy Faux Pas 2: Policy Cannot Be Monitored or Enforced
     Policy Faux Pas 3: Aspirational Policy
Best and Cost-Efficient Practices in Information Security Policy 
     Strong Version Control
     Policy Review Committee 
     Regular Reviews 
     Determine Policy Ownership
Determining When a New Policy Is Needed
Policy Management Applications
     Simple File Hierarchy and Spreadsheets/General Database
     General Document Management/Version Control Software 
     Specialized Policy Management Solutions
Going Naked (No Information Security Policies)
Major Policy Renovations
Emerging Policy Areas 
     River Called "Denial" 
     Toothless Policies 
     Technology without Written Policy 
     Combining Policy and Technology
Policy Grandfathering
Information Security Policy: Final Words with a Cost-Saving Checklist

"Is This Necessary?"
Do We Need To Do Everything We Are Currently Doing?
Why Some Security Processes Endure beyond Their Expiration Date 
     It Has Always Been Done This Way (Failure to Question Existing Controls) 
     "Invented Here" Syndrome (Proprietary Ownership of Controls) 
     "Zombie" Controls
Team Stagnation and Lack of Control Innovation
Avoiding Team Stagnation: Encourage and Support Questioning
Red Flags for Potentially Ineffective Controls
Evaluating the Current Value of Existing Security Controls
Performing a Security Controls Inventory
Finding the "Sweet Spot" for Controls
Maximize the Value of IT Controls
Special-Purpose Controls
House of Logs
Tips for Getting the Most Bang for the Buck from Logs
What Type of Control Is the Most Cost Effective?
Defense-in-Depth and Layered Security Controls
Human Aspect of Controls 
     Controls Creating User Frustration and Dissatisfaction
Controls Creating Misunderstanding Leading to Security Failures
Humans Bypassing Security Controls
Adding "People Literacy" to Security Controls
Understanding the Total Cost of Ownership of Controls
Developing a Bespoke Security Controls Strategy
Using Maturity Level and Budgeting Availability to Develop a Security Control Strategy
Using Open Source Security Controls
When "Free" Controls Are Not Free
Security Control Strategy: Homogenous versus Heterogeneous Controls
Critical Key Success Factor in Managing Controls: The Need to Document 
     Why Is Documentation So Important and Often Overlooked? 
     What Should Security Control Documentation Include? 
Tips for Implementing Cost-Effective and Efficient Security Controls

Understand the Budgeting Cycle
What Is the Budget and Why Is It Important?
What Makes a Good Budget?
What Is a Budget? (Traditional Approach)
Zero-Based Budgeting
Hybrid Budgeting
Basic Principles of Budget Management
Financial Selling: Getting More Budget 
     Understanding the Budget "Game"
Putting On Your Budget "Game Face"
What Is Financial Selling?
Rebranding Return on Security Investment
Getting to Know the Budget Gurus
The Budget Cycle 
     Budget Planning, Preparation, and Submission Activities 
     Budget Execution 
     Audit and Evaluation 
     Budget Replanning
Budgeting for Multiyear Projects
Avoiding Requesting Additional Funds for Nonbudgeted Expenses
Tips for Information Security Budgeting Success

Using the Goldilocks Principle
Getting It Just Right
You Can’t Go Home Again
Do We Need to Be World Class or Best in Breed?
Are Best Practices Really Always "Best"?
Best Practices
Keys to Success in Implementing Best Practices 
     Is It Feasible? 
     Make It Your Own 
     Get Real 
     Consider People, Process, and Technology
Determining the Efficiency of Best Practices for an Organization
Smart Operating Practices
Thirty Nearly Universal Smart Practices for Information Security

The Hybrid (Frugal) CISO
Traits for Evolving, Enabling, and Transforming Information Security Organizations
Not Afraid Not to be the Smartest Person in the Room
Open to the Ideas of Others
Flexible and Proficient across a Variety of Domains
Rolls with the Punches
Problem Solver
Lateral Thinker
Business Acumen
Comfortable with Finance and Budgeting
Plays Nice with Others
Proactive Agent of Change
Strong Leader
Accepts Shades of Gray
Excellent Manager
Bridge Builder
Strong Ethical Core
The Frugal CISO 2.0: Critical Success Factors

Frugality as a Continuing Strategy for Information Security Management
Frugality and the Future
     Achieve Compliance with Emerging External or Internal Requirements 
     Support Controls for Emerging Threats in the Risk Landscape 
     Update, Extend, or Enhance Information Security to Grow with Business Plans (Alignment) 
     Invest in Training to Expand the Value of Staff
     Fund Initiatives Designed to Evolve the Overall Maturity Level of the Information Security Organization 
     Resolve Open Audit Issues
Managing the Budget Merry-Go-Round
Be Prepared for Every Budget Eventuality




Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE, CCSK, MBA, MSCIS, MSIA, is an information security and records management consultant with more than 15 years of experience in information security and IT across a variety of industries. She has worked in information security, application development, financial systems operations, network administration, IT audit, records management, business contingency planning, and graduate-program instruction.
