The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture, 1st Edition (Paperback) book cover

The Frugal CISO

Using Innovation and Smart Approaches to Maximize Your Security Posture, 1st Edition

By Kerry Ann Anderson

Auerbach Publications

381 pages | 4 B/W Illus.

Purchasing Options:$ = USD
Paperback: 9781482220070
pub: 2014-05-19
SAVE ~$10.79
Hardback: 9781138436831
pub: 2017-07-27
SAVE ~$41.00
eBook (VitalSource) : 9780429076107
pub: 2014-05-19
from $25.98

FREE Standard Shipping!


If you’re an information security professional today, you are being forced to address growing cyber security threats and ever-evolving compliance requirements, while dealing with stagnant and decreasing budgets. The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture describes techniques you can immediately put to use to run an effective and efficient information-security management program in today’s cost-cutting environment.

The book outlines a strategy for managing the information security function in a manner that optimizes cost efficiency and results. This strategy is designed to work across a wide variety of business sectors and economic conditions and focuses on producing long-term results through investment in people and technology.

The text illustrates real-world perspectives that reflect the day-to-day issues that you face in running an enterprise’s security operations. Focused on managing information security programs for long-term operational success, in terms of efficiency, effectiveness, and budgeting ability, this book will help you develop the fiscal proficiency required to navigate the budgeting process.

After reading this book you will understand how to manage an information security program with a limited budget, while still maintaining an appropriate level of security controls and meeting compliance requirements. The concepts and methods identified in this book are applicable to a wide variation of teams, regardless of organizational size or budget.

Table of Contents

"New Normal"

When Can We Get Back to Normal?

Frugal versus Cheap

Time, Cost, and Quality Paradox

We Are Special?

"It’s the Economy, Stupid," or Is Something Impacting Security Budgets?

Slowing of Compliance

Security Technology Fatigue

FUD Fatigue

C-Level Compliancy

Waiting for Perfection

They Really Don’t Care about Information Security (at Least Now)

What Is Normal, Anyway?


Information Security Maturity Life Cycle

Where Is My Team?

Using the Nolan Model Combined with Information Security-Specific Benchmarks

Why Assess Information Security Maturity Levels?

The Six Levels of Information Security Maturation

Stage 1: Initiation

Stage 2: Contagion

Stage 3: Control

Stage 4: Integration

Stage 5: Data Administration

Stage 6: Maturity/Continuous Renewal

You Are Here: Determining an Organization’s Maturity Stage

Approximate Your Final Destination

Skipping Levels

Bridging the Gaps

Stumbles Happen

Spotting Maturity Landmarks of Progress

Tips for Managing the Information Security Maturation Process


Reducing Complexity

Complexity and Volume, Oh My

Actively Managing the Application Portfolio

Building a Current Application Inventory

Reducing Application Complexity

Strategies for Reducing Application Complexity

Why Applications Are the Favorite "Hacker Snack"

Application Risk Rating

Identification of Appropriate Information

Protection Classification for Applications

Information Classification System

Information Classification Scheme and Application Security Rating

Application Risk Levels and Definitions

Steps to Implementing Complexity Reduction

Legacy Third-Party Applications

Strategies for Minimizing Risks and Costs for Vendor Applications

Spell Out the Details of Required Support, Security, and Vulnerability Management in the SLA

Do Regular Information Security Assessments of Your Vendor Applications

Reducing Data Storage

Steps to Reducing Stored Data

Strategies for Reducing and Managing Data

Steps to Finding the Data

Electronic Information Inventory

Data Discovery Solutions

The Next Steps in Reduction of Obsolete or Redundant Data

Reduce Security Solutions Complexity

Paring Down Security Solutions

Other Strategies to Reduce the Cost of Security Solutions

Reducing Complexity and Risks Created by "Bolt-On" Security

Bolt-On Security

Building in Security: Cheaper and Better

Strategies for Embedding Security in Systems

Use of Financial Justification

Use of Secure Development Practices as a Pilot Proof of Concept for Select New Technology Projects

Identification of an Internal Champion for the Adoption of Secure Development

Integrate Vulnerability Testing into Software Development Process

Customize the Secure Development Process to Fit the Organization


Frugal Hiring

People, Process, and Technology—In That Order

Relationship between Costs, Hiring, and Effective Team Management

Finding the Right Stuff and Right Fit

Job Descriptions or Looking for the Lord Himself (or Herself)

Hiring "On the Cheap"

Developing a Hiring Strategy and Tactics for the Long Run

Hiring for the Wrong Reasons

Some Tactics for Strong Hiring

Learn to Spot the Candidate with that Je Ne Sais Quoi

Learn from Past Mistakes and Make a Fresh Start with Each Hiring

Get Your Team Involved

Connection with Candidates on a Personal Level

Avoid Ending on a Poor Note

Avoiding "Halo Hiring"

Cultivate and Close Your Preferred Candidates

Using Recruiters

Interviewing for Understanding and Motivation

Interview Process: Identifying the Right Candidate and Closing the Deal

Strategies for Avoiding Excessive Hiring Costs

Attracting Quality Is Not Cheap

Know What the Position Is before You Start Recruiting

Don’t Play Bait and Switch after Hiring

Use Recruiters Effectively

Consider Internal Candidates When Possible

Use a Technical Interview

Don’t Stretch Out the Hiring Process Too Long

Hiring the Transitioning Professional

Frugal Team Management

A Team Is the Sum of Its Ingredients

Security Is a Team Sport

Building or Renovating the Information Security Team

A Word of Caution: Don’t Try to Clone Your Old Information Security Team

Building a New Information Security Team

Revamping an Existing Information Security Team

Having Existing Team Reapply for Their Positions

Next Steps after Restructuring of an Existing Team

Professional Development Planning

Stress and Information Security

Tips for Helping Information Security Professionals Combat Burnout

Tips for Employers to Combat Information

Security Burnout

Cost of Turnover

Costs of Excessive Turnover of Information Security Staff

Tips on Lowering Turnover of Information Security Employees

Retaining and Nurturing Your Information Security Team

Why Teams Fail to Meet Expectations

Inability to Gel

The Fish Rots from the Head Down

Toxic Element

Vital Ingredient: Team Learning


Managing External Parties Effectively

It Takes a Global Village


A Framework for Cost-Effective Outsourcing Management

Outsourcing Framework Objectives

Outsourcing Assessment Guidelines

Information Security and Outsourcing Service Level Agreements

Contract Staff

Risks Associated with Information Security Contractors

Some Consultants (and Agencies) May Oversell Their Information Security Expertise

Misfit for Corporate Culture

Serious Limitations in Some Critical Skills

Difficulty Getting References

Be Realistic about the Length of Your Engagement

Overhead for Consultant to Learn the Lay of the Land (Your Organization)

Attitudes of Employees toward Consultants

Generally, You Get What You Pay For (or Less)

Poor Role Selection for Contractor Staff

BYOD and Contractor Security

Loss of Investments in Training and Experience

Use of Specialized Security Services Firms

Digital Forensics (Data Recovery and Investigations)

Security Breach and Cyber Incident Event Management

Ethical Hacking and Pen Testing

Regulatory Compliance Management Firms

Electronic Discovery (eDiscovery) Firms

Vendor Software

Cost-Effective Vendor Application Risk Management


Security Awareness :Fluff or Strategic Investment?

What Is the ROI of Security Awareness Spending?

People Are the New Security Perimeter

Are Security Awareness Programs Budget Wasters?

Have Automated Security Tools Diminished the Necessity for Awareness Training?

Security and Convenience: The Human Factor

Technical Security Control Failures via the Human Factor

Human Factor as an Asset to Information Security

Why Some Practitioners Doubt the Effectiveness of Security Awareness

Why Security Awareness Fails to Meet Expectations

Implementing an Impactful Security Awareness Program

Principles of Effective Information Security Awareness


Stress the Why

Lump Messages Around Why

Just Say "No" to FUD

Avoid "Security Theater"

Keep It Fresh

Use Stories

Make It Actionable

Use Tchotchkes Effectively

Use Metrics and Statistics Sparingly

Avoid Trite, Silly, or Dated Concepts

Know Your Audience and Culture

Avoid Awareness Materials Mishaps

Use Only Licensed Content and Images

Do Not Belittle Users (Even When They Are Not Present)

Consider Generational Differences in Risk Perception

Maximizing Investment in Security Awareness


Information Security Policies and Procedures

Foundational Elements of Cost-Effective and Efficient Information Security

What Are Information Security Policies?

Why Some Organizations Go "Naked" (without Policy)

Why Does an Organization Need an Information Security Policy?

Benefits of Information Security Policy

Policies Ensure Standard Ways of Doing and Measuring Security Activities

Creates a Foundation for the Rest of the Policy Hierarchy

Communicates to Stakeholders Proof of Commitment to Security

Demonstrates a Commitment to Security to Regulatory Bodies

Shows a Pattern of Due Diligence to Auditors in Business Operations

Provides Guidance for Acceptable Use of Assets

Provides Demonstrable Evidence of Executive Management

Limits Liability for Organization and Staff

Information Security Policies are Expensive to Create and Maintain

Initial Policy Development Costs

Approaches to Creating an Information Security Policy

Use Prewritten Policy Templates

Develop a Custom Policy

Use the Information Security Policy of Another Organization and Making Adjustments

Outsource Policy Development and Maintenance

Steps in Creation of the Information Security Policy

Identify the Information Security Policy Team

Collect Background Research Material

Prepare a Topic Coverage List

Design a Policy Standard Structure

Develop Policy Content

Perform Reviews and Revisions Involving Key Stakeholders

Obtain Ratification and Release the Policy

Have a Formal Exception Process in Place

Develop a Policy Rollout Plan and Awareness Campaign

Information Security Policy Faux Pas 2

Policy Faux Pas 1: The Overly Long Policy

Policy Faux Pas 2: Policy Cannot Be Monitored or Enforced

Policy Faux Pas 3: Aspirational Policy

Best and Cost-Efficient Practices in Information Security Policy

Strong Version Control

Policy Review Committee

Regular Reviews

Determine Policy Ownership

Determining When a New Policy Is Needed

Policy Management Applications

Simple File Hierarchy and Spreadsheets/General Database

General Document Management/Version Control Software

Specialized Policy Management Solutions

Going Naked (No Information Security Policies)

Major Policy Renovations

Emerging Policy Areas

River Called "Denial"

Toothless Policies

Technology without Written Policy

Combining Policy and Technology

Policy Grandfathering

Information Security Policy: Final Words with a Cost-Saving Checklist


"Is This Necessary?"

Do We Need To Do Everything We Are Currently Doing?

Why Some Security Processes Endure beyond Their Expiration Date

It Has Always Been Done This Way (Failure to Question Existing Controls)

"Invented Here" Syndrome (Proprietary Ownership of Controls)

"Zombie" Controls

Team Stagnation and Lack of Control Innovation

Avoiding Team Stagnation: Encourage and Support Questioning

Red Flags for Potentially Ineffective Controls

Evaluating the Current Value of Existing Security Controls

Performing a Security Controls Inventory

Finding the "Sweet Spot" for Controls

Maximize the Value of IT Controls

Special-Purpose Controls

House of Logs

Tips for Getting the Most Bang for the Buck from Logs

What Type of Control Is the Most Cost Effective?

Defense-in-Depth and Layered Security Controls

Human Aspect of Controls

Controls Creating User Frustration and Dissatisfaction

Controls Creating Misunderstanding Leading to Security Failures

Humans Bypassing Security Controls

Adding "People Literacy" to Security Controls

Understanding the Total Cost of Ownership of Controls

Developing a Bespoke Security Controls Strategy

Using Maturity Level and Budgeting Availability to Develop a Security Control Strategy

Using Open Source Security Controls

When "Free" Controls Are Not Free

Security Control Strategy: Homogenous versus Heterogeneous Controls

Critical Key Success Factor in Managing Controls: The Need to Document

Why Is Documentation So Important and Often Overlooked?

What Should Security Control Documentation Include?


Tips for Implementing Cost-Effective and Efficient Security Controls

Understand the Budgeting Cycle

What Is the Budget and Why Is It Important?

What Makes a Good Budget?

What Is a Budget? (Traditional Approach)

Zero-Based Budgeting

Hybrid Budgeting

Basic Principles of Budget Management

Financial Selling: Getting More Budget

Understanding the Budget "Game"

Putting On Your Budget "Game Face"

What Is Financial Selling?

Rebranding Return on Security Investment

Getting to Know the Budget Gurus

The Budget Cycle

Budget Planning, Preparation, and Submission Activities


Budget Execution

Audit and Evaluation

Budget Replanning

Budgeting for Multiyear Projects

Avoiding Requesting Additional Fundsm for Nonbudgeted Expenses

Tips for Information Security Budgeting Success


Using the Goldilocks Principle

Getting It Just Right

You Can’t Go Home Again

Do We Need to Be World Class or Best in Breed?

Are Best Practices Really Always "Best"?

Best Practices

Keys to Success in Implementing Best Practices

Is It Feasible?

Make It Your Own

Great Real

Consider People, Process, and Technology

Determining the Efficiency of Best Practices for an Organization

Smart Operating Practices

Thirty Nearly Universal Smart Practices for Information Security


The Hybrid (Frugal) CISO

Traits for Evolving, Enabling, and Transforming Information Security Organizations

Not Afraid Not to be the Smartest Person in the Room

Open to the Ideas of Others

Flexible and Proficient across a Variety of Domains

Rolls with the Punches

Problem Solver

Lateral Thinker

Business Acumen

Comfortable with Finance and Budgeting

Plays Nice with Others



Proactive Agent of Change

Strong Leader

Accepts Shades of Gray

Excellent Manager

Bridge Builder

Strong Ethical Core

The Frugal CISO 2.0: Critical Success Factors


Frugality as a Continuing Strategy for Information Security Management

Frugality and the Future

Achieve Compliance with Emerging External or Internal Requirements

Support Controls for Emerging Threats in the Risk Landscape

Update, Extend, or Enhance Information Security to Grow with Business Plans (Alignment)

Invest in Training to Expand the Value of Staff

Fund Initiatives Designed to Evolve the Overall Maturity Level of the Information Security Organization

Resolve Open Audit Issues

Managing the Budget Merry-Go-Round

Be Prepared for Every Budget Eventuality


About the Author

Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE, CCSK, MBA, MSCIS, MSIA,is an information security and records management consultant with more than 15 years of experience in information security and IT across a variety of industries. She has worked in information security, application development, financial systems operations, network administration, IT audit, records management, business contingency planning, and graduate-program instruction.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General