1st Edition
The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture
If you’re an information security professional today, you are being forced to address growing cyber security threats and ever-evolving compliance requirements, while dealing with stagnant and decreasing budgets. The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture describes techniques you can immediately put to use to run an effective and efficient information-security management program in today’s cost-cutting environment.
The book outlines a strategy for managing the information security function in a manner that optimizes cost efficiency and results. This strategy is designed to work across a wide variety of business sectors and economic conditions and focuses on producing long-term results through investment in people and technology.
The text illustrates real-world perspectives that reflect the day-to-day issues you face in running an enterprise’s security operations. Focused on managing information security programs for long-term operational success, in terms of efficiency, effectiveness, and budget management, this book will help you develop the fiscal proficiency required to navigate the budgeting process.
After reading this book you will understand how to manage an information security program with a limited budget, while still maintaining an appropriate level of security controls and meeting compliance requirements. The concepts and methods identified in this book are applicable to a wide variety of teams, regardless of organizational size or budget.
"New Normal"
When Can We Get Back to Normal?
Frugal versus Cheap
Time, Cost, and Quality Paradox
We Are Special?
"It’s the Economy, Stupid," or Is Something Impacting Security Budgets?
Slowing of Compliance
Security Technology Fatigue
FUD Fatigue
C-Level Complacency
Waiting for Perfection
They Really Don’t Care about Information Security (at Least Now)
What Is Normal, Anyway?
Endnotes
Information Security Maturity Life Cycle
Where Is My Team?
Using the Nolan Model Combined with Information Security-Specific Benchmarks
Why Assess Information Security Maturity Levels?
The Six Levels of Information Security Maturation
Stage 1: Initiation
Stage 2: Contagion
Stage 3: Control
Stage 4: Integration
Stage 5: Data Administration
Stage 6: Maturity/Continuous Renewal
You Are Here: Determining an Organization’s Maturity Stage
Approximate Your Final Destination
Skipping Levels
Bridging the Gaps
Stumbles Happen
Spotting Maturity Landmarks of Progress
Tips for Managing the Information Security Maturation Process
Endnotes
Reducing Complexity
Complexity and Volume, Oh My
Actively Managing the Application Portfolio
Building a Current Application Inventory
Reducing Application Complexity
Strategies for Reducing Application Complexity
Why Applications Are the Favorite "Hacker Snack"
Application Risk Rating
Identification of Appropriate Information Protection Classification for Applications
Information Classification System
Information Classification Scheme and Application Security Rating
Application Risk Levels and Definitions
Steps to Implementing Complexity Reduction
Legacy Third-Party Applications
Strategies for Minimizing Risks and Costs for Vendor Applications
Spell Out the Details of Required Support, Security, and Vulnerability Management in the SLA
Do Regular Information Security Assessments of Your Vendor Applications
Reducing Data Storage
Steps to Reducing Stored Data
Strategies for Reducing and Managing Data
Steps to Finding the Data
Electronic Information Inventory
Data Discovery Solutions
The Next Steps in Reduction of Obsolete or Redundant Data
Reduce Security Solutions Complexity
Paring Down Security Solutions
Other Strategies to Reduce the Cost of Security Solutions
Reducing Complexity and Risks Created by "Bolt-On" Security
Bolt-On Security
Building in Security: Cheaper and Better
Strategies for Embedding Security in Systems
Use of Financial Justification
Use of Secure Development Practices as a Pilot Proof of Concept for Select New Technology Projects
Identification of an Internal Champion for the Adoption of Secure Development
Integrate Vulnerability Testing into Software Development Process
Customize the Secure Development Process to Fit the Organization
Endnotes
Frugal Hiring
People, Process, and Technology—In That Order
Relationship between Costs, Hiring, and Effective Team Management
Finding the Right Stuff and Right Fit
Job Descriptions or Looking for the Lord Himself (or Herself)
Hiring "On the Cheap"
Developing a Hiring Strategy and Tactics for the Long Run
Hiring for the Wrong Reasons
Some Tactics for Strong Hiring
Learn to Spot the Candidate with that Je Ne Sais Quoi
Learn from Past Mistakes and Make a Fresh Start with Each Hiring
Get Your Team Involved
Connection with Candidates on a Personal Level
Avoid Ending on a Poor Note
Avoiding "Halo Hiring"
Cultivate and Close Your Preferred Candidates
Using Recruiters
Interviewing for Understanding and Motivation
Interview Process: Identifying the Right Candidate and Closing the Deal
Strategies for Avoiding Excessive Hiring Costs
Attracting Quality Is Not Cheap
Know What the Position Is before You Start Recruiting
Don’t Play Bait and Switch after Hiring
Use Recruiters Effectively
Consider Internal Candidates When Possible
Use a Technical Interview
Don’t Stretch Out the Hiring Process Too Long
Hiring the Transitioning Professional
Frugal Team Management
A Team Is the Sum of Its Ingredients
Security Is a Team Sport
Building or Renovating the Information Security Team
A Word of Caution: Don’t Try to Clone Your Old Information Security Team
Building a New Information Security Team
Revamping an Existing Information Security Team
Having Existing Team Reapply for Their Positions
Next Steps after Restructuring of an Existing Team
Professional Development Planning
Stress and Information Security
Tips for Helping Information Security Professionals Combat Burnout
Tips for Employers to Combat Information Security Burnout
Cost of Turnover
Costs of Excessive Turnover of Information Security Staff
Tips on Lowering Turnover of Information Security Employees
Retaining and Nurturing Your Information Security Team
Why Teams Fail to Meet Expectations
Inability to Gel
The Fish Rots from the Head Down
Toxic Element
Vital Ingredient: Team Learning
Endnotes
Managing External Parties Effectively
It Takes a Global Village
Outsourcing
A Framework for Cost-Effective Outsourcing Management
Outsourcing Framework Objectives
Outsourcing Assessment Guidelines
Information Security and Outsourcing Service Level Agreements
Contract Staff
Risks Associated with Information Security Contractors
Some Consultants (and Agencies) May Oversell Their Information Security Expertise
Misfit for Corporate Culture
Serious Limitations in Some Critical Skills
Difficulty Getting References
Be Realistic about the Length of Your Engagement
Overhead for Consultant to Learn the Lay of the Land (Your Organization)
Attitudes of Employees toward Consultants
Generally, You Get What You Pay For (or Less)
Poor Role Selection for Contractor Staff
BYOD and Contractor Security
Loss of Investments in Training and Experience
Use of Specialized Security Services Firms
Digital Forensics (Data Recovery and Investigations)
Security Breach and Cyber Incident Event Management
Ethical Hacking and Pen Testing
Regulatory Compliance Management Firms
Electronic Discovery (eDiscovery) Firms
Vendor Software
Cost-Effective Vendor Application Risk Management
Endnotes
Security Awareness: Fluff or Strategic Investment?
What Is the ROI of Security Awareness Spending?
People Are the New Security Perimeter
Are Security Awareness Programs Budget Wasters?
Have Automated Security Tools Diminished the Necessity for Awareness Training?
Security and Convenience: The Human Factor
Technical Security Control Failures via the Human Factor
Human Factor as an Asset to Information Security
Why Some Practitioners Doubt the Effectiveness of Security Awareness
Why Security Awareness Fails to Meet Expectations
Implementing an Impactful Security Awareness Program
Principles of Effective Information Security Awareness
Use KISS
Stress the Why
Lump Messages Around Why
Just Say "No" to FUD
Avoid "Security Theater"
Keep It Fresh
Use Stories
Make It Actionable
Use Tchotchkes Effectively
Use Metrics and Statistics Sparingly
Avoid Trite, Silly, or Dated Concepts
Know Your Audience and Culture
Avoid Awareness Materials Mishaps
Use Only Licensed Content and Images
Do Not Belittle Users (Even When They Are Not Present)
Consider Generational Differences in Risk Perception
Maximizing Investment in Security Awareness
Endnotes
Information Security Policies and Procedures
Foundational Elements of Cost-Effective and Efficient Information Security
What Are Information Security Policies?
Why Some Organizations Go "Naked" (without Policy)
Why Does an Organization Need an Information Security Policy?
Benefits of Information Security Policy
Policies Ensure Standard Ways of Doing and Measuring Security Activities
Creates a Foundation for the Rest of the Policy Hierarchy
Communicates to Stakeholders Proof of Commitment to Security
Demonstrates a Commitment to Security to Regulatory Bodies
Shows a Pattern of Due Diligence to Auditors in Business Operations
Provides Guidance for Acceptable Use of Assets
Provides Demonstrable Evidence of Executive Management
Limits Liability for Organization and Staff
Information Security Policies are Expensive to Create and Maintain
Initial Policy Development Costs
Approaches to Creating an Information Security Policy
Use Prewritten Policy Templates
Develop a Custom Policy
Use the Information Security Policy of Another Organization and Make Adjustments
Outsource Policy Development and Maintenance
Steps in Creation of the Information Security Policy
Identify the Information Security Policy Team
Collect Background Research Material
Prepare a Topic Coverage List
Design a Policy Standard Structure
Develop Policy Content
Perform Reviews and Revisions Involving Key Stakeholders
Obtain Ratification and Release the Policy
Have a Formal Exception Process in Place
Develop a Policy Rollout Plan and Awareness Campaign
Information Security Policy Faux Pas
Policy Faux Pas 1: The Overly Long Policy
Policy Faux Pas 2: Policy Cannot Be Monitored or Enforced
Policy Faux Pas 3: Aspirational Policy
Best and Cost-Efficient Practices in Information Security Policy
Strong Version Control
Policy Review Committee
Regular Reviews
Determine Policy Ownership
Determining When a New Policy Is Needed
Policy Management Applications
Simple File Hierarchy and Spreadsheets/General Database
General Document Management/Version Control Software
Specialized Policy Management Solutions
Going Naked (No Information Security Policies)
Major Policy Renovations
Emerging Policy Areas
River Called "Denial"
Toothless Policies
Technology without Written Policy
Combining Policy and Technology
Policy Grandfathering
Information Security Policy: Final Words with a Cost-Saving Checklist
Endnotes
"Is This Necessary?"
Do We Need To Do Everything We Are Currently Doing?
Why Some Security Processes Endure beyond Their Expiration Date
It Has Always Been Done This Way (Failure to Question Existing Controls)
"Invented Here" Syndrome (Proprietary Ownership of Controls)
"Zombie" Controls
Team Stagnation and Lack of Control Innovation
Avoiding Team Stagnation: Encourage and Support Questioning
Red Flags for Potentially Ineffective Controls
Evaluating the Current Value of Existing Security Controls
Performing a Security Controls Inventory
Finding the "Sweet Spot" for Controls
Maximize the Value of IT Controls
Special-Purpose Controls
House of Logs
Tips for Getting the Most Bang for the Buck from Logs
What Type of Control Is the Most Cost Effective?
Defense-in-Depth and Layered Security Controls
Human Aspect of Controls
Controls Creating User Frustration and Dissatisfaction
Controls Creating Misunderstanding Leading to Security Failures
Humans Bypassing Security Controls
Adding "People Literacy" to Security Controls
Understanding the Total Cost of Ownership of Controls
Developing a Bespoke Security Controls Strategy
Using Maturity Level and Budgeting Availability to Develop a Security Control Strategy
Using Open Source Security Controls
When "Free" Controls Are Not Free
Security Control Strategy: Homogenous versus Heterogeneous Controls
Critical Key Success Factor in Managing Controls: The Need to Document
Why Is Documentation So Important and Often Overlooked?
What Should Security Control Documentation Include?
Checklists
Tips for Implementing Cost-Effective and Efficient Security Controls
Understand the Budgeting Cycle
What Is the Budget and Why Is It Important?
What Makes a Good Budget?
What Is a Budget? (Traditional Approach)
Zero-Based Budgeting
Hybrid Budgeting
Basic Principles of Budget Management
Financial Selling: Getting More Budget
Understanding the Budget "Game"
Putting On Your Budget "Game Face"
What Is Financial Selling?
Rebranding Return on Security Investment
Getting to Know the Budget Gurus
The Budget Cycle
Budget Planning, Preparation, and Submission Activities
Approval
Budget Execution
Audit and Evaluation
Budget Replanning
Budgeting for Multiyear Projects
Avoiding Requesting Additional Funds for Nonbudgeted Expenses
Tips for Information Security Budgeting Success
Endnotes
Using the Goldilocks Principle
Getting It Just Right
You Can’t Go Home Again
Do We Need to Be World Class or Best in Breed?
Are Best Practices Really Always "Best"?
Best Practices
Keys to Success in Implementing Best Practices
Is It Feasible?
Make It Your Own
Get Real
Consider People, Process, and Technology
Determining the Efficiency of Best Practices for an Organization
Smart Operating Practices
Thirty Nearly Universal Smart Practices for Information Security
Endnotes
The Hybrid (Frugal) CISO
Traits for Evolving, Enabling, and Transforming Information Security Organizations
Not Afraid Not to Be the Smartest Person in the Room
Open to the Ideas of Others
Flexible and Proficient across a Variety of Domains
Rolls with the Punches
Problem Solver
Lateral Thinker
Business Acumen
Comfortable with Finance and Budgeting
Plays Nice with Others
Realistic
Outreach
Proactive Agent of Change
Strong Leader
Accepts Shades of Gray
Excellent Manager
Bridge Builder
Strong Ethical Core
The Frugal CISO 2.0: Critical Success Factors
Endnotes
Frugality as a Continuing Strategy for Information Security Management
Frugality and the Future
Achieve Compliance with Emerging External or Internal Requirements
Support Controls for Emerging Threats in the Risk Landscape
Update, Extend, or Enhance Information Security to Grow with Business Plans (Alignment)
Invest in Training to Expand the Value of Staff
Fund Initiatives Designed to Evolve the Overall Maturity Level of the Information Security Organization
Resolve Open Audit Issues
Managing the Budget Merry-Go-Round
Be Prepared for Every Budget Eventuality
Endnotes
Biography
Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE, CCSK, MBA, MSCIS, MSIA, is an information security and records management consultant with more than 15 years of experience in information security and IT across a variety of industries. She has worked in information security, application development, financial systems operations, network administration, IT audit, records management, business contingency planning, and graduate-program instruction.