New Yorkers have a saying: "Tell it like it is." As one security manager writing for other security managers out there, that is what I intend to do. It has been my experience that virtually every security organization-regardless of the vertical market in which it is located-suffers from three pressures inherent in the job.
First, the business areas tell security personnel, "youse guys (remember, I'm in New York) are nothing but a cost to me. You slow down my business, cost me money, and add nothing to the bottom line. You're a waste of floor space."
Second, the regulators and auditors of your organization tell you, "My God, did you know you guys aren't doing (fill in the blank)? Why, without (fill in the blank) your security is wide open. The future of the free world and motherhood are being put at risk and you guys aren't doing diddly!"https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iThird, the organization as a whole does not recognize the value add of its security personnel. Security is one of the few jobs that if done perfectly, no one ever notices. It is only when security is breeched that you are recognized-and negatively at that. I have a saying, "Security is like oxygen. When you have it, you don't think about it. When you lose it, you can't think of anything else." With a negative recognition system like that, is it any wonder that security personnel suffer from chronically bad morale?
But this all comes with the territory, right? Unfortunately, yes, but as a fellow security manager, I believe I have found a way out of this three-horned "trilemma," which I have affectionately dubbed "Cerberus" after the three-headed dog of Greek mythology. Cerberus, you will recall, guarded the gates of Hades. No one could escape Hell unless they somehow got past this tri-jowled, nasty, yowling, snapping beast. With any luck, I am about to give security managers the advice they need to escape the possible hellish existence of their jobs.
The best way security managers have of demonstrating due diligence in exercising their security responsibilities is by adhering to industry best practices. And the best way of doing that is by achieving industry-recognized certifications. As a security manager, I strive to follow industry best practices on the following three levels: organization, individual, and technical systems.
First, on an organizational level I have my security group follow ISO 9000 and BS 7799 standards. ISO 9000 is an international standard for best practices in quality engineering management. It ensures quality engineering, documents critical processes, and allows tracking of customer satisfaction-all important objectives for security groups. BS 7799 is a British standard recently adopted as an international ISO standard for best practices in information security management. Together, these two standards guarantee that your organization is following recommended best practices in security, and is doing so in a way that ensures quality engineering and good customer relationship management.
Achieving ISO 9000 and BS 7799 certification will require contracting with a registrar to perform the audits of your organization against those standards. It has been my experience that Underwriters Laboratories (UL) and the British Standards Institute (BSI) are two of the best. UL is a household name in the U.S. and their auditors tend also to be engineers, which helps for an engineering organization. BSI has certified more organizations under ISO 9000 than any other registrar in the world and has the most experience in auditing organizations under BS 7799.
On the individual level, I have my security staff become Certified Information Systems Security Professional (CISSP) certified. CISSP is an industry certification for information security professionals. It tests competency in 10 basic areas of security, called common bodies of knowledge. Certification ensures that your people have the basic skills necessary to perform adequately as a security professional. As a side benefit, it shows you care enough about your people to invest in them with training. That increases morale in your security organization and helps them to become more effective in performing their duties.
The organization to contact for registering your personnel for the CISSP training and certification is the International Information Systems Security Certifications Consortium also known (thankfully) as ISC2. (See www.isc2.org for more information.)
Finally, on the technical systems level, I have my outwardly facing network components (e.g., firewalls, public Web servers, e-commerce applications) checked by independent third parties to ensure they are securely configured in accordance with industry best practices. Why only the outwardly facing components you may ask? Simple. If these are compromised then it makes the news and your board of directors and stockholders are going to want to know what due diligence precautions you took to guard the security of these systems. Having a third-party certification allows simple verification that you were not asleep at the wheel and thus protects the reputation of the organization.
Why not carry out the same verification for components on the internal network? You could, but from my experience external consultants are expensive and I save the internal checking for my own penetration testing teams just to save money.
Changing the pitch: Service
So, three levels of certifications: organization, individual, and technical systems. Nice, but how does this solve the security manager's trilemma? First, it changes the pitch you make to your business line managers. Instead of being a cost center for the company, you become a service differentiator.
Take e-commerce, for example. Every survey I've seen asking consumers their greatest e-commerce concerns has security and privacy topping the list. By achieving world-class distinction through certifications, you can rightly pitch that security now becomes a service differentiator. All things being equal, potential customers might prefer giving their business to your company because it has achieved world-class distinctions in ensuring privacy and security rather than your competitor who is a regular schmuck on those issues. Your business heads will appreciate that you're now helping to bring business to the organization instead of preventing them from doing their jobs.
Second, regulators and auditors will be pleased that you are benchmarking your organization against industry-recognized best practices. Their write-ups will tend toward the positive since it would take an auditor with a lot of chutzpa to say they know better than industry-recognized best practices how security ought to be run in an organization. Trust me on this one-they'll think you're the cat's meow.
Finally, the morale of the security group should rise based on greater self-esteem and the recognition that comes with belonging to a world-class organization. Your security personnel will appreciate the fact that you've invested time in training them. They will also feel better appreciated by the organization because they will have achieved world-class distinction in their profession.
By now you must be asking, "So what's the catch." Yes, I admit there is a downside. Pursuing this course means fundamentally changing the way security managers conduct business. Most security organizations tend to be tactical and reactive. By that I mean they concentrate on addressing the latest audit findings and feel that by doing so they have successfully secured their companies. Pursuing industry best practices, on the other hand, requires security organizations to become strategic and proactive in their operations. Old habits die hard and security organizations tend to be very conservative when it comes to change. Expect a hard sell to your security personnel on this approach.
Pursuing industry best practices will require much effort and a strong commitment from a security organization. But in the end, it is well worth the effort for the benefit it brings to the company. With any luck, Cerberus will be slain and the security organization will be liberated from a hellish existence of little appreciation for the job they perform. Instead, they will be genuinely esteemed as a value-added, professional organization.
Note: The views contained in this article do not represent the views of Barclays Capital investment bank. Paul Raines writes strictly in a personal capacity.
Paul Raines is head of global information risk management for the investment bank Barclays Capital, New York City. He is responsible for the information risk management of Barclays worldwide, with operations in 66 countries. Prior to joining Barclays early this year, Paul was vice president of electronic security for the Federal Reserve Bank of New York, supervising its computer and network security systems. He was also U.S. representative to the Bank of International Settlements on computer security matters. E-mail him at firstname.lastname@example.org.