Ten of these top-level security managers, including those from eBay, Time Warner, Cigna, Novartis and Motorola, shared their thoughts on coping, in a new report titled "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy."
The report, issued today, grew out of the Security for Business Innovation Council, an ad hoc group formed a few years ago by EMC's RSA division to tap the brains of security managers at Fortune 1,000 companies.
Here are some ideas these security executives expressed in the report:
"I think the days of big budgets, big battalions of security practitioners standing in the overhead cost line are well past," says Bill Boni, corporate vice president of information security and protection at Motorola. "Part of the challenge is that the bigger the team becomes, the more challenging it is for leadership to really align with that kind of large cost with large value."
"In terms of looking for efficiencies, I think there are way too many security products out there now in the environment, and there is tremendous overlap," says Craig Shumard, chief information security officer (CISO) at Cigna. "The security product stack has become unsustainable. I've challenged every vendor that I've met with recently to help me define the seven or eight products that we need to achieve the same level of security that we have today. We can't continue to operate 15 to 25 (or more) security products. I don't believe that we can continue to just add new security products to the environment and expect that we will use them effectively. I keep visualizing the Leaning Tower of Pisa. Maybe the security control tower is standing today. I think that if we keep adding products, the tower will fall over and bury the folks trying to manage it."
"A lot of it is risk-based decision-making," says Dave Cullinane, vice president and CISO at eBay Marketplaces. "You need to be able to quantify the risks and say, for example, 'We've got a $300 million exposure, and we need to spend $30 million this year getting it down to a reasonable level.' Beyond that, the fear, uncertainty and doubt stuff isn't working anymore. People just aren't buying it. Even if it does raise their concern, it doesn't do anything to loosen their wallets. Because most companies are looking at very tight budgets, so you're going to have to have a very good business case as to why you should get funding."
"Fundamentally, we don't want to have a huge security team; you know, we want to have security built into the knowledge of every person working for the company," says Andreas Wuchner, head of IT risk management, security and compliance at Novartis. "For example, if there is an IT operator on the Unix side or the Windows side, he has to have some security knowledge. For us, it wouldn't work to have a huge security workforce going out to the organization saying, 'That's bad; you're doing this wrong; that won't work.' You need to get security built in -- into the business processes, into the development of new software. ... I don't think there is another way to win this race."
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.
Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Free Insider Guide