Managing security in bad times: CISOs speak out

Network World - The global economic downturn is making everyone's jobs harder, and IT security executives are in the hot seat too, struggling to hold on to budgets and align IT security projects with business needs amid cost-cutting.

Ten of these top-level security managers, including those from eBay, Time Warner, Cigna, Novartis and Motorola, shared their thoughts on coping, in a new report titled "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy."

The report, issued today, grew out of the Security for Business Innovation Council, an ad hoc group formed a few years ago by EMC's RSA division to tap the brains of security managers at Fortune 1,000 companies.

Here are some ideas these security executives expressed in the report:

• "I think the days of big budgets, big battalions of security practitioners standing in the overhead cost line are well past," says Bill Boni, corporate vice president of information security and protection at Motorola. "Part of the challenge is that the bigger the team becomes, the more challenging it is for leadership to really align with that kind of large cost with large value."
• "In terms of looking for efficiencies, I think there are way too many security products out there now in the environment, and there is tremendous overlap," says Craig Shumard, chief information security officer (CISO) at Cigna. "The security product stack has become unsustainable. I've challenged every vendor that I've met with recently to help me define the seven or eight products that we need to achieve the same level of security that we have today. We can't continue to operate 15 to 25 (or more) security products. I don't believe that we can continue to just add new security products to the environment and expect that we will use them effectively. I keep visualizing the Leaning Tower of Pisa. Maybe the security control tower is standing today. I think that if we keep adding products, the tower will fall over and bury the folks trying to manage it."
• "A lot of it is risk-based decision-making," says Dave Cullinane, vice president and CISO at eBay Marketplaces. "You need to be able to quantify the risks and say, for example, 'We've got a $300 million exposure, and we need to spend $30 million this year getting it down to a reasonable level.' Beyond that, the fear, uncertainty and doubt stuff isn't working anymore. People just aren't buying it. Even if it does raise their concern, it doesn't do anything to loosen their wallets. Because most companies are looking at very tight budgets, so you're going to have to have a very good business case as to why you should get funding."
• "Fundamentally, we don't want to have a huge security team; you know, we want to have security built into the knowledge of every person working for the company," says Andreas Wuchner, head of IT risk management, security and compliance at Novartis. "For example, if there is an IT operator on the Unix side or the Windows side, he has to have some security knowledge. For us, it wouldn't work to have a huge security workforce going out to the organization saying, 'That's bad; you're doing this wrong; that won't work.' You need to get security built in -- into the business processes, into the development of new software. ... I don't think there is another way to win this race."