Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.
The constantly evolving technology and threat environment and the difficulty of attaching a specific monetary value to information assets make it hard to come up with traditional return-on-investment numbers, Hoff says. So the focus instead is on gathering corporate metrics that show how the company can reduce risk exposure and avoid costs -- such as those related to virus attacks -- by implementing the appropriate security measures.
As part of this effort, Hoff's team is implementing a process methodology called OCTAVE from Carnegie Mellon University's Software Engineering Institute. OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets and create asset-specific threat profiles and mitigation plans.
It's all about showing "reduction of risk on investment," Hoff says. "I'm not interested in showing that I've improved the bottom line. What I can show is how we have managed risk on behalf of the company and reduced our risk exposure."
Hoff is among a growing number of security managers who say it's time to approach information security as an operational risk management issue rather than as a function that's solely focused on implementing tactical fixes for every new threat that surfaces.
The need to comply with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and California's SB 1386 is one of the primary factors pushing companies to take a more business-oriented look at their information security measures.
Lending urgency to the situation is a wave of legislation that lawmakers are considering in response to a series of well-publicized data compromises at Bank of America Corp., ChoicePoint Inc. and LexisNexis Group .
A New View
Evolving threats and a greater exposure to risk are also pushing the need for a more strategic view of security. The growing use of wireless and handheld technologies and the tendency to connect internal networks with those of suppliers, partners and customers have dramatically increased security risks and the potential consequences of a breach.
"All of a sudden, there are a lot of new stakeholders in information security," including regulators, shareholders, customers, employees and business partners, says Carolee Birchall, vice president and senior risk officer at BMO Bank of Montreal in Toronto. "All of these groups have different expectations of IT, and they all come to a head around information security," she says.
The trend calls for a fundamental rethinking of security objectives, say security managers such as Hoff.
The goal isn't to completely eliminate all risk, because that is unrealistic, says Kirk Herath chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio. Rather, it's to understand the broad nature and scope of the threats to your specific situation.
You should base mitigation measures on the probability of loss or disruption from those risks. The focus is not on point technologies but on higher-level issues such as system availability, recovery and incident response, says Herath.
It's a risk-mitigation approach that starts with a detailed understanding of the information assets that you want to protect and what exactly you want to protect them against, says Vinnie Cottone, vice president of infrastructure services at Eaton Vance Distributors Inc., a financial services firm in Boston.
The company is currently implementing security changes aimed at addressing five specific issues that were identified during a corporatewide IT and business risk-assessment exercise.
The issues include a need for stronger user authentication and measures for securing and enforcing policies on all endpoint devices -- such as laptops and wireless systems -- attempting to log into the Eaton Vance network.
"We took a look at every possible [information security] threat to Eaton Vance, and from there we came out with a lot of 'what if' scenarios and then determined what we should do" to deal with them, Cottone says.
But most security managers acknowledge that the daily tasks of dealing with unreliable software code and chasing the latest viruses, worms and spyware leave little time or resources to focus on such big-picture strategies.
Changing business requirements and the growing complexity of threats can also keep security managers tied to tactical issues, even if they don't want to be. Adding to the challenge is a troubling disconnect between security organizations and business units, security managers say.
Lloyd Hession, chief information security officer at Radianz Inc., a New York-based provider of communications services to the financial services industry, says a common view of executives is, "We have spent all this money on antivirus tools, Web filters and firewalls, and why hasn't that stopped this problem?"
Security managers say they're too often seen as purveyors of fear, uncertainty and doubt who have little understanding of business requirements.
To change that image, they need to help business managers understand the trade-offs that have to be made to accommodate a new security measure. And that means no geekspeak, says Cottone. "You really can't talk technical or any kind of jargon" when communicating security strategy to the business side, he says.
The key message, says Hession, is that information security is a business problem that is "not addressed simply by the firewalls and antivirus [tools] that are already in place."