1st Edition

The Frugal CISO Using Innovation and Smart Approaches to Maximize Your Security Posture

By Kerry Ann Anderson Copyright 2014
    381 Pages 4 B/W Illustrations
    by Auerbach Publications

    If you’re an information security professional today, you are being forced to address growing cyber security threats and ever-evolving compliance requirements, while dealing with stagnant and decreasing budgets. The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture describes techniques you can immediately put to use to run an effective and efficient information-security management program in today’s cost-cutting environment.

    The book outlines a strategy for managing the information security function in a manner that optimizes cost efficiency and results. This strategy is designed to work across a wide variety of business sectors and economic conditions and focuses on producing long-term results through investment in people and technology.

    The text illustrates real-world perspectives that reflect the day-to-day issues that you face in running an enterprise’s security operations. Focused on managing information security programs for long-term operational success, in terms of efficiency, effectiveness, and budgeting ability, this book will help you develop the fiscal proficiency required to navigate the budgeting process.

    After reading this book you will understand how to manage an information security program with a limited budget, while still maintaining an appropriate level of security controls and meeting compliance requirements. The concepts and methods identified in this book are applicable to a wide variety of teams, regardless of organizational size or budget.

    "New Normal"
    When Can We Get Back to Normal?
    Frugal versus Cheap
    Time, Cost, and Quality Paradox
    We Are Special?
    "It’s the Economy, Stupid," or Is Something Impacting Security Budgets?
         Slowing of Compliance
         Security Technology Fatigue
         FUD Fatigue 
         C-Level Complacency 
         Waiting for Perfection 
         They Really Don’t Care about Information Security (at Least Now)
    What Is Normal, Anyway?
    Endnotes

    Information Security Maturity Life Cycle
    Where Is My Team?
    Using the Nolan Model Combined with Information Security-Specific Benchmarks
    Why Assess Information Security Maturity Levels?
    The Six Levels of Information Security Maturation
         Stage 1: Initiation 
         Stage 2: Contagion 
         Stage 3: Control 
         Stage 4: Integration 
         Stage 5: Data Administration 
         Stage 6: Maturity/Continuous Renewal
    You Are Here: Determining an Organization’s Maturity Stage
    Approximate Your Final Destination
    Skipping Levels
    Bridging the Gaps
    Stumbles Happen
    Spotting Maturity Landmarks of Progress
    Tips for Managing the Information Security Maturation Process
    Endnotes

    Reducing Complexity
    Complexity and Volume, Oh My
    Actively Managing the Application Portfolio 
         Building a Current Application Inventory
    Reducing Application Complexity
    Strategies for Reducing Application Complexity
    Why Applications Are the Favorite "Hacker Snack"
    Application Risk Rating 
         Identification of Appropriate Information
         Protection Classification for Applications 
         Information Classification System 
         Information Classification Scheme and Application Security Rating 
         Application Risk Levels and Definitions 
         Steps to Implementing Complexity Reduction
    Legacy Third-Party Applications 
         Strategies for Minimizing Risks and Costs for Vendor Applications 
              Spell Out the Details of Required Support, Security, and Vulnerability Management in the SLA
              Do Regular Information Security Assessments of Your Vendor Applications
    Reducing Data Storage 
         Steps to Reducing Stored Data
    Strategies for Reducing and Managing Data
         Steps to Finding the Data 
              Electronic Information Inventory 
              Data Discovery Solutions
         The Next Steps in Reduction of Obsolete or Redundant Data
    Reduce Security Solutions Complexity 
         Paring Down Security Solutions 
         Other Strategies to Reduce the Cost of Security Solutions
    Reducing Complexity and Risks Created by "Bolt-On" Security 
         Bolt-On Security 
         Building in Security: Cheaper and Better 
         Strategies for Embedding Security in Systems 
              Use of Financial Justification
              Use of Secure Development Practices as a Pilot Proof of Concept for Select New Technology Projects 
              Identification of an Internal Champion for the Adoption of Secure Development 
              Integrate Vulnerability Testing into Software Development Process
              Customize the Secure Development Process to Fit the Organization
    Endnotes

    Frugal Hiring
    People, Process, and Technology—In That Order
    Relationship between Costs, Hiring, and Effective Team Management
    Finding the Right Stuff and Right Fit
    Job Descriptions or Looking for the Lord Himself (or Herself) 
         Hiring "On the Cheap"
    Developing a Hiring Strategy and Tactics for the Long Run 
         Hiring for the Wrong Reasons
    Some Tactics for Strong Hiring 
         Learn to Spot the Candidate with that Je Ne Sais Quoi
         Learn from Past Mistakes and Make a Fresh Start with Each Hiring
         Get Your Team Involved 
         Connection with Candidates on a Personal Level 
         Avoid Ending on a Poor Note 
         Avoiding "Halo Hiring" 
         Cultivate and Close Your Preferred Candidates
    Using Recruiters
    Interviewing for Understanding and Motivation
    Interview Process: Identifying the Right Candidate and Closing the Deal
    Strategies for Avoiding Excessive Hiring Costs 
         Attracting Quality Is Not Cheap 
         Know What the Position Is before You Start Recruiting 
         Don’t Play Bait and Switch after Hiring 
         Use Recruiters Effectively
         Consider Internal Candidates When Possible 
         Use a Technical Interview 
         Don’t Stretch Out the Hiring Process Too Long
    Hiring the Transitioning Professional

    Frugal Team Management
    A Team Is the Sum of Its Ingredients
    Security Is a Team Sport
    Building or Renovating the Information Security Team 
         A Word of Caution: Don’t Try to Clone Your Old Information Security Team 
         Building a New Information Security Team 
         Revamping an Existing Information Security Team 
         Having Existing Team Reapply for Their Positions 
         Next Steps after Restructuring of an Existing Team
    Professional Development Planning
    Stress and Information Security 
         Tips for Helping Information Security Professionals Combat Burnout 
         Tips for Employers to Combat Information Security Burnout
    Cost of Turnover 
         Costs of Excessive Turnover of Information Security Staff
    Tips on Lowering Turnover of Information Security Employees
    Retaining and Nurturing Your Information Security Team
    Why Teams Fail to Meet Expectations
         Inability to Gel 
         The Fish Rots from the Head Down
         Toxic Element
    Vital Ingredient: Team Learning
    Endnotes

    Managing External Parties Effectively
    It Takes a Global Village
    Outsourcing 
         A Framework for Cost-Effective Outsourcing Management 
         Outsourcing Framework Objectives 
         Outsourcing Assessment Guidelines
    Information Security and Outsourcing Service Level Agreements
    Contract Staff 
         Risks Associated with Information Security Contractors 
              Some Consultants (and Agencies) May Oversell Their Information Security Expertise 
              Misfit for Corporate Culture 
              Serious Limitations in Some Critical Skills
              Difficulty Getting References 
              Be Realistic about the Length of Your Engagement 
              Overhead for Consultant to Learn the Lay of the Land (Your Organization)
              Attitudes of Employees toward Consultants 
              Generally, You Get What You Pay For (or Less) 
              Poor Role Selection for Contractor Staff 
              BYOD and Contractor Security 
              Loss of Investments in Training and Experience
    Use of Specialized Security Services Firms 
         Digital Forensics (Data Recovery and Investigations) 
         Security Breach and Cyber Incident Event Management 
         Ethical Hacking and Pen Testing 
         Regulatory Compliance Management Firms 
         Electronic Discovery (eDiscovery) Firms
    Vendor Software 
         Cost-Effective Vendor Application Risk Management
    Endnotes

    Security Awareness: Fluff or Strategic Investment?
    What Is the ROI of Security Awareness Spending?
    People Are the New Security Perimeter
    Are Security Awareness Programs Budget Wasters?
    Have Automated Security Tools Diminished the Necessity for Awareness Training?
    Security and Convenience: The Human Factor
    Technical Security Control Failures via the Human Factor
    Human Factor as an Asset to Information Security
    Why Some Practitioners Doubt the Effectiveness of Security Awareness
    Why Security Awareness Fails to Meet Expectations
    Implementing an Impactful Security Awareness Program
    Principles of Effective Information Security Awareness 
         Use KISS
         Stress the Why 
         Lump Messages Around Why 
         Just Say "No" to FUD 
         Avoid "Security Theater" 
         Keep It Fresh 
         Use Stories 
         Make It Actionable 
         Use Tchotchkes Effectively 
         Use Metrics and Statistics Sparingly 
         Avoid Trite, Silly, or Dated Concepts 
         Know Your Audience and Culture 
         Avoid Awareness Materials Mishaps 
         Use Only Licensed Content and Images 
         Do Not Belittle Users (Even When They Are Not Present) 
         Consider Generational Differences in Risk Perception
    Maximizing Investment in Security Awareness
    Endnotes

    Information Security Policies and Procedures
    Foundational Elements of Cost-Effective and Efficient Information Security
    What Are Information Security Policies?
    Why Some Organizations Go "Naked" (without Policy)
    Why Does an Organization Need an Information Security Policy?
    Benefits of Information Security Policy 
         Policies Ensure Standard Ways of Doing and Measuring Security Activities 
         Creates a Foundation for the Rest of the Policy Hierarchy 
         Communicates to Stakeholders Proof of Commitment to Security 
         Demonstrates a Commitment to Security to Regulatory Bodies 
         Shows a Pattern of Due Diligence to Auditors in Business Operations 
         Provides Guidance for Acceptable Use of Assets 
         Provides Demonstrable Evidence of Executive Management 
         Limits Liability for Organization and Staff
    Information Security Policies are Expensive to Create and Maintain
    Initial Policy Development Costs
    Approaches to Creating an Information Security Policy 
         Use Prewritten Policy Templates 
         Develop a Custom Policy 
         Use the Information Security Policy of Another Organization and Making Adjustments 
         Outsource Policy Development and Maintenance
    Steps in Creation of the Information Security Policy 
         Identify the Information Security Policy Team 
         Collect Background Research Material 
         Prepare a Topic Coverage List 
         Design a Policy Standard Structure 
         Develop Policy Content 
         Perform Reviews and Revisions Involving Key Stakeholders 
         Obtain Ratification and Release the Policy 
         Have a Formal Exception Process in Place
         Develop a Policy Rollout Plan and Awareness Campaign
    Information Security Policy Faux Pas
         Policy Faux Pas 1: The Overly Long Policy
         Policy Faux Pas 2: Policy Cannot Be Monitored or Enforced
         Policy Faux Pas 3: Aspirational Policy
    Best and Cost-Efficient Practices in Information Security Policy 
         Strong Version Control
         Policy Review Committee 
         Regular Reviews 
         Determine Policy Ownership
    Determining When a New Policy Is Needed
    Policy Management Applications
         Simple File Hierarchy and Spreadsheets/General Database
         General Document Management/Version Control Software 
         Specialized Policy Management Solutions
    Going Naked (No Information Security Policies)
    Major Policy Renovations
    Emerging Policy Areas 
         River Called "Denial" 
         Toothless Policies 
         Technology without Written Policy 
         Combining Policy and Technology
    Policy Grandfathering
    Information Security Policy: Final Words with a Cost-Saving Checklist
    Endnotes

    "Is This Necessary?"
    Do We Need To Do Everything We Are Currently Doing?
    Why Some Security Processes Endure beyond Their Expiration Date 
         It Has Always Been Done This Way (Failure to Question Existing Controls) 
         "Invented Here" Syndrome (Proprietary Ownership of Controls) 
         "Zombie" Controls
    Team Stagnation and Lack of Control Innovation
    Avoiding Team Stagnation: Encourage and Support Questioning
    Red Flags for Potentially Ineffective Controls
    Evaluating the Current Value of Existing Security Controls
    Performing a Security Controls Inventory
    Finding the "Sweet Spot" for Controls
    Maximize the Value of IT Controls
    Special-Purpose Controls
    House of Logs
    Tips for Getting the Most Bang for the Buck from Logs
    What Type of Control Is the Most Cost Effective?
    Defense-in-Depth and Layered Security Controls
    Human Aspect of Controls 
         Controls Creating User Frustration and Dissatisfaction
    Controls Creating Misunderstanding Leading to Security Failures
    Humans Bypassing Security Controls
    Adding "People Literacy" to Security Controls
    Understanding the Total Cost of Ownership of Controls
    Developing a Bespoke Security Controls Strategy
    Using Maturity Level and Budgeting Availability to Develop a Security Control Strategy
    Using Open Source Security Controls
    When "Free" Controls Are Not Free
    Security Control Strategy: Homogenous versus Heterogeneous Controls
    Critical Key Success Factor in Managing Controls: The Need to Document 
         Why Is Documentation So Important and Often Overlooked? 
         What Should Security Control Documentation Include? 
         Checklists
    Tips for Implementing Cost-Effective and Efficient Security Controls

    Understand the Budgeting Cycle
    What Is the Budget and Why Is It Important?
    What Makes a Good Budget?
    What Is a Budget? (Traditional Approach)
    Zero-Based Budgeting
    Hybrid Budgeting
    Basic Principles of Budget Management
    Financial Selling: Getting More Budget 
         Understanding the Budget "Game"
    Putting On Your Budget "Game Face"
    What Is Financial Selling?
    Rebranding Return on Security Investment
    Getting to Know the Budget Gurus
    The Budget Cycle 
         Budget Planning, Preparation, and Submission Activities 
         Approval 
         Budget Execution 
         Audit and Evaluation 
         Budget Replanning
    Budgeting for Multiyear Projects
    Avoiding Requesting Additional Funds for Nonbudgeted Expenses
    Tips for Information Security Budgeting Success
    Endnotes

    Using the Goldilocks Principle
    Getting It Just Right
    You Can’t Go Home Again
    Do We Need to Be World Class or Best in Breed?
    Are Best Practices Really Always "Best"?
    Best Practices
    Keys to Success in Implementing Best Practices 
         Is It Feasible? 
         Make It Your Own 
         Get Real 
         Consider People, Process, and Technology
    Determining the Efficiency of Best Practices for an Organization
    Smart Operating Practices
    Thirty Nearly Universal Smart Practices for Information Security
    Endnotes

    The Hybrid (Frugal) CISO
    Traits for Evolving, Enabling, and Transforming Information Security Organizations
    Not Afraid Not to be the Smartest Person in the Room
    Open to the Ideas of Others
    Flexible and Proficient across a Variety of Domains
    Rolls with the Punches
    Problem Solver
    Lateral Thinker
    Business Acumen
    Comfortable with Finance and Budgeting
    Plays Nice with Others
    Realistic
    Outreach
    Proactive Agent of Change
    Strong Leader
    Accepts Shades of Gray
    Excellent Manager
    Bridge Builder
    Strong Ethical Core
    The Frugal CISO 2.0: Critical Success Factors
    Endnotes

    Frugality as a Continuing Strategy for Information Security Management
    Frugality and the Future
         Achieve Compliance with Emerging External or Internal Requirements 
         Support Controls for Emerging Threats in the Risk Landscape 
         Update, Extend, or Enhance Information Security to Grow with Business Plans (Alignment) 
         Invest in Training to Expand the Value of Staff
         Fund Initiatives Designed to Evolve the Overall Maturity Level of the Information Security Organization 
         Resolve Open Audit Issues
    Managing the Budget Merry-Go-Round
    Be Prepared for Every Budget Eventuality
    Endnotes

    Biography

    Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE, CCSK, MBA, MSCIS, MSIA, is an information security and records management consultant with more than 15 years of experience in information security and IT across a variety of industries. She has worked in information security, application development, financial systems operations, network administration, IT audit, records management, business contingency planning, and graduate-program instruction.