In general, RSR discusses technology purely in the context of business issues. This is a big part of our value proposition. But periodically, Brian and I like to put on our ex-CIO hats. We, and others like us, have a wealth of experience that we’d like to share with our more recent counterparts. And so, we’re introducing this periodic series of articles, called the CIO Corner. Of course, Line of Business users are welcome to read these posts as well. But they are targeted specifically to the current or aspiring CIO.

In later editions, we’ll talk about topics like budgeting and forecasting, an introduction to accounting, and other things that IT Executives can use to help run their departments more effectively. But it seemed only pertinent to start with security. Tim Toews, former CIO for Office Depot, and current part-time CIO for hire and consultant has kindly agreed to share his perspective on the basics of IT Security. I can tell you that I learned a few things from reading this piece.

By the way, if you are a CIO or a recent CIO, and think you have something to share… let us know. We welcome unbiased, useful contributions. Brian and I will likely contribute some as well, but we are more than happy to share the wealth. Now let’s hear from Tim.

The 3Ps of IT Security: Priority, Process and Persistence

Target, Home Depot, JP Morgan… and who knows who’s next. These are stressful and difficult times for anyone accountable for enterprise security. Unfortunately, there is no software to buy, no consultant to pay and no service to rent that can guarantee bullet proof security. I do believe that there is a framework, however, that can be used to manage the problem of enterprise security. I call it the 3Ps of IT Security: Priority, Process and Persistence.

When I was CIO of a pretty large retailer for a number of years, we had over 1,000 stores, more than two dozen distribution centers, 50,000+ employees, 50 global web sites, thousands of PCs and laptops, hundreds of servers, a robust network and… you get the picture. Every year we built an IT Plan that described, among other things, our priorities for the year. Naturally we wanted to align with business goals and priorities, we wanted to spend money efficiently, we wanted a smart and engaged staff and we wanted to improve our processes and service levels.

We also always had a priority that was labeled ‚ÄòSecurity and Compliance’ – two different things but linked at least in my opinion. Compliance (e.g. SOX, PCI, HIPPA) is more about adherence to internally or externally mandated controls that describe how processes, data and transactions must be managed. I’ll save lots of insights on Compliance for another post but suffice it to say that failing, for example, a SOX or PCI audit is not a career-enhancing experience. I want to focus on Security today and talk about a framework that I believe works well in managing security risk in the enterprise.

Definition of Security

What is security? It is control of the Enterprise or Business space as depicted below. For CIOs or heads of IT groups it might mean Control of the Network and control is the notion that all transactions within this space are authorized. Obviously, we want to let Customers in to the business space so that we can sell stuff to them. We need vendors and other partners to support our organization’s mission. We don’t let competitors in and we definitely want to keep hackers out.

That is where Priority, Process and Persistence come in.

Security Priority

In my opinion, security is a business leadership problem, not an IT problem. Obviously, IT has a huge end-to-end role in security execution, but senior management is accountable for asserting it as a business priority. What does a priority look like in a business?

• We talk about it
• We meet about it
• We report on it
• We fund it
• We make someone accountable for it

Some questions on your organization’s view on security.

• Is security an articulated and distinct priority within your organization?
• If your company does strategic planning are there pages in the plan deck describing Security as a priority?
• When was the last time one of your senior leaders hosted a meeting devoted to your company’s security posture and status?
• Who do you point to at your company when a security issue, question or event occurs?
• Gartner once said that retailers should devote about 5% of IT spend on security technology, staff and processes. That number may well need to be bigger. Do you know how much you’re spending on security?

People in an organization respond to their leaders’ priorities and security needs to be one of them.

Security Processes

What kinds of processes support an organization’s security priority? First, let’s talk about external processes supporting security that have been imposed on certain organizations: PCI and SOX. I was a CIO when SOX became an external mandate. Then PCI followed a couple of years later and I always thought they were good things. They forced us to confront our fundamental controls and make them work and they brought the whole notion of compliance (and security) into the board room. They also gave us rigorous frameworks which helped us understand how to control and protect the enterprise via these well-defined processes. Your organization, however, may not be publicly traded and thus exempt from SOX or it may not process enough credit card transactions to trigger a rigorous PCI audit. There is still plenty you can do to help protect your business. Besides, neither PCI nor SOX however are comprehensive security regimes and even organizations that are SOX and PCI compliant need to go over and above SOX and PCI in their effortto resist the hackers.

I’m going to give examples of 10 processes that are foundational to any formal attempt to secure a business. They are not comprehensive. A well-managed security program will go well beyond these 10 processes. If you’re not doing all of the below, however, I’d schedule a review of your security posture immediately.

1. Encrypt any data that would cause your company issues if it were exposed (including data in transit!)
2. Segment your network.
3. Monitor security events and keep logs.
4. Put anti-virus software everywhere whether it is a PC, Mac, POS device, Linux server or whatever.
5. Keep current with patching all platforms, system software and applications. This cannot be negotiated. Your company must be current on patching.
6. Create a corporate security policy and standards: publicize it, train to it and hold accountable those who violate it.
7. Create a Security Incident Response Team (SIRT) and plan. The team should practice the plan quarterly.
8. Hack yourself: both IT and business infrastructure.
9. Measure and review security KPIs just like you do other relevant IT and business KPIs.

10. Include security KPIs as a bonus goal for relevant staff. Money talks and it also is a leading indicator that some activity is important.

For details on these ten processes, visit my original blog here.

Security Persistence

Hacking attempts will not stop and thus work to secure the business space cannot stop either. Security is a journey not a destination; or to be less trite review the line score of the baseball game below. 20 innings: that’s persistence! 2 errors: well everyone is vulnerable. The winning team had less hits than the losing team: it sounds like they did the right things at the right time. Persistence, which in this discussion means proceduralized leadership, is also required to keep out the hackers. You need the engagement of your company’s senior leadership, security as a business priority, fundamental security processes and accountability and persistent commitment to keeping your business secure.

As my colleague Paula Rosenblum said in her blog titled The Endless Data Security Saga Continues a few weeks ago, “No static standard can keep us safe in a rapidly changing world. While standards continue to evolve, criminals evolve more quickly”. Adopting the 3Ps, Priority, Process and Persistence might just get you one step ahead of the game.