Building a Secure Corporate Environment
Viable business units can make positive contributions to the business

Building a Security Organization
Third-Party Networks

Customers, business partners, and outsourcers are beginning to require companies to provide information concerning their security posture (security questionnaires) as a prerequisite before conducting business with them.

Much of this activity is driven by Sarbanes-Oxley legislation and SEC disclosures. As you build your security organization, you will be required to factor customers, business partners, and outsourcers into your security equation.

A company is only as secure as its weakest link, and when you extend your network to a third party, you have effectively increased your risk exposures exponentially. Companies planning to conduct business in the next five years will be required to certify to third parties that they are meeting all legal and regulatory requirements, such as Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley. If they are conducting business in Europe, they will have to meet stricter compliance with the European Data Protection Act (EDPA). Information security programs are at the forefront of these work efforts. Design your security model to reach for the highest bar so your organization will be in compliance with all critical laws and regulations.

Insider Notes: It is also important to note that metrics are meaningless without action. Identifying the number of viruses hitting the network, successfully deploying data files, and fighting the virus is fine, but the question is why hasn't that virus been caught at the gate?

Information Security as a Business Enabler
Your security program should find ways to leverage existing or new security solutions with other business units. It is essential that the information security team develop close working relationships with the business units to understand their goals and business problems.

For example, your security team is trying to develop an encryption standard across the global environment. While developing this encryption standard, the security team must take into consideration all business units if they are going to have an effective enterprise-wide solution. At first it doesn't seem like there is a satisfactory enterprise e-mail encryption solution available. Eventually a member of the team recommends a Public Key Infrastructure (PKI) solution.

During this process the information security team learns that HR is concerned about its staff sending and receiving sensitive employee information through e-mail. Additional research by the security team reveals that the merger and acquisition group is also concerned about sending sensitive information through e-mail.

After surveying other business units, the team also discovers that this issue is isolated to just the HR and M&A groups. Working with the business units to understand their business needs and making them feel part of the solution becomes essential. The last thing you want to do is purchase an enterprise-wide PKI solution only to find out that it is not being used and your limited funding is wasted.

After a little work on your part, you find out that you have a small group of users who will require e-mail encryption. Your team can accomplish their mission by deploying PGP to the HR and M&A teams. They will require some education and training to use PGP, but your team has established credibility, because you listened to their requirements and found a viable solution. It's all about being part of the team and offering the business affordable solutions.

Another example: the information security team would like to purchase and implement a SIM solution. After meeting with various IT and business units to discuss this project, the security team finds out that it can extend this technology to other groups and enhance its ROI. The infrastructure team would like to use the network utility tools and dashboard that SIM offers. The services division would like to leverage the central logging capabilities that SIM offers (see Figure 2).

When a VP of sales or business development offers to partner with your information security team on new initiatives or customer offerings, you will know that information security has been successful. Differentiating your organization and security environment from other competitors will be critical, especially in a global economy.

Keep in mind that any time the information security team creates a security challenge for the business, it is essential that your team works with them until a solution is found, balancing good security practices with good business requirements. Ultimately, information security should not be viewed as the cybercop, but rather as a positive business enabler.

Insider Notes: When senior management sees the value you add to the organization (a return on investment), and that you are producing appropriate metrics, you become a viable business unit, not just a drain on the bottom line.

Security as a Market Differentiator
For many years before 9/11, senior management viewed security as a cost center that did not add to the bottom line. When companies had tight budgets, security was often one of the first line items to be cut. That thinking needs to change, and the CISO is on the front line of that effort.

Security departments need to be viewed as viable business units that make positive contributions to the business. As discussed, metrics are one of the key tools that will help you sell that story.

Information security is beginning to transform itself into a viable business unit and market differentiator. As third parties continue to require good security practices before doing business, CEOs will have to view information security as a central component of their core business plan. A company without good security practices that meet all legal and regulatory requirements will be a big loser in the emerging global marketplace. Sarbanes-Oxley has set a minimum security standard in the U.S., but there are other security benchmarks, such as the EDPA. When considering outsourced partners, a company should review their SAS 70 (financial audit for IT controls) for information security controls and compliance matters.

Companies that publicly advertise or certify that they have met generally accepted security standards will be able to use this as a market differentiator. In the long run, it will drive new revenue channels. Companies that have not developed or invested in good security practices will trail the pack.

About Stephen Foster
Stephen W. Foster was Chief Information Security Officer at Avaya Inc. He joined Avaya after a distinguished 20-year career with the Federal Bureau of Investigation.
