
How to Staff Up for Security

It doesn't matter whether you find them within your company or beyond its walls. But you have to find them.

Reader ROI

  • Learn how to build a team to handle information security
  • Find out how to hire skilled security professionals
  • See how to use your IT organisation as a security staffing resource

Last year, David Saul, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company's firewalls. They did a good job limiting the damage, but it took two days - two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. "We want to be in a safety zone that doesn't require that kind of immediate mobilisation," he says.

That's why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganising and reassigning IT people to security. "Good security equals prevention, detection and reaction," says Saul. "If you're not going to staff to make the process work, then your exposure to security breaches is higher."

That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 per cent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 per cent of those respondents acknowledged suffering financial losses.

In fact, there's no limit to the damage evildoers can inflict. In this environment, many people believe that it's sheer madness to have an IT staff handling information security on an ad hoc basis. "It's a hard-and-fast rule, in my opinion," says John Hartmann, vice president of security and corporate services of Cardinal Health, a $US47 billion health-services provider. "If the two roles are shared, business priorities will drive security to a lower priority."

Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company, disputes that, saying that his IT staff handles security very well, thank you. But he does agree that people charged with security responsibility must be organised into a team - as his are - carrying out a coherent security program that sets out specific responsibilities and requires regular meetings.

A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader.

Finding skilled security professionals to carry out this mission can be tough, and the alternative - training in-house IT staffers who are security novices - can be costly and time-consuming. Outsourcing security is another option. But whichever route you choose, here are some ways to enhance your chances of success.
