CW Security Think Tank: What should information security professionals do - and what should they avoid doing - to ensure the success of infosecurity projects?
Treat them as business projects
Jeffrey Wheatman, research director, Gartner
It is safe to say that a large proportion of IT security projects either fail outright or do not fulfill the expectations that were used to justify the project. There are a few reasons that are common across the board for these failures.
1. Failure to define expected outcomes or benefits
It is common for security investments to be made without anybody understanding the expected benefits. Security projects must have defined objectives that can be measured in some way. For example, if you need to implement technology XYZ, the objective might be as follows: technology XYZ will identify credit card numbers as they traverse the network and block access to credit cards based on business roles, and no credit card numbers will leave the network through unapproved channels or be accessible by unapproved users.
2. Not involving business stakeholders
Making decisions on behalf of your users without fully understanding what it is that is important to them leads to the wrong assets being protected in the wrong way. Gartner's experience provides numerous instances where security teams have protected the confidentiality of the data when in fact integrity was far more important. Leverage your governance process and consult with your business stakeholders - the individuals who own the assets - and make sure that you are addressing the right problems rather than what you assume are the right problems.
3. Looking to tool-based solutions
Historically, security professionals immediately asked themselves: "What tool can we buy?" Unfortunately, we have learned, quite painfully, that tools are not always the right answer. Often, a process will help solve the problem far more effectively and efficiently than buying YAST (yet another security tool). It is critical to understand that security is another business problem that must be solved. Security projects should be subject to the same justifications and accountability as any other business project.
Get buy-in, share benefits and challenge the culture
Ionut Ionescu, head of threat management, Betfair, and member of the (ISC)2 European Advisory Board
The top reasons for IT security project failure, in my view, are:
1. Lack of buy-in from the wider business (including having budget).
2. Lack of shared benefit between IT and security departments.
3. Deeply ingrained behaviours and practices that are not sufficiently challenged.
Conversely, the projects that tend to succeed are those where there has been a good degree of consultation with the business, where the senior management (not just technology management) offers active and vocal support, and where IT and security work together as a team, seeing it as a win-win opportunity rather than a "blame game".
Another important ingredient for IT security projects to succeed is a culture of accountability across the business.
In my career, I have been in almost surreal situations when security professionals had to explain at length to IT professionals why patching systems and network devices was a good thing to do. If security is not in everybody's job description, a concentrated effort to raise security awareness must precede any large-scale IT security projects.
I have also seen projects that founder because of passive resistance from the business or IT functions. Granted, security departments can and should communicate better, but I have seen many security improvements hampered or halted by answers along the lines of "that's how we always do things around here". There is a limit to how much security can explain things and try to tease out mutual benefits for these projects. The fact is that some security provisions may complicate things for some people and, also, that some things are non-negotiable and the business just has to adapt to them. An example here would be when firms have to comply with legal and regulatory requirements, such as the Data Protection Act, PCI DSS, etc.
In summary, projects that succeed are able to articulate a strong business benefit, are well communicated and enjoy a continuous commitment from senior management.
Cost properly, and take a holistic view of security and education
Phil Stewart, director of external communications, ISSA, UK chapter
One of the key underlying drivers today in information security projects is the necessity to reduce IT costs, which is not something that will be achieved using outdated methods of procurement. A holistic view of security, together with education, are the other keys to project success.
Many tender processes fail to ask potential suppliers about total project costs. They assume that the cost of software licensing or hardware and initial implementation will be roughly the total cost of the project. This procurement overoptimism fails to take into account the ongoing support for a solution post-implementation, and fails to ask the supplier to back up its claims with a detailed case study.
IT security projects should be clearly defined and scoped from the outset to guarantee success. A detailed project plan with proper costing and assignment of resources, and clearly defined responsibilities is the foundation of any successful project delivery. IT security - despite its niche image - is an extremely broad subject given the numerous threats that exist and their complex nature. Part of procurement's role is ensuring the correct subject matter expert is selected to deliver the project aims.
Many projects hit the headlines because the educational component was missing from the project. Too often, a breach occurs because employees are not fully aware of their responsibility to protect data in the first place. Security awareness is not something that just needs board buy-in and can then be forgotten: employees need to be educated that they have responsibilities too for keeping data secure. Education, education, education!
Many security breaches have occurred because a holistic view of the organisation was not taken in information security. It is unwise, for example, just to implement full disk encryption - then lose data via an unencrypted memory stick. A risk assessment should be done across the organisation to look at all threats, and then costed against the risk of implementing the control. If costs are an issue, it may be possible to negotiate a better price to save money in one procurement area to fund the implementation of another control.
There are multiple causes of failure
Wil Rockall, KPMG Common Assurance Maturity Model steering committee
There is rarely a single overriding cause of failure for an IT security project. More common is for a number of seemingly small setbacks or deviations to build up until successful delivery is no longer achievable. Lack of a clear mandate with clear expectations and definitions of success, failure to help people understand how the project is helping them, and poor day-to-day management of the project are common themes that undermine the chances of successful delivery.
Many IT security projects are in fact business change initiatives that radically alter day-to-day working practices. Yet, rather than seeking to convince and coerce people to change what they do, many projects begin with the assumption that everyone will be told to adopt the new way and will meekly accept the restrictions and inefficiencies introduced. In real life, many people react badly to this, paying lip service to the change for a short while before slipping back to their preferred routines; some surveys report two-thirds of people regularly bypass security controls just to "get the job done".
Any big project can be a complicated undertaking requiring a blend of many factors for success. When dealing with something as complex and mystifying as IT security, these can be very difficult for senior executives to assemble as they are often hard pushed to relate project delivery to their bottom-line performance or achievement of their strategic business goals.
So are strong sponsorship and clear benefits all that are needed? Not quite. Project managers tend to fall into two camps. Either they are pure-play project managers with no real understanding of what is being delivered, or they are deep techies who have been thrust into a management role because they understand the why, if not the how, of organisational change. Either one of these approaches leads to imbalance.
Lack of good direction, management and communication, then, are the main reasons for failure, and getting them right can make them the reason for success.
Treat the project as a standard business scheme
Dani Briscoe, research services manager, The Corporate IT Forum
When polled, members of The Corporate IT Forum's Information Security Service were vocal about the differences between security and other projects - namely that there aren't any. All members agreed that a security project was no different to any other business or IT enterprise and, as one member said, "should be subject to the same governance and control as any other project".
The main reasons for project failure are changes to requirement or specification or scope. Making such alterations part-way through the project lifecycle will affect the costs and also ultimately delay delivery.
Successful assignments are those that have a consistent and repeatable process and lifecycle. Members directly attribute the success of projects to the skill and management of the project team rather than what is being undertaken.
Getting senior buy-in is key to driving a security project forward; ensuring that required security elements of "non-security" projects also have this buy-in is equally essential. One member said: "[Security] is the foundation of a business and must be an everyday subject, not brought in as an afterthought or bolt-on." Many projects fail to implement proper security as it is either totally omitted from the delivery lifecycle or considered far too late to be implemented as part of the project. Agile projects tend to be the worst offenders in this area. Members have found buy-in easier to obtain if the organisation is subject to some type of audit that highlights the security issues that the project will solve.
A breach, while costly to reputation and business, can ensure sufficient impetus to deliver the project on schedule.
Overall though, security projects tend to take a back seat to other IT projects - perhaps due to the difficulty in demonstrating the business benefit gained from implementation. It is nearly impossible to show return on investment (ROI) for a security undertaking, as most are about protecting data and/or systems. Maybe more organisations need to devise a way of measuring security project success against a metric clearly aligned with business risk - data protected, or reputation saved. A measure of what didn't go wrong?
Keep the ever evolving skillsets up to date
Raj Samani, Cloud Security Alliance
Technology has a remarkable habit of making previously essential skills redundant. Take map reading: modern smartphones are able to pinpoint your exact location and provide walking or driving directions to your destination. Think of the last time you used a map, or even asked someone for directions; more worryingly, how lost would you be without your phone or satnav?
The erosion of previously essential skills is also likely to be felt by technology professionals through the wide-scale adoption of cloud computing. Previously, nearly every organisation regardless of size was forced to install a computing facility of some description, whether it was in a dedicated room or on a desk. Equally, all organisations would allocate resource to be the "IT geek", or another insulting job title. Cloud computing is changing that.
Organisations can simply pay for their technical requirements through a service contract, much like they pay for electricity or toilet paper. It doesn't matter who they go to, as long as the cloud service provider (CSP) meets their requirements (including security), then the lowest price wins. So what does this mean for the security professional?
Well, technical skills are likely to be concentrated at CSP locations and organisations that need to maintain security teams with deep technical expertise. Skills for security professionals will have to adapt to manage the CSP contract and monitor compliance against established service level agreements (SLAs). Equally, skills for security professionals will have to adapt from deep technical expertise to a much broader technical competence. The need for strong communication skills and report writing will be of paramount importance.
As we migrate to this new world, many security professionals globally are beginning to adapt and develop these new skills. Equally, the introduction of new control frameworks such as the Common Assurance Maturity Model (CAMM), the CSA Cloud Controls Matrix v2, etc will empower security professionals to help their organisations implement cloud computing securely.
Communicate the benefits
The key to a successful IT security project lies in understanding the reasons why such projects fail: unless care is taken to explain the emergent benefits of the project to the stakeholders who will be subject to it, they will see no benefit in it and resist any changes it brings that affect their productivity.
A project has to engage with stakeholders to understand what business units need to do their work. Ways should also be sought to manage risks from using technologies such as smartphones that would not be allowed in a traditional "block all" approach to security.
Similarly, taking the time to understand the risks to information, rather than deploying technology with an outdated security mindset, results in a situation where the business feels in control of the decisions to be undertaken. This situation occurs only when you realise that business value is generated by one of the three following scenarios:
• the business can do things it previously couldn't
• it can do existing things more efficiently
• it can stop duplication of effort and/or cease doing things that were causing productivity issues
To engage effectively with your stakeholders, you need to realise that they often bypass your controls because they want to do business rather than be insecure. It is therefore imperative that you not only engage with your stakeholders throughout an IT security project, but also realise that you have only commenced this dialogue once the project is over.
Maintaining dialogue with your stakeholders a year down the line is just as important to ensure they feel heard and supported; that way controls can evolve rather than just be bypassed. As we transition from a security mindset to that of managing risks to information, so we need to realise that a cyclical approach to controls must be adopted.
The project manager and the project team are the overriding factors
Adrian Davis, principal research analyst, ISF
There are many reasons why projects succeed or fail and, sometimes, luck is the main one. Rather than write a list of success factors (any half-decent book on project management or a search on Google will provide you with such a list) and discuss the hygiene factor of project management, I'm going to cover one key factor the ISF has identified when looking at a range of security projects: the project manager and the team.
Good project managers display a range of skills and behaviours - for example, leadership, negotiation, flexibility and uncompromising determination - in differing situations and at the same time. They constantly communicate to all interested (and uninterested) stakeholders, using the appropriate language. They are also excellent listeners. Every inch of the project is understood, as is how the individual parts create the whole. Good practice, such as ISF tools and ISO standards, is used to build in security at the start, where it has the greatest impact and benefit.
But it's more than just the manager - there is also a team. Despite the inevitable distractions, staff turnover, budget changes, scope gallop and shifting objectives, good project managers build and keep the team focused on the end goal.
Finally, good project managers and their teams network and build support across an organisation. A good example of this is getting HR to support an IAM project. HR knows who can get things done, where there are favours to be had and returned, and where the power really lies.
In summary, it's all about people. Adopting good project management disciplines is a start, not an end. Good project managers know this and focus on both the tangible and the intangible.
Four drivers of failure, five routes to success
Malcolm Marshall, sponsoring partner for the KPMG I-4 programme, and lead partner, KPMG UK information security business
With growing numbers of hacks and mass data loss dominating the headlines, infosecurity looks set to be the defining corporate issue of 2011. The cost of security failure has jumped exponentially, putting security firmly on the boardroom agenda.
Such failures have serious implications for the business - both in terms of reputation damage and IT project outlay - and for the CIO.
The fear of succumbing to the next Wikileaks scandal or anonymous hacking attack has sparked a rapid increase in new IT security projects. The scope and cost of these projects have also grown significantly.
CIOs are realising that the game has changed, and are more determined than ever that their IT security projects succeed. All too often, though, these programmes fail for the following reasons:
1. Technology blinkers
Projects are often driven by subject experts with almost no knowledge of broad business drivers and processes. This leads to project rationales and objectives not being properly communicated, resulting in a lack of wider business sponsorship.
2. Sell, don't tell
Many areas of the business are affected by a project. Not identifying and engaging with all stakeholders who may have "skin in the game" at an early stage usually leads to a lack of buy-in and resistance to change.
3. Missing objectives and ROI
In the scramble to get protected, objectives are often not defined or set in a business context. As a result there can be little understanding of the business case or intended results. Also, as projects are often protecting against a "black swan" event, ROI can be extremely difficult to justify.
4. Lack of leadership
Leaders with the wrong skill sets or no change management experience are common. Failure to account for the people and processes involved in IT security projects is a rapid route to failure.
Thankfully, organisations can take the following steps to improve their chances of success:
1. Clarify the business benefits early
Leaders must consider why they are undertaking a project. Without a clear set of business deliverables it is impossible to measure the benefits or justify the cost.
2. Manage efficiently
Security projects need a leader who understands the organisation, communicates effectively and can see the project through to the end. The rest of the team should have a cross-section of skills, not just IT or security.
3. Look at the long term
IT leaders must encourage long-term change with durable IT security projects that cross the annual budget cycle. This will help to engage the whole business and to ensure objectives are met.
4. Clarify delivery methods
Organisations should undertake rapid risk reduction and implement clear metrics to quantify this. The result is engagement, quick wins across divisions, and a baseline from which to measure improvements throughout the project.
5. Cut complexity
Leaders should split projects into manageable steps to reduce complexity. This can be achieved by standardising, embedding, automating and - where possible - eliminating processes.
Although there is no magic bullet for IT security success, the above factors will increase its likelihood significantly. IT leaders should take heed as the combined risks and costs of IT security continue to rise: failure is really no longer an option.
Security must be seen as a business driver rather than just a cost
Mike Westmacott, chair, BCS Young Professionals Information Security Group
IT security in general is still often not regarded as a business driver, being seen instead as a necessary cost in mitigating risk. However, the absence of board-level support for a security strategy creates a key reason for projects to fail. Without a clear strategy that will allow a project to be well defined and aligned with the overall business strategy, it is very difficult to accurately identify whether it will actually be of any benefit. This lack of appreciation will affect all levels of the organisation, and consequently projects of every scale, from the top down to the bottom. I have seen this in the past (prior to company-wide internet deployments) where different parts of a company would attempt to solve what was essentially the same virus problem, and with full awareness of each other's projects. One group chose to use a "sheep-dip" approach to allow users to scan floppy disks, while the other group installed network-based scanning (but only on their own network). The result was that users became confused and made assumptions about what was and wasn't risky. While improvements were made, the projects would have benefited immensely from a top-down approach to security and co-ordination between different business functions.
The presence of a security strategy and policy does not mean that projects will be implemented in a satisfactory manner. Many security projects affect whole functions of the business, if not the entire business, and have a particular impact on personnel. A well-trained and experienced security practitioner may be able to develop an ideal solution for the business, and may succeed in getting costs approved, but may not be prepared for the level of organisational resistance that greets implementation. Where a security project means organisational change there are inherent difficulties, and these must be managed with a lot of care, with equal consideration of how to manage the change and the technical implementation.
One further type of failure that is worth mentioning is that of piecemeal implementations, often resulting from a spot requirement that may have originated from a regulatory domain such as PCI. A form of fire-fighting, the result is that single issues are addressed, and solutions developed that do not tie together, resulting in an incoherent and weak security posture.
So how do you make security projects succeed? Have a top-level strategy, implement policies, co-ordinate between business functions, manage change, track progress and continuously improve. There wasn't a single IT-only term in the previous sentence for one very good reason: the primary reason for IT security project failure is down to failures in the business and not in the IT.
The human factor underpins both success and failure
Rolf von Roessing, international vice president of ISACA
The top fails are as follows:
1. Over control and overregulation
Security gaps and findings are addressed by bringing in reactive rules and regulations. Soon enough, people don't like all these rules and start making their own.
2. Disregard of human factors
Security as a cost item is subject to pressure, and organisations don't engage their people (by training, proper awareness building, etc).
3. Lack of senior management support
This is becoming less important as audit findings have become more serious over the past few years. Senior management are now usually aware.
4. Lack of security ownership
We all think it's the infosec manager's job. Do we think it's our own job? No.
The top successes are as follows:
1. Good models
Organisations with truly systemic thinking are several steps ahead, and they understand emerging trends, behaviours and cultural issues early in the game. Much of this is about human factors.
2. Good incentives
Some organisations have placed security high on the agenda by actively marketing it internally and externally. If it's about bonus, people will listen and behave.
3. Smart rules and regulations
Successful policies and procedures remove bureaucracy by properly classifying their information, and then focus on the critical areas to be protected. They move away from blanket regulations and shift more responsibility to the users.
4. Good education
Nothing is as successful as a real hands-on training session where employees hack each other and see how it works. Some firms use "red cells" to challenge themselves all the time.