A couple of weeks ago during Security B-Sides Portland I attended a presentation by Logan Kleier, CISO for the City of Portland. His presentation explored the idea that it may not be necessary for information security professionals to achieve one hundred percent security (watch this short video interview before his talk).
I truly enjoyed his thoughts on this subject, because they relate to many conversations I’ve had in recent months with infosec professionals about where to focus security investments. During his presentation, Logan explained how the City of Portland uses the SANS Top 20 Critical Security Controls to prioritize its security investments rather than trying to raise every control to its highest level at once. He focused a lot on balance: the need for better security weighed against the rising cost and complexity of each additional level of control. In the end, something’s gotta give; you can’t maximize security with the allocated resources.
The fact is that the business will never care enough about security, and perhaps never should. Security and risk management officers should care about the business and explain how security enables or hinders the goals of the business. As my friend Andy Ellis, Chief Security Officer at Akamai, once told me, “my job is to be the honest broker of risk for the business.” So how do information security officers like Logan prioritize their investments? Risk management is definitely the way to go, but how do you communicate risk in terms the business will care about?
For a more comical way to avoid security budget cuts, watch this short video by Javvad Malik.
Check out our latest white paper: “Security-In-Depth Using Integrated Risk-Conscious Controls”