Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) specifically face multiple challenges in regards to the efficiency of their IT Security programs. IT Security organizations must find and maintain the appropriate balance between compliance and efficiency while managing expenditures for IT Security Engineering and IT Security Operations.

The common questions CIOs and CISOs ask when facing the challenges of IT security efficiency include:

  • Are my IT Security resources working efficiently to address the real risks of the company?
  • How many employees are performing security functions within my organization? What are they spending their time on?
  • Why is our organization failing audits when we have so many skilled personnel?
  • Are these security processes really addressing risks, or simply quashing productivity for no other reason than “this is the procedure we have always had in place”?
  • Do we require more consistent security processes and, if so, how do we go about defining, justifying and implementing them?

Protecting the organization against risk, while enabling it to continue to do business effectively and efficiently, is of the utmost importance. Recent high-profile incidents of organized hacking activity against corporations such as Sony, Epsilon and RSA have highlighted the importance of IT Security.

Tools are available to detect and manage all sorts of security vulnerabilities at the infrastructure or application level, and many organizations have invested in these tools and their implementation. However, absent improvements in their underlying security-related processes, IT Security organizations soon learn that a “wild card” risk-perception approach to purchasing tools drives up costs without yielding a commensurate decrease in risk. Efficient security processes, complemented by appropriate tool selection and implementation, are necessary to create cost-effective and lasting reductions in security risk.

While traditional cost-benefit analysis is useful for optimizing resources, it is equally important for an IT Security group to consider additional risk-related parameters that transcend cost, in order to create a lifecycle approach to the efficient optimization of IT security. This point of view discusses three important aspects of establishing an efficient IT security optimization lifecycle:

  1. Process Optimization: Optimize an IT Security organization to streamline the processes that provide the highest value and allow for continuous security improvements in managing internal risks as well as external threats.
  2. Key Performance Indicators: Develop key performance indicators for the IT Security organization and its effectiveness within the overall enterprise.
  3. Key Risk Indicators: Establish key risk indicators to assess risk appetite for the IT Security organization.

Kurt Salmon’s CIO Advisory practice draws on our global and independent perspective to assist CIOs in formulating, planning and executing their IT strategy and transformation programs, improving the responsiveness, adaptability and cost-effectiveness of CIO organizations that drive overall business performance.