Handbook of Information Security Management: Policy, Standards, and Organization



NEW ORGANIZATION PARADIGM

Virtual Team and Risk Management

Under this model, the basic assumption is that risk cannot be eliminated entirely. Rather, the best role for IPS is as the advocate for information protection and to recommend a combination of technical, procedural, organizational, and operational methods to reduce the risk to information assets to a level commensurate with management’s tolerance. Spending money and headcount for protection beyond this level diverts scarce corporate resources from more productive and higher returns on investment (ROI) options and may actually jeopardize the organization’s survival against more agile competitors. Too much of a “good thing”, even information security, can be a problem.

Core Assets

IPS managers must understand that they will have only a small but elite team of “permanent” or regular full-time assigned staff resources. These employees must be sufficient to meet the minimum responsibilities of the IPS department to the corporate organization. One of the key roles assigned to the regulars is to provide direction and command and control for a larger but more flexible ad hoc group of nonsecurity regular staff in other departments, complemented by consultants and experts external to the organization. Together these form the “Virtual IPS Team,” hereafter called the Virtual Protection Team (VPT).

Matrix Assets

The VPT consists mainly of selected staff or other organizational assets that can assist the IPS organization “regulars” in fulfilling responsibilities to manage and reduce risks to critical information assets. A sample matrix is shown in Exhibit 1.

An obvious but often overlooked resource is the System Administrators typically assigned to either the business units or corporate MIS (depending on the organization’s overall management model). These employees have a vested interest in the secure operation of their designated systems, but often lack specific direction. This direction can be provided through a combination of baseline security standards for specific environments and regular information security reviews or audits. By “deputizing” the line staff with full responsibility for safeguarding their environments, then monitoring them for compliance, the IPS organization can leverage limited “regular” headcount and achieve a uniform level of protection. This can be done without IPS being directly responsible for account administration, password resets, audit trail reviews, etc., which allows the corporate IPS group to focus its efforts on high-value-added assignments, such as incident response and new system implementations.

Maintaining technical expertise in emerging technologies is difficult for any organization, since the dizzying pace of technical innovation has accelerated in recent years. IPS often lacks expertise in the features of cutting-edge technologies such as ATM, wireless RF networking, the latest database, etc. The approach of acquiring a dedicated IPS technologist for each new area is doomed. A better approach is to hold to the basics of information security and team with whoever in the IS or technology organization has the responsibility for managing, evaluating, and introducing new technology. They provide the technical experts; IPS should provide common sense, security experience, and, when necessary, external consultants. In this manner new technology can be introduced with proper consideration and use of available security measures.

External Assets

The IPS group should look to the use of carefully selected consultants and contractors to implement the VPT. Due to rapid change, diverse technologies, and rapid development cycles, the VPT must have sufficient budget to allow timely interventions and response to line or MIS priorities. This can be achieved if an adequate budget is provided for consultants. The amount and management of the consulting budget will vary with the size of the organization to be supported and the nature of both its technology and its operational environment. High-technology organizations with rapid growth, expansion, or change will need more. However, even relatively static organizations with slow change rates will need a significant budget to implement the VPT concept. This is where the IPS manager argues for “selective outsourcing”. The VPT shifts the expense from a fixed pool of regular staff with high retention costs to an outsourced pool that can be reconstructed quickly to address current organizational priorities. Establishing a relationship with a reputable external supplier of IPS services is critical to ensure a sufficient pool of talent is available to support the internal regular staff.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.