ABSTRACT

Some security processes hang around for a variety of reasons and may outlast their original purpose. Most information security practitioners who have had the experience of uncovering severe risk issues around an application or business process can attest to how uncomfortable it can be to bring these issues to executive management. The critical success factor in avoiding team stagnation is a frugal chief information security officer (CISO). The frugal CISO needs to create a culture that encourages questioning. The frugal CISO might lead from the front by facilitating the initial series of meetings and creating a series of teams to review and recommend changes to the current security controls portfolio. Performing regular self-assessments of all existing security controls is an important means of discovering inappropriate or ineffective security controls and their related procedures. The security controls inventory may be performed by the security team or by contractors, depending on staff availability and budget.