Infosec 2011: Charity sector shows the way to balance budget and security

Tackling security project by project is an effective way of securing data on a limited budget, says Matt Holland, head of information security at children's charity NSPCC.

Tackling security project by project is an effective way of securing data on a limited budget, says Matt Holland, head of information security at children's charity NSPCC.

"Cutting the budget while bolstering security is a challenge nowhere more common than in the charity sector," he said.

Holland, who believes that the project-by-project approach ensures security is fit for purpose, is to take part in a panel discussion to explore this dichotomy at Infosecurity Europe 2011 at Earls Court, London, from 19-21 April.

The discussion is to be led by Paul Simmonds of the Jericho Forum. The rest of the panel will be made up of information security heads from Network Rail, Electronic Arts and The Oval Group.

In Holland's experience, an effective way to get proper funding for security is to meet the cost of IT security within project budgets, even where a centralised IT security team continues to operate.

"This is a useful tool for ensuring that the depth and coverage of security is very tightly linked to the amount of change that your business is undergoing," he said.

Rather than a central team just following best practice, the project-based approach helps information security professionals focus on the changes they are making.

"We should not do any security that the projects themselves do not require, and if you can push the overhead into a project, you are not taking a central burden for security for no reason," said Holland.

For example, he says his operational capability just to the "keep the lights on" is absolutely marginal for an organisation of 3,000 people, a million user records and 25,000 volunteers.

For each project, however, other resources are brought in as and when they are needed after Holland has made an initial risk assessment and recommendations about what should happen from a security perspective.

"My project-based security workforce is therefore elastic, which means I do not have to maintain a residual team, cutting costs and boosting efficiency," he said.

However, he says in the charity sector there is not the same need for long-term forecasting as there is in the banking or retail sectors, for example, which work to longer cycles and like to have bigger residual security teams.

"As a charity, our need for forecasting is light and we are quite fleet of foot, tending to go from an idea through to project delivery fairly quickly," said Holland.

Therefore, he says this approach may not fit in the culture and politics of some sectors as well as it does in the third sector.

Approaches that work for all sectors, he says, include cutting back on external consultancies and outsourcing the more standard services such as penetration testing where requirements can be tightly defined and costs are fixed.

Holland says he is also involved in all third-party services contracted by the business to ensure that baseline security requirements are met, while creating as little overhead for the internal security function.

Overall, he says, it is important for information security professionals to get involved in all business activities to ensure that initiatives to cut costs such as for employees to bring their own IT kit to work, do not create unnecessary security costs.

Read more on IT risk management