Being accountable for information security (which may or may not include IT security) has many elements of mission impossible. A conference speaker with a sharp sense of humor, if not one of frustration, once said: “If nothing happens, you are not needed. If something bad happens, you are to blame.” How would you like your performance review to be approached this way?
3 things make the management of information security different and challenging:
- Information security events are not random. Attacks, regardless of whether they are internal or external are targeted and zero-day vulnerabilities are in the unknown-unknowns category.
- Information security metrics are largely immature and performance indicators are lagging metrics. As mentioned in the first point, they do not make good predictors about the future.
- Information security has not, in many cases, attracted the interest of senior and executive management and remains perceived as a purely technical matter.
In my recent Journal article, “Demonstrating Due Diligence in the Management of Information Security, ” we discuss 5 complementary approaches that an information security manager can use to demonstrate that appropriate measures have been taken and that they are managed to protect the organization’s information assets. How each is used should be determined by the nature of the organization’s activities and its managerial culture.
Of the 5, 3 can be, and in my opinion should be, part of the security manager’s responsibilities:
- Maintaining a set of security metrics that make business sense, with particular focus on leading indicators (key risk indicators [KRI] would be a good choice)
- Conducting vulnerability and risk self-assessments while trying to avoid undue optimism
- Determining the role of independent certifications as part of an information security strategy. Such certifications may be for compliance with processes (e.g., ISO 27001), regulatory requirements for information systems (e.g., Federal Information Security Management Act [FISMA]) or personal (e.g., CISM).
The remaining two are, to an extent, optional, and the nature and culture of the organization should define how and when these are performed and if their cost is justified, given that external resources need to be engaged:
- Performing independent information security audits of many different types, ranging from governance (e.g., COBIT 5 for Information Security), compliance and process maturity to in-depth technical audits (e.g., logs, reports, data analytics).
- Independent ethical hacking (IEH) or penetration testing (PT), again in many flavors ranging from white-box to black-box, and variants in between.
These five approaches should be considered as necessary but not sufficient to demonstrate due diligence, the final factor being the credibility and soft skills of information security managers and their team.
Read Ed Gelbstein’s recent Journal article:
"Demonstrating Due Diligence in the Management of Information Security," ISACA Journal, volume 6, 2012