Despite the advances in security technologies, information security officers are getting more pessimistic rather than optimistic about information security. Most training and literature have focused on the “science” part of information security, for example, on risk management, firewalls and other technical aspects of security. Oftentimes, people concentrate too much on security itself and think less about the big picture: why security is required in the organization and the organizational interactions necessary for achieving the security goal. The “soft” side of information security has been virtually absent.
This article focuses on the soft side of information security—the strategies and influence in information security.
Strategy is a relatively mature field in economics and business management. It deals with how to use limited resources to compete in the business world. For information security, there are many concepts that could be borrowed from competitive strategy to formulate security strategies.
What Is Strategy?
According to Michael Porter, the Harvard University (USA) strategy guru, “Strategy is the creation of a unique and valuable position, involving a different set of activities.” Strategy is the formulation and implementation of a firm’s key market decisions. It defines the organization’s goals and methods: what activities an organization should do, what it should not do and how it should engage in these activities. Strategic decisions extend across functional boundaries and are typically made by senior management.
Specifically, there are a few key points about strategy:
- Operational effectiveness is necessary but is not strategy.
- Strategy rests on unique activities.
- A sustainable strategic positioning requires trade-offs.
- Fit between positioning and activities drives competitive advantage and sustainability.
An example is the US-based Southwest Airlines. Southwest offers low-cost, low-frills, direct point-to-point service, as compared to other airlines that use the full-service, hub-and-spoke model. To fit this positioning, it makes the necessary trade-offs and tailors all its activities to fit the positioning: no preassigned seating, no free meals/drinks on board and quick turnaround time at the airport. A full-service airline is not able to copy these activities. Because of its unique positioning and the fit with its activities, Southwest has been able to stay consistently profitable over the past 20 years, despite being in a highly competitive market that has witnessed many airlines come and go.
What can information security people learn from corporate strategy? The key points about strategy are first about positioning and then about how the positioning fits with the company’s culture and resources. Positioning requires a company to make trade-offs on what activities to do and what activities to avoid. The fit matches an organization’s uniqueness (e.g., resources, cultures) with its chosen activities, so it is difficult for others to copy.
What Is Security Strategy?
Security strategy means establishing a security positioning that fits with the company’s resources and business direction. Security strategy is organizationally unique. One organization’s security strategy may not make sense to another organization, due to different resources and business objectives. Different organizations have different business requirements, resulting in different security positioning. For example, a bank’s requirement for security is very different from a retailer’s requirement for security. Different organizations also have different regulatory requirements. Even in the same industry, different organizations may have different security postures, due to their business strategy. For example, a manufacturing firm with a business strategy based on continuous innovations will have a different security posture from a manufacturing firm with a strategy based on low cost. The one depending on innovation will have higher security requirements to protect its intellectual property rights.
Security strategy is also a long-term commitment. Once committed, it is difficult to change in a short time frame. This is because the security strategy is reflected in the company’s security policies. While minor changes to policies can be accommodated quickly, a change of direction in security strategy requires much more effort and has a wide impact on the business. In addition, once a security strategy is implemented, it also builds a culture and image that matches that strategy in an organization. It takes a long time to change any organization’s culture.
Security strategy also must be sustainable. As with corporate strategy, a sustainable security strategy requires trade-offs in what is done and what is not done. There is little hope for a security strategy that either cannot be implemented or cannot be sustained over a long period. There is no point to having a lofty goal but no resources to implement it; likewise, there is little sense in having a security strategy that is contradictory to an organization’s business strategy. For example, if an organization’s business strategy is to expand online, the security strategy must support this direction rather than obstruct it due to perceived security risks.
Security positioning is the most important part of security strategy. It is unique to an organization and has to fit with an organization’s culture and resources. The security positioning must be consistent with an organization’s business strategy. It determines how an organization manages security and its risk appetite within the boundaries of legal and regulatory requirements.
Dynamic Forces Affecting Security
Just like a company competing in the market, there are many dynamic forces that affect security within an organization. These dynamic forces interact with each other and have significant impacts on security. Only when these forces and the power dynamics of each force are clearly understood is it possible to make the right strategies and decisions for information security success. Figure 1 provides a framework (based on Porter’s five-forces analysis in strategy) for analyzing the key forces.
These dynamic forces include:
- Internal rivalry in information security—The internal rivalry concerns the conflicts among different departments within an organization. The conflicts could be between the information security department and other business units. For example, since security costs money, effort and time, security tends to be one of the items cut during a budget squeeze when the company is not doing well. This also leads to the issue of resource conflicts. The resource conflict exists not only among different departments, but also within the security department, across different geographical areas or different vertical functions (e.g., security operations, security policies, risk assessment). To have a successful information security program, the internal rivalries must be managed carefully.
- Supplier power—The supplier is a key element in information security strategy. Information security depends on its suppliers to complete its mission; without them, security falls apart. There are three categories of suppliers who provide information security services: internal information security employees, external consultants and product vendors. A quick analysis of each one’s power follows:
- Information security employees—During skill shortages, these employees have a lot of power, as they can easily find another job, possibly with higher remuneration. Even in the last three years of cost cutting, information security professionals with the right skills are still in great demand. It is important to a security strategy to consider how to attract and retain these staff members.
- External consultants and outsourcers—During the boom time, external consultants have power, as they have a lot of job choices. Their fees are higher at that time. However, in the last few years, many major consultancy firms have been fighting for jobs. The supply exceeds the demand, thus, external consultants have lost some power.
- Vendors—So far, security products have been bought on a best-of-breed basis. No single vendor has been able to provide complete, integrated security solutions. Thus, most security companies are not big firms and have less power. The exceptions are large companies, such as IBM and Cisco, that can bundle security products together with other major products. For example, if a company has a global agreement to use Cisco as a strategic vendor in networking, it may be forced to use Cisco’s PIX firewall and IDS products as well. In this case, these vendors have more power, as the negotiation and the decision to engage the vendors may be made at another senior level that does not involve security (security products may be just a small part of the overall product agreement).
- Complements—In terms of business strategy, complements are services and goods that increase the demand for a particular good. In terms of information security, complements are the internal audit department, the compliance department and external regulatory bodies. These complementary units help the business focus more on information security. For example, central banks in many countries have set strict guidelines on security requirements for Internet banking. All banks have to follow them if they provide an Internet banking facility in that country. The recent US Sarbanes-Oxley Act compliance requirements have also raised the importance of information security in US companies. The internal audit and compliance departments are really the friends of the information security department. If significant information security risks are found and the business units are not cooperating, internal audit always has the teeth to help get things done.
- Customer power—The customers of information security in an organization are mainly senior management and the business functions that deal with IT and information. From a competitive strategy perspective, the customer has more power if:
- Input is relatively standardized—many substitutes.
- Switching costs for customers are low.
- Customers are large and few in number.
In applying this to information security, the inputs (suppliers) are not standardized, and there are not many substitutes. The switching cost for the organization to replace information security is high. Management controls the budget and review of information security, and thus has power. For the business units, the power balance is more fluid. When the security process is well established and integrated into the business process, information security typically has more power. Otherwise, if an organization does not treat security seriously, information security may not have much influence in business units. On balance, customers of information security have some power but are not dominant.
- Threats of entry—In competitive strategy, threat of entry deals with the likelihood and ease of a new player entering the market. In applying this to information security, one looks more at substitutes for the information security services. For example, through outsourcing, an organization may be able to achieve the same security objectives without a strong internal information security function. Sometimes, another department, such as risk management, may be able to perform the same functions. How real the threat is depends on the organization’s situation.
Form a Successful Security Strategy
After analyzing the dynamic forces that affect security, the next step is to look at how to form a successful security strategy that is sustainable and fits with the organization. Any security strategy must fit with the company’s overall direction and strategy. Otherwise, the security strategy and information security function will hamper an organization’s growth. It is equally important to ensure that any security strategy implemented is sustainable over the long run, as strategy is a long-term commitment. It is costly and difficult to change strategy once implemented.
Four areas need to be discussed: positioning, corporate culture, marketing and selling, and organization.
Positioning
As stated earlier, positioning is key to security strategy. It determines all the other issues, such as policy, and influences the culture of an organization. (Actually, the culture of an organization helps determine its positioning, and the positioning in the long run shapes the culture in terms of security.)
The positioning must be aligned with the organization’s objectives and overall strategy. At the same time, the positioning must fit with the organization’s resources (strategic fit). In business strategy, it is essential to ensure that strategy fits with the company’s activities and resources. Only when there is a fit is the company able to create and capture value. This fit requires trade-offs. The same holds for information security positioning. That is the reason why, in the commercial world, the risk-based approach (trade-off) has been more widely adopted than the best-practice approach, which requires the implementation of all security measures. The essence of a risk-based approach is to ensure that the organization’s risk profile fits with its strategy and resources. Risk assessment identifies the security risks the organization is facing. Based on the organization’s objectives and resources, the organization can make trade-off decisions (e.g., whether to add controls to reduce the risks or to accept the risk). The positioning determines the organization’s risk appetite, meaning how much security the organization wants or should have (does the organization lean towards compliance or towards risk acceptance by the business?). In addition, security positioning also considers general practices in the particular industry (for due diligence and customer acceptance) and is bound by legal and regulatory requirements. The following areas should be considered in positioning (a trade-off between best in class and fit for purpose): resources, policy framework, security operations, architecture, security metrics, security compliance, infrastructure security controls, process (development and operation) and maturity (e.g., BS7799).
In summary, security positioning is reflected in the organization’s policy and risk management. It is also manifested in its culture. Establishing security positioning first involves the setup of security policies that meet an organization’s objective and risk appetite. Security policies are a relatively long-term general commitment. At the same time, the organization should establish a security risk management process to handle ad hoc security issues to be compliant with security positioning.
Corporate Culture and Influence
Corporate culture influences security strategy. At the same time, security strategy, in the long run, shapes the organization’s culture towards security. Management’s and staff’s attitudes toward security demonstrate the corporate security culture. Specifically, some measures are the amount of power wielded by information security and the level of overall security awareness. In terms of security awareness, the following areas should be considered:
- Induction—It is essential to integrate general security awareness training in the induction program, so new employees and contractors are aware of security policies and practices.
- General periodic training—This ensures that the staff is updated with the latest security policies and practices. It serves as a refresher and reminder to staff about security.
- Specialized training—This is required for specific functions that have more in-depth training requirements. It includes training project managers on security processes, training developers on secure coding and development processes, and training engineering/operations staff on security monitoring, implementation and incident management.
Psychologically, there are two means for influencing people. One is transactional influence, which aims to change people’s behavior based on incentives (rewards) and punishments. The other is transformational influence, where the emphasis is on transforming people’s thinking for behavior conformance. In transactional influence, the motivation is on rewards from the outside world, either material (e.g., money) or social (e.g., relations). In transformational influence, the motivation is intrinsic—the reward one gives to oneself, e.g., a sense of achievement.
Currently, most of an organization’s security is based on transactional influence, e.g., disciplining employees for nonconformance. While it would be more effective to build information security compliance into the company culture with transformational influence, this requires extensive security awareness training to create “secure company” and “secure employee” identities to gain commitment to security. When more employees are willing to comply with information security, it encourages others to comply due to the psychological principle of social proof.
Marketing and Selling
Why talk about marketing and selling in information security? Actually, one of the key roles of the information security executive, such as the chief information security officer (CISO), is to bridge the gap among IT, security, business units and senior management. There are already gaps between IT and business units, as well as between IT and senior management. Furthermore, information security often sounds alien to IT, business units and senior management. It is essential for the CISO to bridge these gaps, so all can understand each other and work toward the same organizational goals:
- Senior management—Part of the CISO’s job is to find senior management to champion security. Many organizations are top-down; thus, it is essential for senior management to support and endorse security.
- Value of information security—The CISO must understand the value proposition of information security and communicate this value to management and staff.
- Executive relationships—CISOs and security managers must build strong relationships with key executives in the organization. Many of these relationships can be built through informal occasions, such as lunch or dinner. These relationships can be very helpful in building a support network for information security in the company.
- Management as stakeholder—It is essential to transform both senior company management and business unit management into stakeholders for the information security initiative, so they view information security as their own initiative. This is an important psychological point of commitment. Again, the key is to integrate security into normal business functions and processes, so business units view it as their own. For example, a company recently started a program to get its largest Asian data center certified to the BS7799 standard. Instead of pitching it as a security initiative, the organization started by selling the idea to the Asian data center managers, who built it into their yearly targets. This greatly smooths the certification effort and ensures enough resources and priority for the project.
- Communication—It is also important to communicate to staff and management the value of information security to the entire organization. During any budget crunch, those business units or initiatives that people cannot understand will be the prime targets for budget cuts. Typically, information security is good at talking about security risks but not at promoting itself and its value to the organization. In fact, there are many aspects of business that benefit from information security.
The information security function can provide competitive advantage against an organization’s competitors, especially in a security-conscious industry, such as finance and banking. It helps deal with customer information security concerns and increase sales. In addition, it is important to listen to customer feedback on security requirements to bridge the gap between the organization and its customers.
Organization
Part of the information security strategy is the organization of the information security department itself, including to whom the department should report. Traditionally, information security is part of IT, reporting to the CIO or the senior manager in charge of technology. The advantage is its integration with IT, so the CIO views information security as his/her own responsibility. Most IT projects affect information security. The downside is that information security is always viewed as an IT issue rather than an overall business issue. Recently, many organizations’ information security departments have begun to report to the risk management or governance functions. This can potentially raise the profile of information security, making it easier to integrate into normal business.
The internal structure of the information security organization is also important in determining its effectiveness. Most organizations have organized it as a central function, with geographic information security units to support local business in three time zones. The central information security office determines security policy, process, infrastructure protection and overall objectives. The geographic information security units are responsible for implementation of central information security initiatives in local countries. The disadvantage of this is that the central function may grow too big and, most dangerously, develop an ivory tower syndrome—detached from the ground and making many impractical decisions.
One multinational company uses a radical organizational structure, dividing the central functions and forming CISOs in three time zones, responsible for security as a team. In this model, there is no more global CISO. Vertical security functions, such as the security policy, are distributed to the regions. The advantage is to break the bureaucracy and motivate information security people on the ground. The challenge is to ensure that the regional CISOs work together on the common goal.
Another important aspect of the organization is the interface of information security with other departments. To be effective, the information security department must clearly define how it interfaces with other departments. Part of the interface could be a scheme to build a network of local security representatives. They are staff who report to local business units and are not full-time security staff, but they are trained by information security to be its eyes and ears. Part of their time is spent on improving security for their local business units. For this scheme to be effective, the staff must be provided with incentives, and the business units must see value in allowing their staff to do this. If implemented properly, it provides great help to an information security organization without increasing its headcount.
Lessons From the Strategy World
In addition to strategic positioning and activities fit, there are many lessons to be learned from the strategy world, especially in the area of dynamic interactions, that can be applied to information security. The following are some examples:
- Induced cooperation—In game theory, tit-for-tat is regarded as the most effective strategy for solving a dilemma in which two parties must cooperate to gain the most benefit for themselves. In business, tit-for-tat is used to signal competitors for cooperation. The advantages of tit-for-tat are clarity, courtesy (“I will be nice to you if you are nice to me”), forgiveness (past aggressions can be forgiven as long as you cooperate) and provocability (“If you start the war, I will surely retaliate”). It works best for repeated encounters. In information security, the same technique of tit-for-tat can be used to induce cooperation among business units, with all the advantages mentioned previously. If a business unit violates security, then tit-for-tat could be used to induce cooperation.
- Commitment—In business strategy, commitment is used to convince a rival that one will not back off, and it is also used to induce the rival to exit a market. Commitment involves the use of irrevocable sunk cost, reputation and contracts. In information security, an intruder could be viewed as a rival. If an organization has committed sunk cost to protecting itself and has made known its reputation for prosecuting hackers, potential intruders (both internal and external) will think twice before attacking the organization.
- Network externality—This is about building a positive feedback loop to enhance information security. When more business units have a positive experience with security, they will induce more to engage with security, forming a self-reinforcing positive loop.
This article looks at security strategy from a different angle from the traditional view. It borrows concepts from business strategy and applies them to information security. The aim is to provide readers with a new perspective on forming information security strategy and influence for security compliance.
George Wang, CISA, CISM, CISSP, has more than 13 years of experience in information security, ranging from research and development to management. He has published papers, spoken at conferences, and lectured about the Internet, network security and electronic commerce in Singapore and overseas. Government officials from more than 15 countries in Asia, Latin America, South America, the Pacific and Africa have attended his professional courses. Currently, he is the Asia chief information security officer (CISO) for Reuters, managing information security for the Asia-Pacific region. He is also responsible for global security policy and process. He established the Asia-Pacific information security group for Reuters in 1996 and is a member of the company’s Asia operations management group. He may be contacted at email@example.com.
Disclaimer: The opinions expressed here are the author’s own and do not reflect those of the author’s employers.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2005