Sharon K. O'Bryan, CISA, CISSP
Over the past several years, significant progress has been made in heightening the reporting level and visibility of information security leadership in organizations. This success, which has crossed industry lines and organization size, can in many respects be attributed to new laws and regulations, but the underlying credit must go to executive management who are more aware of information security risks and are taking action to address related issues. That said, executive awareness is generally achieved through effective interaction with those who understand information security issues. A key factor in this interaction is the information security manager's ability to focus on, and communicate effectively, those things critical to the company's bottom line—the critical elements.
What are these critical elements? The answers are revealed in a recent survey, analysis and report sponsored by ISACA. Through facilitating the identification of "critical elements of information security program success," also the title of the resulting report, ISACA has provided a starting point for organization executives and security leadership to continue a dialog about the importance of security within the organization and what needs to be done to make the link between business and security more effective.
While other studies have also looked at information security, this project took a different approach. Instead of identifying risks, security resources, program components, or other elements of security design and implementation, this project focused on identifying what information managers and executives involved in developing and managing security programs felt were the areas that deserved the most critical attention for information security programs to become more effective in meeting business needs.
Project Overview
The project began with the selection of a 10-person focus group representing eight countries: Canada, France, Germany, Israel, Italy, Japan, the United States and Venezuela. The first goal was to identify a broad list of information security program critical elements. The associated brainstorming session resulted in the identification of more than 70 critical elements, which were then categorized and prioritized. This prioritization resulted in the identification of 35 critical elements from which the focus group selected the top 10 items considered the most critical for information security program success. The 35 critical elements were also submitted to a survey group representing the global community of those holding the Certified Information Security Manager (CISM) designation. A total of 745 CISMs randomly selected from an international pool of security managers, executives and information security consultants were invited to take the survey. Of those, 166 surveys were completed, for a response rate of 22 percent. Survey participants were asked to evaluate the 35 elements developed by the focus group and rate them according to their importance for security management in general, and to the extent they impact security within their organizations.
Survey Demographics
The position titles of survey respondents are presented in Figure 1. Information security consultants represented the largest number of responses (36 percent). Executive-level respondents accounted for 33 percent of the responses, and information security management and staff accounted for 23 percent of the survey takers.
The survey group was international in reach, with 42 percent of the responses coming from outside of North America, as shown in Figure 2. Responses from information security managers and consultants in Europe represented 26 percent of the responses. Other areas generated 16 percent of survey responses.
A Preview of the Results
The results of this project were compelling. The focus group and the survey group independently identified "senior management commitment to information security initiatives" as the number one critical element impacting information security program success. In addition, the two groups also consistently identified five other critical elements, resulting in the following list of six priority critical elements impacting information security program success:
- Senior management commitment to information security initiatives
- Management understanding of information security issues
- Information security planning prior to implementation of new technologies
- Integration between business and information security
- Alignment of information security with the organization’s objectives
- Executive and line management ownership and accountability for implementing, monitoring and reporting on information security
While there was significant convergence in the top six critical elements between the focus group and survey group members, there was a divergence between these independent groups when it came to the remaining issues in the top 10. Four elements from each group were different. To provide a more comprehensive list of critical elements, the remaining four items identified by the focus and survey group participants were added to the list of critical elements, making a total list of 14 critical elements for information security program success. These additional elements are:
- Appropriate employee education and awareness on information asset protection
- Consistent enforcement of information security policies and standards
- Placement of information security within the organization hierarchy
- Budget for information security strategy and tactical plan
- Consistent board/executive management message with regard to information security priorities
- Focus on short-term goals resulting in long-term control weaknesses
- Ability to cost-justify information security
- Generally accepted information security best practices/metrics
Key Findings
In addition to identifying and prioritizing the critical group members discussed at some length the these critical issues and offered potential conclusion of focus group members was senior management and information need to forge relationships that enable a with regard to the priority the organization valuable information and intellectual through the information security program. The to the strong need for messages to be visible and consistent action. That action, results, is the establishment and consistent company policies and standards. results indicate that without executive and visibly monitoring the status of the program, inconsistent compliance will information security progress and give false asset protection. Both groups also indicate that day-to-day priority conflicts continue to put information security on the "back burner." To ensure that information security is taken seriously by every employee and agent of the organization, executive and senior management must become visibly interested and vested in their organization's information security program success. However, there are fundamental barriers that must be addressed to achieve this level of support and visible program monitoring, including:
- Need for broader education for information security managers
- Partnering with line-of-business management to sell the information security program
- Need for best practices and reliable, unbiased security metrics
Interacting at the executive level requires skills in business practices particular to the organization, finance, business risk analysis and business case development. Information security professionals can no longer simply rely upon technical skills and knowledge of information security products and practices; information security is not self-funding, and related expenditures must be justified in business terms, with solid justification of business risk and with depth in the cost-benefit analysis. Information security managers who strive to be leaders in their organizations must look beyond technical continuing professional education credits and seek the appropriate industry and business skills necessary to participate as members of the leadership team. Such training requirements provide a great opportunity for ISACA to serve the CISMs and the information security management community, but they also require that information security managers be assertive in establishing a career development plan and, if possible, seek out a mentor outside of IT or security who will support and encourage career development success.
The broader skills required of the information security manager also include establishing cooperative relationships with line-of-business and corporate administration leadership. Information security programs cannot be successful without broad support from key business leaders. The information security program simply will not succeed if the information security manager is the only flag bearer. Developing collaborative relationships requires more than a basic understanding of industry issues and passion for information security initiatives; it requires listening and facilitating the ideas of others to achieve common goals and solutions. Developing the building block skills requires the information security manager to seek support for industry training and a dose of humility to solicit assistance in developing the collaboration skills needed to engage others to develop and share ownership of the information security program.
Best practices and reliable metrics are highly beneficial in charting a path to success. Unfortunately, information security best practices are not readily available due to the sensitivity associated with revealing such information. Equally difficult to find are metrics that are independent of vendor influence. Perhaps the greatest challenge, however, is finding best practices and metrics that support the information security manager in addressing the nontechnical issues, such as the aforementioned skills. An independent organization with the ability to gather information confidentially, develop and deliver quality training, and stay focused on the information security manager’s needs could certainly serve the information security community well in undertaking this cause.
Information Security: An Issue of Governance
Within the larger context of organization and security integration, it is evident that information security needs to be a consistent and visible part of organizational governance. If an appropriate governance structure is in place, issues such as commitment, understanding, integration, common objectives and accountability would not be identified as common elements impacting information security management. An effective linking among organizational governance, IT governance and information security governance should result in a common strategy and consistent support, better risk management, improved utilization of resources, and increased value delivery to the organization.
To support the development of a common governance structure, executive, IT and information security management should have a common framework reference to provide consistency in planning, implementing and delivering security within the organization and in aligning information security with organizational goals and strategies. Of equal importance is the development of metrics based on common goals and expectations with aligned performance indicators. The IT Governance Institute’s (ITGI’s) Control Objectives for Information and related Technology (COBIT) provides this framework and is increasingly being adopted by organizations. A companion document developed for information security managers and information users is COBIT Security Baseline, which contains survival kits specifically developed for executives, managers and users. Other excellent resources from ITGI that will foster improved communications and understanding between executive management and information security officers include Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, and the soon-to-be-released Information Security Governance: Implementation Guide, expected in the third quarter of 2006.
Summary
The information contained in the report reflects a growing recognition that information security is not just an IT problem; it is a business problem that can be defined and addressed only through cooperative participation from representatives across the organization. The information security manager must step up to initiate the necessary relationships and develop the skills necessary to facilitate the cooperation and analysis of bottom-line risk to the organization. It is no longer acceptable to propose information security investment as a “cost of doing business”; assets have value that must be quantified and assessed, with necessary risk mitigation efforts proven through appropriate cost-benefit analysis.
Another key finding of the report is that information security professionals recognize the need to develop a solid understanding of the business and utilize relationships to win support from leaders across the organization; the information security manager cannot be successful acting alone. Most important, however, is the need for executive and senior management to not only provide the appropriate resources, but also to consistently support the tough decisions with regard to protecting assets and enforcing related company policies and standards. With broad ownership of the information security program, such consistency becomes an achievable goal.
Sharon K. O'Bryan, CISA, CISSP
continues to be a pioneer in information security, business and technology continuity planning, and IT audit. She is also a contributor in various areas of technology law. She has been an active participant in executive strategy and risk management oversight, and corporate policy and governance committees. She has held positions as chief information security officer and chief privacy officer. She is currently an adjunct faculty member at ITT Chicago-Kent School of Law and ITT Stuart Graduate School of Business, as well as an author and subject matter expert. She also runs a small executive consulting practice.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.