Corporate information in all its forms is a business asset and needs to be recognised as such. This implies that the ultimate responsibility for security must be accepted by the business and not merely delegated to a chief information security officer (CISO) or an equivalent role. The CISO may have delegated responsibility for establishing and managing many of the technical solutions that contribute to information security, but overall governance and assurance of the effectiveness of that security must reside with business management. It is with the chief executive officer (CEO) and the board that the buck stops and, in today's IT-enabled and IT-dependent world, ignorance and denial are no longer options.
This article explores the different roles and responsibilities that contribute to effective information security. It acknowledges that there are many different forms of information that need to be protected, ranging from bits and bytes on digital media to verbal conversations. All such information, if compromised in any way, can lead to corporate embarrassment, regulatory failure or financial loss.
The Move to Integration
Amongst security professionals there is a consensus that the traditional, IT-led security function is no longer appropriate. There is an increased need to integrate different functions previously responsible for specific aspects of security into one holistic entity capable of recognising, preventing and reacting to any threats to corporate information or assets, wherever or however they may arise within the organisation.
This trend is exemplified by the move announced by BP in June 2007 to bring together, over the following two years, more than 530 employees from its IT, corporate and physical security divisions worldwide to devise plans to protect the business globally. According to reports, the company aims to roll out best practices linking physical security to IT security across the company, checking, for example, whether people who are logged on to their workstations are actually physically in the building.
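The physical/logical correlation the BP report describes is one of the few concrete techniques in this article, so here is an added example of what it looks like as detection logic. This is not BP's code and not part of the original article; the badge-reader and console-logon log formats, the user names, hosts and sites are all constructed for the example. The rule is simple: a console (local) logon at a site should be preceded by a badge-in at that site by the same person, and should not fall after their badge-out.

```python
"""Correlate physical badge events with workstation console logons.

Added example, not code from the article. Log formats below are invented:
  badge events : timestamp,user,site,direction   (direction is IN or OUT)
  console logons: timestamp,user,host,site
"""
from datetime import datetime

# Constructed sample badge-reader log (not real data).
BADGE_LOG = """\
2007-08-01T07:55:00,alice,london,IN
2007-08-01T17:10:00,alice,london,OUT
2007-08-01T08:20:00,bob,london,IN
2007-08-01T12:00:00,bob,london,OUT
2007-08-01T09:00:00,carol,houston,IN
"""

# Constructed sample console-logon log. A console logon means someone is
# physically at the keyboard, so a badge-in at that site should precede it.
LOGON_LOG = """\
2007-08-01T08:02:00,alice,LDN-WS-014,london
2007-08-01T13:30:00,bob,LDN-WS-022,london
2007-08-01T09:10:00,carol,LDN-WS-031,london
2007-08-01T22:45:00,dave,LDN-WS-009,london
"""


def parse_csv(text):
    """Split a small comma-separated log into rows, skipping blank lines."""
    return [line.split(",") for line in text.strip().splitlines() if line.strip()]


def build_presence(badge_log):
    """Return {user: [[site, in_time, out_time_or_None], ...]} from badge events.

    Events are processed in timestamp order (ISO-8601 strings sort lexically),
    and an OUT closes the most recent still-open interval for that user.
    """
    presence = {}
    for ts, user, site, direction in sorted(parse_csv(badge_log)):
        t = datetime.fromisoformat(ts)
        if direction == "IN":
            presence.setdefault(user, []).append([site, t, None])
        elif direction == "OUT" and user in presence:
            for interval in reversed(presence[user]):
                if interval[2] is None:
                    interval[2] = t
                    break
    return presence


def _present(interval, site, t):
    """True if the badge interval covers time t at the given site."""
    iv_site, t_in, t_out = interval
    return iv_site == site and t_in <= t and (t_out is None or t <= t_out)


def check_console_logons(badge_log, logon_log):
    """Return (user, host, reason) for each console logon without matching presence."""
    presence = build_presence(badge_log)
    findings = []
    for ts, user, host, site in parse_csv(logon_log):
        t = datetime.fromisoformat(ts)
        intervals = presence.get(user, [])
        if not intervals:
            findings.append((user, host, "no badge record for user"))
            continue
        if any(_present(iv, site, t) for iv in intervals):
            continue  # badged in at this site, logon is consistent
        elsewhere = [iv for iv in intervals if _present(iv, iv[0], t) and iv[0] != site]
        if elsewhere:
            findings.append((user, host, f"badged in at {elsewhere[0][0]}, logon at {site}"))
        else:
            findings.append((user, host, "console logon with no matching badge-in"))
    return findings


if __name__ == "__main__":
    for user, host, reason in check_console_logons(BADGE_LOG, LOGON_LOG):
        print(f"ALERT {user}@{host}: {reason}")
```

Running it flags three of the four logons: bob's console logon after he badged out, carol's logon in London while badged into Houston, and dave's logon with no badge record at all; alice's logon is consistent and produces nothing. In a real deployment the interesting engineering is in the edge cases this toy skips: tailgating (no badge-in for someone genuinely present), shared or remote consoles, and clock skew between the access-control system and the directory.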
This is just one example of the way the information security world is changing in response to 21st century pressures, including increased regulation, greater consumer choice, enhanced globalisation and terrorism in all its forms. This trend is also supported by a Gartner prediction that, by 2008, 35 percent of Global 2000 enterprises will have a risk management function integrating information security and business continuity activities into the companywide profile of strategic, financial and operational risks.
Professional associations are also recognising this with, for example, the founding of the Alliance for Enterprise Security Risk Management™ (AESRM™).[1] This new alliance has been established to help provide a holistic view of how enterprises are facing the risks that arise when physical and IT security risks need to be considered collectively.
Responsibilities at All Levels
Taking into account interdependent supply chains and outsourcing partners, there are now myriad people at different levels within and outside of an organisation who have a responsibility for information security. Everyone has a security responsibility. Office workers may be inadvertently shoulder-surfed whilst reading confidential or otherwise sensitive documents on a train, for example, and they must be constantly aware of this risk. The CEO is responsible for ensuring that the organisation's information security risk is properly understood and appropriately mitigated.
At the centre of this essential mitigation are the security and risk management specialists who have responsibility for designing, implementing and managing the specific security measures that any entity requires. These range from the articulation of policy to the establishment of staff security awareness programmes.
Those with responsibility for information security, therefore, hold many diverse roles, including the chair and CEO, other board members, line-of-business (LoB) management, the chief information officer (CIO) and his/her team, risk managers, audit committee members, security committee members, auditors, and compliance officers. The larger and more information-intensive an organisation is, the more roles it will have with a direct involvement in security.
Ultimately, it is the responsibility of each and every employee to help ensure information security. For example, as companies enable more of their employees to access data remotely from home, airports and Wi-Fi spots using mobile devices, continued vigilance becomes increasingly required at all levels.
The Security Imperative
It is a given that information security is of paramount importance to global commerce. Consumers' trust in the protection of their sensitive information is essential in the building of long-term customer relationships in all areas of business, with particular emphasis within, for example, healthcare and financial services. It is therefore puzzling that the Gartner EXP CIO survey of 2007 indicated that security has dropped out of the top 10 business priorities for the first time in many years, and has fallen from number two to number six in the top 10 technology investments.[2] Is this because CIOs believe that it is now finally under control and that sufficient investments have already been made?
There is no denying that many organisations have invested significantly in security in recent years, particularly in response to legislation and regulatory requirements such as Sarbanes-Oxley and Basel II. However, should this mean that security now becomes a lesser priority than it has been in the past?
Enlightened boards understand that security is not something that can be a major focus at one point in time and then placed on the back burner until the next piece of legislation or crisis comes along. Such boards realise that security is a continuing process and, although the level of investment may change from year to year, the level of focus and commitment must remain a high priority at all times. This is why it is essential for roles and responsibilities to be defined, and organisational structures to be designed and implemented, to ensure that security does indeed remain centre stage.
Organisational Structures for Security
The optimum organisational structure for security varies from entity to entity depending upon, amongst other things, organisation size, industry and culture. Figure 1 illustrates in a very simplistic form how a typical structure might be established in a larger, multinational, risk-aware organisation.
Whilst the structure and reporting lines may differ from one entity to another, there are some features that should be generally applicable. For example an emphasis on overall corporate information security recognises that the IT-related aspects are a part of a far larger picture, and that essential elements of security, such as the development of policy and incident response, have implications far beyond IT and the CIO. Similarly, it is essential to recognise that different lines of business or geographically dispersed business units may have specific needs, albeit within the centrally established parameters.
This typical structure recognises the existence of a centralised corporate risk function, which is an increasingly common feature of many regulated and highly information-dependent businesses. Most important, however, is the need for governance, which is essential to:
- Establish clear responsibilities and decision rights
- Provide an assurance framework to enable transparency of activity together with appropriate metrics
- Ensure that regulatory requirements are met
- Provide assurance that the business requirements for security are being met
- Ensure that resources are used appropriately and prudently and that value for money is being obtained
In many ways the governance element is the 'glue' that binds together all other elements of security and ensures appropriate interaction among them. Through its publication Information Security Governance—Guidance for Boards of Directors and Executive Management, 2nd Edition, the IT Governance Institute (ITGI) provides a comprehensive primer on the governance of security for those with a responsibility for it.[3] This publication is available for download at no cost from www.itgi.org.
The Audit Committee
Central to the effectiveness of governance (both corporate and IT) in an increasing number of organisations is the audit committee. Whilst most large organisations in the private and public sectors have had audit committees for many years, Sarbanes-Oxley established this as a statutory requirement within organisations affected by the legislation.
Traditionally the audit committee has been a subcommittee of the board. Usually chaired by a non-executive director, the audit committee is responsible for working with the external and internal auditors to help ensure the integrity of financial reporting. It must also ensure that an internal control structure has been established and is working effectively.
These responsibilities have been extended through recent legislative and regulatory moves to embrace other nonfinancial aspects of the business. Whilst information security within many organisations has been long regarded as a key aspect of internal control, new audit committee responsibilities make it difficult to argue that it should be excluded from their realm of responsibility. Therefore, an increasingly broader group of members of risk management (and often the CISO specifically) also have formal reporting lines to the audit committee.
Concerns remain about an audit committee’s ability to fully understand this broader spectrum of responsibility. Nevertheless, there is little doubt that these committees are becoming better able to ask the right questions and properly challenge the answers. These competencies are largely due to better-focused committee members and an increased reliance on external advisors, such as independent risk management consultants and auditors. A constructive relationship among the CISO, the chair of the audit committee and other risk management professionals is seen as an essential requirement for the future.
The Role of the CISO
The CISO’s domain has traditionally been the IT function, usually reporting to the CIO or another senior IT manager. The broadened focus on information security has begun to alter this reporting line. The CISO now often reports to a business function such as the chief financial officer or chief operating officer, or occasionally directly to the CEO. Another increasingly common line of reporting is to the chief risk officer. So will the CISO role diminish?
IT-related information security will remain a prime requirement. After all, most corporate information now resides within the digital domain, so protection of this information will remain a critical requirement.
As technology changes, becoming perhaps more complex, and corporate information (and the forms within which it is held) becomes more diverse, the need for strong technical security skills will grow. However, the new emphasis will be on an understanding of the broader business risks and the context within which IT-related security has to co-exist.
What, for example, are the security implications for the digital economy and its new business models, based upon openness, collaboration and integration? These models and the Web 2.0 phenomenon associated with some of them may have a profound impact on the way information security operates in the future.
Whilst many of these new ideas may never take root, the ambitious and visionary CISO would be well advised to keep on top of these developments, so that he/she can support any operational, technical or cultural changes that will be required. Working with business leaders and gaining commitment from the board will be an essential part of the security professional’s role. Signing up for business courses, reading business publications, training in financial metrics and spending time working within the business are all suggestions that security specialists would be wise to consider if they want more than a purely technically focused career.
As already stated, the responsibility for recognising and mitigating all business risk rests with the CEO and the board. A basic tenet of corporate governance is the need for the board to protect the interests of all stakeholders within the business. Although no individual board member is likely to have all of the skills needed to ensure that this happens, it is essential that the board possesses them collectively. These skills need not be deeply technical, but board members must know what questions to ask and how to challenge those tasked with risk management.
The board has to gain explicit assurance that the risks have been managed and continue to be managed. This will not happen by accident. Formal and regular reporting from relevant functions, including the audit committee, internal audit, external audit and the information security function, is likely to form part of this assurance process—supported by appropriate metrics.
The following sections describe information security roles and their responsibilities.
The CEO
The CEO leads the management team. He/she will have a direct influence on the control culture within the entity and is likely to set the agenda for the level of risk that is acceptable to the business. Every CEO must balance the need for individual empowerment and entrepreneurship against the need for checks and balances in all their forms, including security. However, the enlightened CEO should recognise the reputational and fiduciary importance of security and should ensure that appropriate resources are dedicated to security initiatives.
The CIO
The CIO may or may not have a direct seat on the main board, but he/she should have an effective reporting line into the boardroom. The CIO has a direct responsibility for information security insofar as it can be managed from within IT. Although this is changing, for now the probability is still that the CISO will report directly to the CIO. The CIO is also responsible for ensuring that the board members and other senior business managers understand IT well enough to discharge their IT governance responsibilities, including those for security.
Other Line-of-business Directors
Other business managers must be responsible for the security of business information, albeit with the support and active involvement of security specialists. Only the business managers know what information is sensitive or confidential. Consequently, to avoid excess cost and to balance security with appropriate access, it is essential for business managers to be directly involved in the security governance process. To ensure that this happens, the right level of business training is needed for the technical specialists, along with IT training for the business managers.
The Human Resources Function
Security problems are largely caused by people and not by the technical infrastructure. Therefore, it is helpful for the human resources (HR) function to be fully conversant with the need for security. The HR function can help ensure that appropriate personnel policies are established and maintained. For example, induction training for new staff members should include information security.
Non-executive Directors
Non-executive directors have a key role to play in all aspects of the governance of IT, including security. They can be appointed to boards to fill knowledge gaps amongst executive board members. However, the 2006 Ernst & Young survey of non-executive directors highlighted that, specifically in relation to information security, 'this is an area where few, if any, of our sample would have personal expertise to bring to bear'.[4] This has to be of concern to corporate governance generally and is undoubtedly a weakness in current board structures.
The Risk Director/Manager
This relatively new role is a response to the need for a holistic review of risk. It is a key role in ensuring that all corporate risks are properly recognised and managed. The key concern with this perceived centralisation of responsibility is that it could diminish the responsibilities that individual business managers have for managing risk within their own domains. Therefore, whilst the risk management function can provide a skill base for dealing with risk, business managers need to understand that the buck still stops with them.
Threats to corporate information are changing at a time when businesses are relying more heavily upon information technology. The CISO can no longer expect to bear the sole responsibility for information security. Instead, many individuals and many roles within an organisation must share this responsibility. Success comes to organisations that recognise these roles, establish clear accountability and provide the appropriate governance structure. This structure not only enables other employees to be more responsible for security, but also ensures that security is not being compromised and that information assets continue to be properly protected.
Tapscott, Don; Anthony D. Williams; Wikinomics, Portfolio Press, 2007
[1] ISACA (which supports and provides certifications for information security professionals) supports and is a founding member of AESRM.
[2] Gartner Group, EXP CIO Survey 2007, 2007
[3] IT Governance Institute, Information Security Governance—Guidance for Boards of Directors and Executive Management, 2nd Edition, USA, 2006
[4] Ernst & Young, Non-Executive Director Survey, 2006
Paul Williams, FCA, MBCS
is a past international president of ISACA and ITGI. He chairs the ISACA Strategic Advisory Council and consults to organisations such as SeaQuation and Protiviti (UK).
This article was originally published in Network Security, volume 2007, issue 8, August 2007, p. 11-14, www.networksecuritynewsletter.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.