In today’s inter-networked environment, organizations depend heavily on information technology. It is imperative to succeed in information security (as part of information technology in many organizations) to achieve the strategic goals of an organization. Even though most organizations pursue information security as a key business initiative, there are not many that achieve great and continuing success. This article looks at the various considerations that can help in achieving continued success in information security. By analyzing the characteristics of a successful information security program, the authors provide an integrated approach toward realizing continued success.
What Is Success in Information Security?
Success is “the achievement of something desired, planned, or attempted; attaining the results expected.”1
Continued success has become a business priority. An organization greatly successful in information security (in the context of this article) is, therefore, an organization that has a record of successes in information security and succeeds in information security on a continual basis.
Success Comes From a Compelling Vision and an Outstanding System
A distinct characteristic of successful organizations is that they have a compelling vision and an outstanding system to power their strategy. Through their outstanding systems, they connect their performance with their goals and plans and thereby to their vision/dreams, quickly carry out course corrections, continuously realize better results, and perfect these to a level of continuing excellence.2
These organizations have information security as part of their business strategic vision. They also use a powerful structure and approach to achieve their goals by linking their performance on information security with their organizational goals and plans.
Principles for Succeeding in Information Security
Research in the information security field has revealed some inherent truths about information security. This article categorizes them as principles of information security much like the principles required for success as explained in the ThinkTQ approach.3 They are:
- Security is a process, not a product.4
- People, process and technology are the key elements to a complete and holistic security program; however, people are by far the most critical element.5
- Information security is not a destination, it is a journey.6 It is a continuous practice. To achieve a continued success in information security, an organization needs to focus continuously on improving its information security practices as the technology environment keeps changing and new threats arise.
- It is infeasible to provide 100 percent information protection to 100 percent of information assets at all times. The right approach is to identify the key information assets that need to be protected (including data) and the extent of protection required in line with the risk appetite of the organization.
- Security is an ecosystem, not a product.7
These principles have been proven time and again and, therefore, it is prudent to develop the information security program in line with these principles, for maximum success.
A Sound Information Security Program Is the Foundation
An information security program can be defined as:
The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis.8
Essential to succeeding in information security is a sound information security program that will drive an organization to realize its vision.
Characteristics of a Successful Information Security Program
A successful information security program exhibits the following qualitative characteristics in an increasingly balanced and intense manner:
- Energy—The information security program should be energized thoroughly by appropriate funding, key stakeholder involvement and top management support, and should be well coordinated.
- Mission—The mission of an information security program should be to provide appropriate confidentiality, integrity and availability of information under all circumstances. This mission should be integrated into the overall IT strategy and should be directed toward achieving the organization’s mission.
- Attitude—Positive attitude is the key for the execution of an information security program. Implementation of the program should not result in an attitude of penalizing for information security failures as a regular practice. On the other hand, the program should, in general, create a positive attitude in the organization toward security and create the necessity for being secure.
- Set goals—The information security program should be directed toward achieving clearly stated organizational goals derived from the mission statement. These goals should be specific, measurable, achievable, realistic and timely (SMART).
- Plan—Planning for achieving the information security goals is one of the key characteristics of a successful information security program. The security program should demonstrate the ability of the organization to plan (annually, quarterly, monthly, weekly and daily, as appropriate) and update the program on a regular basis.
- Prioritize—Implementation of the information security program should result in identification of a number of actions to be performed to comply with the information security program. As stated earlier, it is infeasible to provide 100 percent protection to 100 percent of assets at all times. Therefore, prioritization of action items becomes important. The program should be well integrated with the technology risk function, which should assist in prioritizing action items so that key information assets are secured in an appropriate manner.
- Synergize—The organization actively synergizes involvement of internal and external stakeholders and enables them to commit to achieving the organization’s information security goals.
- Organize—Actions are performed in an organized manner. Actions are generally prioritized, scheduled, implemented and reexamined for appropriate completion. Lack of appropriate organizational skills results in suboptimal achievement of information security goals.
- Optimize—Mature information security programs exhibit optimization: actions leverage one another, cost and performance efficiencies are achieved, and results are delivered in a predictable and acceptable manner. It should be noted that optimization generally occurs only in a very mature environment.
- Act now—This is one of the most important characteristics of a successful information security program. If challenges/risks/threats are not acted upon, the information security program may not deliver its objectives. An “act now” philosophy guides the actions and enables the organization to plan and act instantly.
These 10 characteristics are described as the 10 colors of a winner, and they need to be in proper balance and bright enough for one to continue to succeed (as elaborated by the ThinkTQ approach).9 This applies to a successful information security program as well. Figure 1 shows the characteristics and the results when they are intense and when they are weak.
To be successful, it is essential to have all of these characteristics in place and balanced. It is also necessary to continue to improve, thereby resulting in improved performance and continued success. All of this happens through a sound information security program.
Also, if any of these characteristics are weak, the information security program should give rise to actions that rectify the deficiencies.
Successful Organizations Follow a Powerful Methodology
The principles provide the truths that need to be followed by organizations. The vision and dreams power the actions. The information security program helps the organization realize the goals and enhance the 10 characteristics to succeed. A powerful methodology enables the setting up of an effective program.
One such methodology follows:10
- Base the information security program on an appropriate framework. A framework provides a number of advantages. Some of them are:
– A structured approach to the program
– Help in identifying commonalities and selecting controls that are in line with best practices, which guides a balanced approach and comprehensive protection
Some of the most popular frameworks are:
– ISO 27002
– IT Infrastructure Library (ITIL)
The framework should be selected based on the organization’s business priorities. It is also possible to set up a custom framework for an organization, deriving controls from the various frameworks.
- Use a sound risk management methodology. A key objective of an information security program is to provide effective controls to bring the risks within acceptable levels. It is, therefore, essential that the organization adopt sound risk management methodology that enables this process.
- Make information security strategy an integral part of the regular business strategy and annual plans. The information security strategy needs to be integrated as part of the regular business strategy. Information security plans are to be part of the routine planning of the organization, with suitable changes made depending on the organizational changes.
- Integrate the information security program with the organization’s governance framework. Information security governance is essentially the responsibility of top management. Ensuring that the information security program has evolved out of the overall governance framework of the organization enables the development of the right management structure and organization and the appropriate reporting processes, which are necessary for the success of information security.
- Establish an appropriate metrics program to support the initiative. “What gets measured gets done” is true of information security as well. Organizations would, therefore, do well to establish measurements and derive actionable metrics at the various levels in the organization. A select set of metrics can be identified, tracked and reported on consistently to help determine answers for the following questions:11
– Are we doing what we should be doing?
– Are we doing what we say we should be doing?
- Engage the process owners and make the program as self-governing as possible. Establishing processes in which the process owners are engaged in the overall process makes it more successful. A self-assessment process is one effort that can help in this. It should be a systematic and ongoing process that will enable the program to be self-governing.
- People make the difference. While people, process and technology together make up the information security management process, the people component is the most crucial among these. Engaging the people with appropriate awareness and training programs right from the beginning is among the crucial steps to success. This results in an appropriate culture of accountability and responsibility throughout the organization.
- Ensure effective continuous improvement. Continuous improvement is the hallmark of a successful information security program. Information security is a journey, and the information security program needs to be constantly improving and in line with the business priorities. These improvements have to be in all areas.
Assessing the Overall Success and Value-add From the Program
While the metrics program gives a comprehensive method of tracking the performance at various levels, a balanced scorecard (which can be set up in line with the metrics program) can provide an excellent method of assessing the overall success of an information security program and the value from the program.
According to the Balanced Scorecard Institute:12
The balanced scorecard is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy, and translate them into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the balanced scorecard transforms strategic planning from an academic exercise into the nerve center of an enterprise.13
Figure 2 elaborates on the application of the balanced scorecard for information security.14
A typical balanced scorecard report for an organization is shown in figure 3.
The organization can have a target overall score for a year, work to realize that and use it as the basis for rating success.
Tracking the Progress of the Program
While the balanced scorecard provides a measure of the overall success of the organization’s information security at a point in time, the performance and the related factors are to be tracked on a regular basis and suitable actions taken. A scorecard summarizes all the aspects and is a means to track the program. This includes the results from the balanced scorecard as well as assessment of the 10 characteristics of the program. Figure 4 is an example of such a scorecard.
This scorecard can be used to integrate all the perspectives, to track the progress and for corrective actions. This scorecard can be quite useful to drive the timeliness of actions and as a top-level report.
In summary, to succeed in information security, organizations need to ensure a holistic perspective consisting of:
- A compelling business vision and an integrated information security vision
- A powerful information security program to enable realization of the strategy
- Assessment of the 10 characteristics of the program, resolving to eliminate the weaknesses and to enhance the strengths on a continual basis
- The right implementation approach, along with measurement such as that shown in figures 3 and 4
- Use of the measurement and taking actions that reflect on the characteristics positively
- Reporting the performance of the balanced scorecard to top management and engaging the whole organization in adding value
Overall, it is the establishment of a sound information security program that is derived from effective information security governance and an appropriate risk management methodology, along with its brilliant execution and ever-improving excellence in operations, that enables an organization to succeed in information security on a continual basis.
1 Dictionary.com, The American Heritage Dictionary of the English Language, 4th Edition, retrieved 14 April 2008, http://dictionary.reference.com/browse/success
2 ThinkTQ.com Inc., The Power of TQ, www.thinktq.com/products/books/tqs_ptq.cfm
3 ThinkTQ.com Inc., Commentary, 15 September 2008, www.thinktq.com/training/commentary/tqs_current_commentary.cfm?id=BDD5C589D9BCC67B7EB9EC449378970E
4 Schneier, Bruce; Crypto-Gram Newsletter, 15 May 2000, www.schneier.com/crypto-gram-0005.html
5 Ransome, Jim; “Security and Mobility Best Practices: People, Process and Technology,” www.securegovcouncil.org/
6 Schneier, Bruce; Crypto-Gram Newsletter, 15 June 2000, www.schneier.com/crypto-gram-0006.html
7 Parrin, Chad; “Security Is An Ecosystem, Not A Product,” ZDNet Asia, 11 March 2008, www.zdnetasia.com/techguide/security/0,39044901,62038696,00.htm
8 ISACA, CISM® Review Manual 2008, USA, 2007, p. 34
9 Op cit, ThinkTQ.com Inc., The Power of TQ
10 Sethuraman, Sekar; “Turning Security Compliance into a Competitive Business Advantage,” Information Systems Control Journal, September 2007, www.isaca.org/jonline
11 Opacki, Dennis; “Building Business Unit Scorecards,” December 2005, www.adotout.com/BU_Scorecards.pdf
12 Balanced Scorecard Institute, www.balancedscorecard.org
13 Op cit, ISACA, 2007, p. 33
14 Sethuraman, Sekar; “Use Balanced Scorecard to Enhance Information Security Health,” eIssa Times, April 2005, www.eissa.org/april2005.htm#12
Sekar Sethuraman, CISA, CISM, CGEIT, CIA, CISP, PMP, CSQA, CVA
is the head of IT security (Greater Asia) at LexisNexis. He is also the director of research of the ISACA Chennai Chapter. He has more than 25 years of experience and has helped a number of organizations with their information technology and information security. His areas of expertise include measuring and managing the performance of information security, managing security in outsourcing, incident response, ISMS, ISO 27001, and CobiT. He can be reached at email@example.com.
Alagammai Adaikkappan, CISA, CISM, ACA, LCS
is the principal (technology audit) at the National Australia Bank, Melbourne, Australia. She specializes in IT risk management, security management and IT governance. In her current role, she specializes in IT audits in corporate and institutional banking. Her other areas of expertise include data management, business continuity planning/disaster recovery, application development and project management. She can be reached at firstname.lastname@example.org.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.