Let me introduce you to Jen Hajigeorgiou.
She has been editing this column for many years. When I recently submitted an article that did not deal with Information Security[1] (functional) but rather with information security (conceptual), she asked me how I defined the topics I would write about under the heading of IS Security Matters.[2] What exactly is Information Security?
If you will indulge me for a few pages, I would like to answer Jen and then ask for your assistance. I think that the answer provides a useful perspective on how information security professionals address their responsibilities today, how that perspective has evolved and where it might lead in the future.
When I first became involved in Data Security (as it was then known), mainframes roamed the earth and the role of information systems was primarily for recording and reporting on transactions that had taken place externally from the systems, but not for the active execution of transactions themselves. The focus of security was clearly on fraud and its prevention. If records could be manipulated, it was possible for someone (in almost all cases an insider) to take money and cover his/her tracks. Most security, such as it was, was performed within applications. After-the-fact assessment and rather rudimentary control of passwords and accounts were the substance of the quotidian practice of data security.
The focus was subsequently enlarged to the prevention of misuse of data resources, which comprises fraud but also includes a variety of other objectives such as the confidentiality, integrity and availability of the information itself. Indeed, CIA became a shorthand definition of data security itself. Encryption, access control and disaster recovery were the daily tasks of information security professionals.
This perspective of information security rapidly evolved to include the missing element, i.e., the business functions that owned the information represented on computer systems as data. The term “Information Security” overtook the term “Data Security” and the focus moved to preserving the value of the information resources, which were increasingly being recognized, even by accountants, as assets of the organization. Concern for confidentiality embraced privacy; protection of integrity expanded beyond access control to include intrusion detection; and disaster recovery in the data center was enlarged to encompass continuity of the business itself.
Around that time, I began writing this column.
The Current Perspective
Sadly, in my opinion, one of the parallel trends as information security expanded was the fractionalization of the field. As the lead manager of Information Security adopted the title chief information security officer (CISO), there came to be chief privacy officers, compliance managers and business continuity leaders. This siloing of responsibilities reflected diffusion in the definition of information security itself—one that I have decried over the years, especially in articles in this space.[3] There was a need for a clear definition, a universally accepted point of reference for information security. Into that gap stepped first the British Standards Institution and then the International Organization for Standardization (ISO), developing what is now ISO 27001/2.[4] While it is not the only, or even the first, standard on information security, ISO 27001/2 does provide the most widely accepted definition of what practitioners actually do, if not what security of information means within the context of the many public and private organizations that have information worth protecting.
Thus, my simple answer to Ms. Hajigeorgiou’s question is that I define information security the way that ISO does. To paraphrase—rather badly, alas—from the Latin, “I am an information security professional; nothing security-related is alien to me.”[5]
Today, I believe the global perspective on information security has shifted once again, with the focus now being on risk. Indeed, in 2008 ISO expanded the 27000 series;[6] the first new standard dealt with risk management as it relates to information security.[7] I do not believe that ISO sets the tone for actual practice. This organization waits until the best practices (or at least widely accepted practices) are widely understood, and then documents that understanding in as broad a manner as possible. Hence, the ISO information security standards can be quite vague when there is no consensus. The most glaring example of this is in the area of privacy, which ISO 27002 recognizes as an aspect of information security, but which it cannot find much to say about except that something must be done about it.[8] All the same, the standard encompasses privacy in information security, along with business continuity management, physical security and human resources, et al. So by using the ISO 27000 series as my boundary, I feel that I can be quite justified in writing about almost anything in this space.
Having traced the historical arc of information security from prevention of fraud and misuse to preservation of value to risk management, I do not think that the evolution is complete by any means. I believe that the next great shift in the global perspective on information security will be to see it as strategic to the success of the organizations of which it is a part. This means that the CISOs of the world will be a part of the decision-making processes of companies and government agencies at the highest level. It can already be seen, faintly to be sure, in US President Barack Obama’s declaration that he would appoint a cybersecurity “czar” and that “We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.”[9] That is spoken very much like a CISO, and it indicates that information security is penetrating the halls of power. Similar trends can be found in the European Union and in several Asian countries.
Is there an even broader perspective on information security than a strategic one? It is hard to tell through the mists of the future, but words such as systemic and societal come to my mind. It is apparent to me that wherever information security takes us, the future will be beyond the scope of standards. We will enter (in fact we are already entering) into realms in which economic, cultural, social and historical differences will assert themselves in information security. I believe that we will simply have to live in a world in which my idea of security may be much more (or less) stringent than yours. It is precisely those areas of debate that I hope to address in this column, as long as ISACA will have me.
Which brings me to my request of you, the reader. With all the foregoing, should Ms. Hajigeorgiou keep the title of this column the way it is, IS Security Matters, or should she/we come up with something else? If we should, what are your suggestions? Drop me an e-mail and let me know what you think. Whether the name changes or not, I promise to pass along some of the better ideas in a future column.
[1] Throughout this article, I have capitalized “Information Security” when referring to the functional aspects and use the lowercase “information security” when describing the conceptual aspects.
[2] I do not get credit for the column’s title. I believe it goes to Michael Cangemi, the long-time editor in chief of the Journal. I have never been sure whether the title refers to matters of security or if it means that Information Security really matters.
[3] See, for example, “Is Information Security a Threat to Resilience?” vol. 1, 2005 or “Converging Need, Diverging Response,” vol. 2, 2006.
[4] International Organization for Standardization, ISO 27001/2, “Information technology—Security techniques—Information security management systems—Requirements and Code of Practice,” 2005. I have railed at these standards many times over the years, but ultimately concluded that they are the necessary boundary definitions of information security.
[5] The Roman playwright Terence said “I am a man; I hold that nothing human is alien to me.” Actually, he said “Homo sum; humani nil a me alienum puto.”
[6] ISO has planned future standards to deal with a wide variety of subjects, including measurement and auditing of information security.
[7] International Organization for Standardization, ISO 27005:2008, “Information technology—Security techniques—Information security risk management,” 2008.
[8] This complex topic is reduced to a mere 212 words of guidance. The control statement reads, “Data protection and privacy should be ensured as required in relevant legislation, regulations and, if applicable, contractual clauses.” I natter about this every now and again; the last time in this column was “Content and Context,” vol. 1, 2006.
[9] See www.whitehouse.gov/video/President-Obama-on-Cybersecurity or www.nytimes.com/2009/05/29/us/politics/29obama.text.html?pagewanted=1&ref=politics for the full text of the announcement.
Steven J. Ross, CISA, MBCP, CISSP, a retired director from Deloitte, is the founder of Risk Masters Inc. He can be reached at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.