HelpSource Q&A 


We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q I recently read a wonderful book, 8 Things We Hate About IT: How to Move Beyond the Frustrations to Form a New Partnership with IT. It made for an interesting read, listing out disconnects between the business and the IT function. The author gave a good deal of practical examples. The charm of the book was that the author, Susan Cramm, gave clear solutions to the illustrated problems.

I was wondering whether you can list out, in a similar manner, the ‘things we hate’ about IT security or information security. Please list them from your point of view (no compulsion to list eight). You may also wish to add what IT security must do in terms of making amends.

A Very interesting question. I made it a point to buy that book (published by Harvard Business School Press) after reading your question and became an instant fan of it. It is extremely well written with a lot of practical examples and not just bookish theory, frightening the reader with jargon.

I do not have the luxury of writing a book on the subject and have the constraint of limiting my thoughts to this column, though your question is a good idea for a theme that could be developed into a book.

Let me try to extrapolate the same concept from an IT security point of view. I will tell you the other side of the story as well.

  • Whilst the business aims to achieve its objectives, IT security throws a spanner in the wheel by imposing restrictions in the name of security policies that add little value to the overall business operations. IT security policies cannot be written for the sake of the survival and thriving of chief security officers and their cronies, but must be clearly aimed to minimise the real risks, not some illusionary risks. It must take into account the risks surrounding the business and work towards mitigating them.
  • Business wants IT security to focus on strategic business issues and align its goals towards the strategic issues, whereas the IT security function ends up spending its efforts on operational issues with limited consideration of the bigger picture and long-term goals. Patching desktops that host no sensitive information, and sitting behind multiple layers of security, such as firewalls, intrusion detection systems or intrusion prevention systems, must be the least priority for IT security.
  • Allocated funding gets spent on bringing in unwanted technology solutions for geeks to play with, rather than focusing on creating awareness amongst people who are the biggest purveyors and creators of risks. It is like buying an aircraft when all you need is a bicycle. The story is very old and well known: security viewed as a technology issue, rather than a people issue.
  • Security auditor, the devil within, is someone who wants everything to be audited for the sake of running a compliance and certification regime. Not ferreting out the right issues, the audit may focus on trivial matters. Such audits may mislead the leadership on the state of affairs because the real issues that remain on the ground do not get identified and reported. The focus areas of the audits may remain wrong.

Let us look at the other side of the story:

  • Business wants to control IT security and its activities, thereby stifling the real voice that can speak out certain ‘moments of truth’. IT security may lack independence of operations; perhaps due to undue influence, the business is able to influence in terms of reporting relationships. Doing this will lead to a scenario in which IT security is not able to voice its independent opinion on risks and controls and, thereby, is not able to choose its priorities to allocate resources appropriately.
  • Business focuses on collecting badges in the form of certifications and using IT security or information security as a vehicle to reach that destination, not realising that achieving security excellence is nothing but a continuous journey and never a destination. Instead of using IT security to focus on key risks and controls, it gets used as a jewel in the showcase with an aim to earn undeserved laurels.
  • Business may want security incidents to go unreported or underreported. Fearing loss of reputation or potential regulatory issues, businesses may choose to underplay security incidents. Equally, some business leads that may end up controlling IT security due to organisational structure may choose to get unwanted and irrelevant incidents reported and justify the funding allocations using the traditional concept of ‘fear, uncertainty and doubt’.
  • On the audit front, the business may hide issues, pulling them under the carpet, and try to showcase an ‘all is well’ scenario, while knowing well that the hidden issues are endless. Unless a major incident hits, the business does not feel the pain. A multitude of incidents may happen, but something non-catastrophic may help the business to fob off auditors on actual incidents.

All said, what is required to bridge the gap, because in both scenarios the sufferers are the key stakeholders in the business—be it customers or shareholders? My illustrative list—as always non-exhaustive—is as follows:

  • Business and IT security must work in complete partnership. This does not mean that IT security’s independence of operations must be compromised. The functions must define the boundaries and set the rules for co-existence.
  • IT security must help business identify the real security risks that may impede it from achieving its objectives.
  • Businesses should not live under any illusionary joy of a ‘no audit observations’ regime, which would really harm it in the long run. It must learn to recognise that audit observations are positive because they create opportunities for improvement.
  • The ultimate decision to accept any risk must be that of the business. The ideal scenario would be for the IT security group to identify the right risks and to reasonably quantify or qualify the potential impacts should they materialise and for the business to make the right decision regarding accepting, mitigating or transferring the risk. In this ‘ideal’ scenario, both partners are working towards not just preserving, but increasing shareholders’ value in any business operation.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big 4 professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2010 ISACA. All rights reserved.
