Steven J. Ross, CISA, CISSP, MBCP
If information security were a movie, it would be a Western. The chief information security officer (CISO) would be the sheriff, hired to clean up the dusty frontier town—rounding up varmints, corralling rustled strays and protecting the good townspeople from the Dalton Gang [1] (always the Dalton Gang). He would be beloved by the schoolmarm, and he would get along well with the saloonkeeper, too.
This would be a good, interesting movie, especially the climax in which he would singlehandedly shoot down the entire Dalton Gang. There is another story, though, and it is a boring one. It is the tale of the mayor who brought the sheriff to the town. He is really pleased to see crime in check, but he has other worries as well, such as air pollution, unemployment and the building of a sewer system. He has lots of problems to deal with, and on any given day, crime fighting may not be his top priority.
The mayor gets along well with the sheriff and is pleased with the progress he has made, but he does wish the sheriff would stop instigating brawls every night in the saloon and having all his gunfights on the main street.
If the sheriff is the CISO, the mayor is the risk manager.
Historically, information security and risk management have been tightly aligned in most organizations. The lack of adequate protection of information resources has rightly been seen as one of the premier threats to any organization that relies on information systems for its business operations, which, today, means virtually every company and government agency. In recent years, two key factors have put strain on that alliance.
The first, paradoxically, has been the success of information security. When management first comprehended the risks inherent in information technology (often with the prompting of risk management), the result was the appointment of a head of information security, nowadays the CISO, and the allocation of budget to close loopholes, prevent internal misuse of information and protect the organization from the Dalton Gang—er, hackers. There was a perpetual battle for budget, as risks became more evident and effective countermeasures reached the market. So, firewalls, intrusion detection systems, antivirus filters and encryption were introduced, and because they worked, the security of information resources became less risky. Thus, risk managers’ attention could be focused elsewhere and CISOs could no longer blithely assume that risk managers would support each of their initiatives and purchases.
In some cases, CISOs’ zeal for security exceeds their political skill, and the risk manager is an ally in getting senior executives to see things the way the CISO does. The occasional run-ins with management are the equivalent of the Western movie’s fistfights in the bar.
The second factor is the emergence of automated information tools in every aspect of business and personal life. The Internet has been around for a while now, but it has never been so pervasive. Significant information processing capability fits in a pocket now, where once it required a briefcase. Many people in many organizations see these devices as tremendous productivity and business growth tools. Many CISOs feel as though they have been through this battle before, when laptop computers became prevalent, and they see the need for improved protective measures. Without arguing the rights or wrongs of each decision, cumulatively these decisions put CISOs on the defensive all the time. They are seen to be against smartphones, against social networking, against flash drives—against, against, against.
Many risk managers take a more measured view of these technical innovations. They can see the potential for both benefit and harm. For the first time in a long while, the CISO and the risk manager are finding themselves on different sides of issues, and both are uneasy with this development.
At the heart of the divergence is the fact that many CISOs are temperamentally inclined and incented to eliminate risk, while risk managers are prepared to accept a greater degree of risk for larger rewards, and so they manage it. This is more than risk acceptance, which in some places has been code for ignoring risk and hoping that the negative consequences of it never occur (or at least never during the time that the risk acceptor is with the organization).
Even when the risk manager and the CISO agree, there are often differences of emphasis and degree. With a finite budget for security, choices must be made for investment in risk containment. Unfortunately, much of that budget is constrained by the fact that many organizations purchased security products in the past without considering the total cost of ownership (TCO) of those tools. The TCO includes not only annual maintenance fees, but also the continuing labor cost for monitoring and using the safeguards. There is much less to spend in an information security budget than it would seem at first glance. Thus, incremental monies must be spent where the risk is greatest.
Many CISOs are justifiably proud of what they have accomplished to combat misuse of information resources, but are acutely aware that some misuse, some penetration, some data loss may still occur. They are so focused on those continuing battles that they may give less credence than warranted to other risks, such as business interruptions, privacy breaches or system failures, that are caused by errors and omissions, not malicious attacks. It is not so much that they continue to fight the ragged remnants of the Dalton Gang, to continue the metaphor, as that it is hard for them to realize that the Daltons do not pose the threat that they used to and that other bad guys have taken over the Dalton Gang’s territory. Or, perhaps the town has been pacified enough that some funds can be reasonably released from crime-stopping to pay for some sewers.
All of this is not to minimize the importance of keeping information misuse at bay. There are some organizations, such as banks or the military, in which it is not paranoia to think that there are people in the world out to get them. But, risk can be described as a curve, approaching zero asymptotically though never reaching it. The question that CISOs increasingly must face is whether the curve has inflected to the point at which added investment brings precious little additional security. It is at this point that the mayor’s objectives may not be the same as the sheriff’s. And, it is at this point that the risks and rewards of the organization need to be considered as a whole, in context. [2]
This does not mean that in all cases the perspective of the risk manager is superior to that of the CISO, but they may be different. And where there are disputes within an organization as to the proper amount or degree of risk that it should accept, risk managers are better positioned to see the issues from all sides. They may, in many cases, but not all, side with the position that more security is needed. If the decision is to accept risk, the CISO has every reason to accept this decision as praise for work well done in the past. This is not a reason to saddle up the noble silver steed and ride off into the sunset.
[1] In every good Western, there was always a group of outlaws. There actually was a Dalton Gang that robbed banks in the American West in the 1890s. It seems to me that the Dalton Gang was always the bad guy in the Westerns of my youth.
[2] It is instructive that ISO 27001, Information technology—Security techniques—Information security management systems—Requirements, calls for “implementing and operating controls to manage an organization’s information security risks in the context of the organization’s overall business risks” (emphasis added).
Steven J. Ross, CISA, CISSP, MBCP is executive principal of Risk Masters Inc. He can be reached at [email protected].
The ISACA Journal is published by ISACA.
© 2010 ISACA. All rights reserved.