Unfortunately, information security terminology is sometimes ambiguous and information security leaders should always insist on clarity of terminology. For example, the terms “security maturity” and “security capability” are sometimes used to designate a variety of related concepts. COBIT defines capability and maturity as measures of process quality, but the terms have no broadly accepted meaning in the security space. Information security leaders must insist that all concepts and terminology are well defined and clear before using them.
Since Operation Aurora was publicly disclosed in early 2010,[1] information security and, more specifically, cybersecurity (i.e., the protection of information assets against threats from cyberspace) have become top priorities in many organizations. Executive management generally understands the importance of the topic and follows accepted good practice by setting “the tone at the top.”[2, 3] A common problem is that in large organizations with multiple divisions, global operations and layers of management, tone frequently disperses and fails to move the organization toward a stronger cybersecurity stance. What is needed is information security leadership.
This article presents a framework that can help information security leaders build a sustainable information security program that avoids security gaps and blind spots. Specifically, the framework:
The objective is not to define a detailed framework—volumes have been written on that[4, 5, 6, 7]—but rather to offer a pragmatic and actionable map that executive managers can use to shape their organizations’ information security in a more direct and tangible manner.
Information security is difficult to attain because it is a systemic property that requires vigilance along three dimensions (figure 1):
Failure to properly manage any of these dimensions increases the risk of security incidents. If key security controls are missing, risk increases substantially. If security controls are not deployed systematically across the organization, critical information assets are left unprotected. If security controls fail to cover all critical technologies (e.g., wireless, BYOD, cloud, Wintel, mainframe), the information assets processed by these technologies are exposed and vulnerable. It is the job of information security leaders to prevent such gaps and to oversee the deployment of security controls across all technologies, divisions, regions, management layers and processes.
Figure 1 also shows that security controls follow from policies and standards. A policy is a high-level and generic statement regarding security principles and requirements. A standard refines and operationalizes policies by providing detailed performance and compliance criteria, possibly including specific activities and processes. Security controls implement standards by defining specific activities, defining individuals to perform the activities, and delineating when and how the activities should be performed.
Figure 1 further shows threats. Risk and threat are sometimes used interchangeably, but they are different concepts.[8, 9, 10] A risk is an adverse event that is characterized by its probability and its impact. A threat is the potential for harm that can be inflicted either intentionally (e.g., by an adversary) or accidentally (e.g., random failures or acts of God). A threat is not much of a risk if the target system has appropriate controls and is not vulnerable to that threat. Similarly, threats that are unlikely or have a small impact give rise to minor risk. Laws and regulations are also included in figure 1 as they can also be drivers for security controls (e.g., Payment Card Industry Data Security Standard [PCI DSS]).
As explained in the last section, the information security leader’s challenge is to make sure that the information security threats are understood, adequate mitigating controls are identified, and these controls are deployed consistently across the entire organization and all its technologies. Any gaps in this chain increase the likelihood of security incidents. To offer a more structured framework, the information security leader’s task can be described in terms of five security decisions:
While information security leaders will delegate much of the detailed work of these decisions to their teams, they must understand the bigger picture so that proper priorities are set, key tasks are not overlooked and details are not addressed precipitously.
This section reviews three common mistakes about which information security leaders should be aware:
While information security leaders do not implement or run security programs, they do have to set the priorities and direction of these programs. To support information security leaders in this task, this article presents the key security dimensions and decisions that information security leaders should focus on and it describes common pitfalls to be avoided. Thus, the article supports the achievement of three important outcomes:
The views and conclusions presented herein are those of the author and do not necessarily represent the views of any particular organization and/or company.
[1] Zetter, Kim; “Google Hack Attack Was Ultra Sophisticated, New Details Show,” 14 January 2010, www.wired.com/threatlevel/2010/01/operation-aurora/
[2] ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, 2012, www.isaca.org/cobit
[3] IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, 2006
[4] Op cit, ISACA, 2012
[5] International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Information Technology—Security Techniques—Information Security Management Systems—Requirements, ISO/IEC 27001:2005, 2005
[6] Davis, Adrian; Information Security Governance—Raising the Game, Information Security Forum, September 2011
[7] Chaplin, Mark; Jason Creasey; The 2011 Standard of Good Practice for Information Security, Information Security Forum, June 2011
[8] Bowen, Pauline; Joan Hash; Mark Wilson; Information Security Handbook: A Guide for Managers, SP 80-100, National Institute of Standards and Technology, USA, October 2006
[9] Chen, Thomas M.; “Information Security and Risk Management,” in Encyclopedia of Multimedia Technology and Networking, 2nd Edition, M. Pagani (ed.), Information Science Reference, 2009
[10] Ross, Ron, et al.; Risk Management Guide for Information Technology Systems, SP 800-30 revision 1, National Institute of Standards and Technology, USA, July 2012
[11] Schneier, Bruce; On Security Awareness Training, Crypto-Gram, 19 March 2013
Klaus Julisch is a senior manager at Deloitte’s Enterprise Risk Services with responsibility for delivering security, privacy and risk management services. Prior to joining Deloitte, Julisch was a research staff member at the IBM Research Lab in Switzerland where he pioneered many of today’s mainstream security technologies.
© 2013 ISACA. All rights reserved.