Leading Information Security 

 
Download Article Article in Digital Form

Note on Terminology

Unfortunately, information security terminology is sometimes ambiguous and information security leaders should always insist on clarity of terminology. For example, the terms “security maturity” and “security capability” are sometimes used to designate a variety of related concepts. COBIT defines capability and maturity as measures of process quality, but the terms have no broadly accepted meaning in the security space. Information security leaders must insist that all concepts and terminology are well defined and clear before using them.

Since Operation Aurora was publicly disclosed in early 2010,1 information security and, more specifically, cybersecurity (i.e., the protection of information assets against threats from cyberspace) have become top priorities in many organizations. Executive management generally understands the importance of the topic and follows accepted good practice by setting “the tone at the top.”2, 3 A common problem is that in large organizations with multiple divisions, global operations and layers of management, tone frequently disperses and fails to move the organization toward a stronger cybersecurity stance. What is needed is information security leadership.

This article presents a framework that can help information security leaders build a sustainable information security program that avoids security gaps and blind spots. Specifically, the framework:

  • Identifies the security dimensions that information security leaders must understand
  • Presents five key decisions on which information security leaders should focus
  • Explains three mistakes of which information security leaders should be aware
  • Clarifies the concepts behind some terminology that is not always used consistently

The objective is not to define a detailed framework—volumes have been written on that4, 5, 6, 7—but rather to offer a pragmatic and actionable map that executive managers can use to shape their organizations’ information security in a more direct and tangible manner.

Dimensions of Information Security

Information security is difficult to attain because it is a systemic property that requires vigilance along three dimensions (figure 1):

Figure 1

  1. Security controls are the mechanisms—including procedures, structures, culture and policies—that organizations deploy to obtain reasonable assurance that threats are mitigated and regulatory requirements are addressed.
  2. Organizational structures are the divisions, regions, management layers and processes that determine how organizations accomplish work.
  3. Technology comes in different types (e.g., wireless, bring your own device [BYOD], cloud) from different vendors and different generations or versions.

Failure to properly manage any of these dimensions increases the risk of security incidents. If key security controls are missing, risk increases substantially. If security controls are not deployed systematically across the organization, critical information assets are left unprotected. If security controls fail to cover all critical technologies (e.g., wireless, BYOD, cloud, Wintel, mainframe), the information assets processed by these technologies are exposed and vulnerable. It is the job of information security leaders to prevent such gaps and to oversee the deployment of security controls across all technologies, divisions, regions, management layers and processes.

Figure 1 also shows that security controls follow from policies and standards. A policy is a high-level and generic statement regarding security principles and requirements. A standard refines and operationalizes policies by providing detailed performance and compliance criteria, possibly including specific activities and processes. Security controls implement standards by defining specific activities, defining individuals to perform the activities, and delineating when and how the activities should be performed.

Figure 1 further shows threats. Risk and threat are sometimes used interchangeably, but they are different concepts.8, 9, 10 A risk is an adverse event that is characterized by its probability and its impact. A threat is the potential for harm that can be inflicted either intentionally (e.g., by an adversary) or accidentally (e.g., random failures or acts of God). A threat is not much of a risk if the target system has appropriate controls and is not vulnerable to that threat. Similarly, threats that are unlikely or have a small impact give rise to minor risk. Laws and regulations are also included in figure 1 as they can also be drivers for security controls (e.g., Payment Card Industry Data Security Standard [PCI DSS]).

Security Decisions

As explained in the last section, the information security leader’s challenge is to make sure that the information security threats are understood, adequate mitigating controls are identified, and these controls are deployed consistently across the entire organization and all its technologies. Any gaps in this chain increase the likelihood of security incidents. To offer a more structured framework, the information security leader’s task can be described in terms of five security decisions:

  1. Identify and prioritize the relevant environmental factors.This includes laws, regulations and threats. Many of these factors are generic (e.g., Sarbanes-Oxley Act compliance, activist hackers), but certain industries face unique laws, regulations and threats that must be understood because one cannot select security controls without first understanding what to defend against.
  2. Determine the key security controls. Assess the threats in relation to the organization’s risk appetite; for high-risk threats, identify key security controls (i.e., controls that mitigate the largest possible number of threats and are enforceable and difficult to circumvent). To contain cost, it is important to keep the number of controls as small as possible. Controls that mitigate many threats are, therefore, preferable. Moreover, security controls must thwart intelligent adversaries and, consequently, must be enforceable and difficult to circumvent. Advice not to open attachments from untrusted sources is a weak security control by itself as people can be tricked and attackers can evade the control by luring users to web pages rather than offering email attachments.
  3. Decide on the amount of regional and divisional autonomy. Most organizations use a combination of global and regional/divisional policies, standards and security controls. The decisions about what to enforce globally and what autonomy to give to the regions and divisions are key governance decisions that information security leaders must make. As a general rule, the more essential a security control is, the more likely it is enforced organizationwide along with any associated standards and policies. Further considerations are the security and scale advantages that can be realized by centrally providing controls to an entire organization. For example, identity and access management as well as security operation centers benefit from such economies of scale.
  4. Define the organization. Information security leaders must make sure that all security policies, standards and controls have owners. An owner is an individual who is accountable for the definition, implementation and continuous management of the policy, standard or control. Owners also have certain authorizations that must be defined. In particular, decision rights must be defined along with the limits of decision-making authority (e.g., when reviews or approvals are required). Assigning ownership is a delicate task as existing organizational structures, politics and power relationships must be considered. Further factors to consider include:
    • Whether to assign ownership to the business divisions or to IT
    • Within IT, whether to assign ownership to a support/staff function (e.g., IT risk) or to an operational function (e.g., security engineering or security operations)
    • Seniority of owners and their ability to “own” and advance a topic effectively
    • Organizational affinity; for example, assigning a security role to the chief financial officer (CFO) that may be at odds with his/her interests, skills and time availability
    • Separation of duty constraints
    • Completeness of coverage, i.e., when owners accept accountability for the entirety of their assigned scopes (e.g., enterprisewide, a region, a division, a process, a technology or a combination thereof). Organizations are vulnerable to attacks when they have areas for which policies, standards or controls are not owned by anyone.
  5. Set the budget. As a final decision, information security leaders must allocate budgets to maintain or improve information security.

While information security leaders will delegate much of the detailed work of these decisions to their teams, they must understand the bigger picture so that proper priorities are set, key tasks are not overlooked and details are not addressed precipitously.

Mistakes to Avoid

This section reviews three common mistakes about which information security leaders should be aware:

  • Overshooting—After larger incidents, some organizations overshoot and start working on best-in-class security controls that are designed to “make it go away once and for all.” While laudable, such an approach runs a high risk of introducing too much complexity and cost into the organization, which can ultimately lead to failure. Moreover, by shining the spotlight on best-in-class controls, such initiatives have a tendency to overlook foundational controls with better cost-benefit trade-offs. Organizations should, therefore, consider staged approaches in which security controls are rolled out incrementally and over time, based on actual risk, the costs and benefits of controls, and the organization’s ability to absorb change.
  • Fixing symptoms—Symptoms of weak security controls include, for example, unpatched applications, use of unauthorized software and outdated access rights. It is a good first step to remediate these deficiencies by applying patches, uninstalling unauthorized software and disabling unnecessary access rights. By itself, however, this step is insufficient, as it fails to prevent the same problems from reoccurring. To obtain a sustainable solution, security controls must be put in place to address the root causes. To continue these examples, a vulnerability management process, a software asset inventory and a systematic access right recertification process are needed to mitigate the root causes and improve security in a sustainable manner.
  • Spreading security too thinly—Auditors know that manual controls are error-prone. People are fallible, and when faced with intelligent adversaries, the likelihood of failure increases. Bruce Schneier reaches the same conclusion when he argues that security awareness training has a poor cost-benefit trade-off.11 Organizations that have many part-time security staff members or distribute security responsibilities too widely consequently run the risk of undermining their information security. Put differently, security controls generally work best when they are implemented by dedicated and skilled full-time staff or are automated using tools.

Conclusion

While information security leaders do not implement or run security programs, they do have to set the priorities and direction of these programs. To support information security leaders in this task, this article presents the key security dimensions and decisions that information security leaders should focus on and it describes common pitfalls to be avoided. Thus, the article supports the achievement of three important outcomes:

  • Security gaps are eliminated by driving the systematic deployment of key security controls across all divisions, regions, processes and technologies.
  • Information security is embedded into the organization, where it is engrained and made sustainable.
  • Return on security investment increases and costs are reduced by focusing security efforts on the key issues and priorities.

Disclaimer

The views and conclusions presented herein are those of the author and do not necessarily represent the views of any particular organization and/or company.

Endnotes

1 Zetter, Kim; “Google Hack Attack Was Ultra Sophisticated, New Details Show,” 14 January 2010, www.wired.com/threatlevel/2010/01/operation-aurora/
2 ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, 2012, www.isaca.org/cobit
3 IT Governance Institute, Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, 2006
4 Op cit, ISACA, 2012
5 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Information Technology—Security Techniques—Information Security Management Systems—Requirements, ISO/IEC 27001:2005, 2005
6 Davis, Adrian; Information Security Governance—Raising the Game, Information Security Forum, September 2011
7 Chaplin, Mark; Jason Creasey; The 2011 Standard of Good Practice for Information Security, Information Security Forum, June 2011
8 Bowen, Pauline; Joan Hash; Mark Wilson; Information Security Handbook: A Guide for Managers, SP 80-100, National Institute of Standards and Technology, USA, October 2006
9 Chen, Thomas M.; “Information Security and Risk Management,” in Encyclopedia of Multimedia Technology and Networking, 2nd Edition, M. Pagani (ed.), Information Science Reference, 2009
10 Ross, Ron, et al.; Risk Management Guide for Information Technology Systems, SP 800-30 revision 1, National Institute of Standards and Technology, USA, July 2012
11 Schneier, Bruce; On Security Awareness Training, Crypto-Gramm, 19 March 2013

Klaus Julisch is a senior manager at Deloitte’s Enterprise Risk Services with responsibility for delivering security, privacy and risk management services. Prior to joining Deloitte, Julisch was a research staff member at the IBM Research Lab in Switzerland where he pioneered many of today’s mainstream security technologies.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.