Eight Critical Success Actions for Information Security
July 11th, 2007
By Alberto Partida
How can information security be a business enabler? Currently the interaction of the business with information security can be a painful and expensive process. This creates frustration, both for the business and also for the information security professionals. If we aim for a different result, then we have to act differently. This article suggests eight actions for information security leaders to implement in order to improve both this situation and their daily working experience.
1. Reflect business objectives in infosec activities
"Business is in business to do business" (and I add, not security). These words by Mike Poor say it all. Management boards view infosec as any other support area: an important function, maybe essential, but not the core of the business. Assume it and work with it: reflect the business objectives in the information security policy, objectives and activities (ISO, 2005). All security elements need to be "strategically aligned" (Birchall et al., 2004).
2. Be consistent with the organizational culture
The framework followed to implement, maintain, monitor and improve Information Security has to be consistent with the organisational culture (ISO, 2005). Trying to change the culture of the business from infosec is often neither possible nor requested by the business.
3. Link infosec with the Information Systems strategy
Most of the information in the organisation resides on IT systems. Information Security is at the heart of IT’s role in enterprise risk mitigation and allocation. Link the infosec strategy with the information systems strategy (Leskela et al., 2005 and Booker, 2006).
4. Establish a security programme and enforce it
Security programmes focus on protecting information present in business processes. Organisations that articulate and enforce their policies on infosec benefit from doing so. Establish a programme to improve Information Security management enterprise-wide (ISF, 2005) and enforce it (Straub, 1990). Make the Information Security Manager responsible for the implementation of this programme (von Solms, 2005b).
5. Follow a standard as a consistent reference model
Follow an internationally recognized reference framework to establish an infosec governance framework. Companies prefer to follow a standard rather than doing it ad hoc (von Solms, 2005a). Adopting an information security standard seems to demonstrate to staff, customers and trading partners that their data is safe, and that there is an independent verification of this fact (May, 2002). Additionally, make use of case studies as a complementary technique to better understand the totality of risks faced (Aabo et al., 2004).
6. Communicate the business value of infosec
Increase the understanding of the need for security (OECD, 2003). Infosec requires internal marketing. Undertake an effective infosec marketing and awareness campaign at all organizational levels (Birchall et al., 2004 and ISO, 2005). Establish an effective incident management process (ISO, 2005) and let it be the star of your internal viral marketing activities. Articulate clearly the business value of infosec (Scholtz, 2004) using a common risk language and useful metrics to measure infosec performance and management (ISO, 2005). Infosec managers should translate the benefits of infosec practices into clear business terms so that security activities are understood and enhanced and, even more importantly, risk ownership is undoubtedly determined (Coles and Moulton, 2003).
7. Obtain support, commitment and provision to fund from management
If the actions above start to be successful, then it will be easier to obtain management support and sponsorship (ISO, 2005). Their buy-in is essential for the survival and success of the infosec strategy. Get management to communicate the organization’s risk appetite and risk tolerance (COSO, 2004) and to ensure that risk management is part of everybody’s job description.
8. Spend resources wisely and transparently
Prioritise expenditures to mitigate risks using the "bang for the buck" index (Aabo et al., 2004). Avoid spending more resources in assessing risks than those that would be spent if the problems really occurred (Dillon and Paté-Cornell, 2005) and provide financial transparency to risk/return metrics (Rinnooy, 2004). Otherwise, infosec detractors in the organization have an easy and powerful way to show the ineffectiveness of infosec (yes, there are a few detractors, usually due to mismatched goals).
So, have these eight actions in mind, or better, print them so you have them at hand, and then follow this plan:
- Start from 1, 2 and 3
- Organise 4 using 5
- Exercise 6 throughout the entire process
- Create your environment with 7 and 8
The author, Alberto Partida, MBA, is an Information Security professional holding Gold GSEC, Gold GCFW, Gold GCFA, CISA and CISSP certifications and a member of the GIAC Advisory Board.
References
- Aabo, Tom, Fraser, John R.S., Simkins, Betty J. (2004). The rise and transformation of the chief risk officer: a success story on enterprise risk management. Version of December 10, 2004. Revised version available in Journal of Applied Corporate Finance, Winter 2005. Pages 1-34, Available from: http://www.gloriamundi.org/detailpopup.asp?ID=453057237 [Accessed 16 April 2006]
- Birchall, David, Ezingeard, Jean-Noël and McFadzean, Elspeth (2004). Information assurance. Strategic alignment and competitive advantage. Grist and Henley Management College sponsored by Qinetiq. Executive summary also referenced. Pages 1-73.
- Booker, Robert (2006). Re-engineering enterprise security, Computers & Security 25. 13-17.
- Coles, Robert S. and Moulton, Rolf (2003). Operationalizing IT risk management, Computers & Security 0167-4048/03. Pages 487-492.
- Committee of Sponsoring Organisations of the Treadway Commission COSO (2004). Enterprise Risk Management Framework - Executive summary - Exposure Draft for Public Comment (pages 1-103) downloadable from http://www.coso.org/publications.htm
- Dillon, Robin L. and Paté-Cornell, Elisabeth (2005). Including technical and security risks in the management of information systems: a programmatic risk management model. Systems engineering. 8. 1. Regular paper. Pages 15, 17, 18 and 24.
- Information Security Forum ISF (2005). The Standard of Good Practice for Information Security. Reference ISF 05-104. Pages 1-28.
- ISO (2005) ISO/IEC 17799 Information technology - Security techniques - Code of practice for information security management. Second edition 2005-06-15. Reference: ISO/IEC 17799-1:2005(E). Pages 1-115.
- Leskela, Lane; Knox, Mary; Schehr, David; Furlonger, David; Redshaw, Peter (2005). Client issues 2005: How to achieve regulatory compliance and ERM, Gartner, Research note. 29 March 2005. ID Number: G00126561. Pages 1-4.
- May, Cliff (2002). Risk Management - Practising what we preach, Computer Fraud & Security, 8: 10-13.
- Organisation for Economic Co-operation and Development (2003). Implementation plan for the OECD guidelines for the security of information systems and networks: towards a culture of security. Working Party on Information Security and Privacy. 2 July 2003. Pages 1-6.
- Rinnooy Kan, A.H.G. (2004). IT governance and corporate governance at ING. Information systems control journal. 2 26-31.
- Scholtz, Tom (2004). Articulating the Business Value of Information Security. Security & Risk Strategies, Security Infusion, Global Networking Strategies, Meta Group, Meta Delta 2774. Pages 1-4.
- Straub Jr, D.W. (1990). Effective IS Security: An Empirical Study, The Institute of Management Sciences, Information Systems Research 1(3):255-276.
- Thompson, John with Martin, Frank (2005). Strategic management. Thomson 5th edition. Key success factors and E-V-R congruence. Pages 114 and 125-130.
- von Solms, Basie (2005a). Information Security Governance: COBIT or ISO 17799 or both?, Computers & Security 24, 99-104.
- von Solms, Basie (2005b). Information Security Governance: Compliance management vs operational management, Computers & Security, 24, 443-447.