
The Information Security Organization's Identity Crisis


Who are we? And what do we do?

Introduction

Information security has been around since the first computers calculated the most trivial of mathematical equations. For over 40 years, computers have been protected by the basics of physical security and user identification, authentication, and authorization. In the "old days", all the security group had to worry about was a safe and secure data center for the mainframe and management of user IDs and passwords. In today's distributed, global, mobile-network environment, all that has changed!

Today's environment requires a security organization with business savvy, technical expertise, and sales/marketing know-how. The need for information risk management in organizations has never been greater and, since 9-11, never more visible. Who is the Chief/Corporate Information Security Officer (CISO)? What is the role of today's information security group? Who bridges the gap between business and technologists? How can the organization be successful in the eBusiness environment? The remainder of this article will explore these and other questions as the information security industry struggles to redefine itself to meet the needs of today's business.

Who is the CISO?

I recently spoke with security managers from several corporations to understand the information security role, its place in the organizational structure, and the benefits and challenges of their environment. The businesses included large public companies (Fortune 100) and small, privately held ones. They represented industries as diverse as manufacturing, healthcare, retail, high-tech dot-com, and financial services among others. Most have 15+ years of IT and information security experience. They shared their ideas and opinions with me, but like most in the security industry, they requested anonymity for both themselves and their companies.

The security managers I spoke with had diverse titles, from Chief Information Security Officer/Chief Security Officer and Global Information Security Manager to IT Manager and Data Security Officer. These security managers are, on average, three levels removed from the CEO, with the highest person having a dotted line directly to the CEO and the worst situation being more than six levels removed from the chief executive office. While 21% report directly to the CIO or equivalent, another 25% report outside of IT altogether, in such organizations as Legal, Internal Audit, and to the CFO. For the remaining 54%, the information security group is still "buried" in the IT organization, struggling to accomplish the ever-increasing set of responsibilities thrown upon it: network security, application security, intrusion detection, policies/procedures, security awareness training, privacy protection, and IT risk management.

The 2002 CSI/FBI Computer Crime and Security Survey indicates that computer security incidents are rising at an increasing rate, costing businesses hundreds of millions of dollars each year. The situation is so critical that Richard Power writes: "...unless information security is the focus of concerted efforts throughout both the public and private sector, the rule of law in cyberspace, as well as U.S. leadership in the global marketplace will be undermined."[i] Given these statistics and the potential economic damage that can be caused by information security weaknesses, why do so many companies still "bury" the information security organization?

Current research by companies such as GartnerG2 and Giga Information Group, Inc. (Giga) indicates that the role of CISO is on the rise. While the role has existed in the military and financial services sector for some time, it is only recently emerging in other industries. Steve Hunt, Giga Vice President, says: "The CSO is a fairly new role in corporations and agencies, but in its brief history has proven to increase operational efficiency and security effectiveness by coordinating security efforts across the organization, managing outsourcing contracts and mapping security measures to real business risks." [ii]

What is the role of the CISO?

Information security professionals recognize that effective information protection begins with risk management. A major misconception in most corporations is that it is up to the CISO or IT management to accept risk for the business. A recent GartnerG2 article confirmed this, saying: "The main responsibility of the CISO is one of risk management, advising senior management about risks to the business due to the implementation of technology used to operate the business. This advisory position includes establishing an information security program and management infrastructure to ensure that technology risks are identified and managed according to the risk culture of the enterprise, which varies by industry and management personality. Ultimately, risk mitigation or acceptance is the responsibility of business management." [iii]

One of the greatest challenges security managers face is getting recognition of their new mission from senior or executive management. Information security is not just an IT issue anymore; it is a business issue that must receive attention from the highest levels in the organization. The CISO must work closely with business unit leaders, Legal, HR, Internal Audit, Compliance, Physical Security, Privacy Officers, and other risk managers to develop a comprehensive approach to managing risks associated with the information assets of the enterprise.

While technology solutions are part of an overall program, security processes and education of all users are even more critical. Security training and awareness are key to a good security program. Of the security managers interviewed that felt positively about their security programs and their overall support, most indicated that their security awareness programs are well received and effective. In contrast, many of the frustrated security managers lamented the fact that they do not have strong security awareness programs; these programs also tended to be heavily IT-focused with little recognition by senior executives of the risk-management mission.

Most of the security managers interviewed have responsibility for developing security policies and procedures, the company's security architecture, and some level of monitoring and incident response/coordination. Business continuity planning is typically a separate function, with the security organization participating in the plan's development. The organizations that have day-to-day security administration responsibilities are among the 54% that report further down in the IT reporting structure, perpetuating the idea that security is strictly an IT problem focused on IT operational issues.

Where should the CISO report?

The question of where the CISO should report is difficult to answer definitively. As more than one interviewee commented, it is heavily dependent upon corporate culture, individual personalities, and the specific industry. It was suggested that for those corporations that are heavily IT-intensive, a logical choice would have the CISO reporting directly to the CIO. The security managers I interviewed had mixed opinions as well, with 52% saying "Not IT", 35% saying the CIO, and 13% indicating the CEO or directly to the Board. For those that said "Not IT", the suggested location varied, with the COO, Legal, and the "risk organization" being the most popular answers.

The trend toward a risk organization that combines the activities of legal, security, privacy, and operational risks was seen in the interview group and has also been noted by the various research groups. Some organizations are also combining information and physical security under a Chief Security Officer, but due to the wide differences in requisite skills, this is unlikely to be successful for most organizations.

GartnerG2 suggests that "the CIO and CISO have conflicting goals: the CIO is responsible for the availability of electronic assets, whereas the CISO is responsible for ensuring their confidentiality and integrity. Therefore, the CISO needs to be independent so as to report to senior management any conflicts between the delivery of technology in rapidly shorter time cycles and the need for controls that interfere with the delivery."[iii] Accordingly, GartnerG2 recommends that the CISO report directly to the CEO in a peer relationship with the CIO.

Regardless of where the CISO reports, the position must have a level of independence to avoid any actual or perceived conflicts of interest, and must be able to strike a balance between risk and business need. The CISO should provide regular updates to the Board of Directors, who are ultimately responsible for the acceptance of risk, particularly in regulated industries such as financial services and healthcare.

Critical success factors

What is the number one factor in whether a security organization is successful? The overwhelming response to this interview question was "management support". It is vital that senior-level management regard information security as a critical element in managing overall business risk. How does senior management provide support?

One important means is providing budget support. Giga Information Group reports that security spending is between 2 and 20 percent of the total IT budget.[ii] However, for most of the security managers I interviewed, security spending was less than 1% of total IT spending. It has been reported that large corporations spend more on coffee than on security! President Bush has requested a 64% increase in the government's information security budget for FY 2003 to raise security spending to approximately 8% of the overall IT budget; should corporations not take similar action? Richard Clarke, White House cybersecurity advisor, recently said, "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." Corporations must ensure that sufficient security is in place to minimize risk to an acceptable level.

A second way to provide support is to ensure that the CISO position reports high enough in the organization to have the respect, political clout, and visibility it needs to be effective. The CISO must be an advocate for risk management throughout the organization, from the boardroom to the business areas to IT management. A CISO who is without security experience/credentials, or who is buried in the IT organization, will not likely have the respect of others in IT, not to mention the senior executives and business leaders. Senior managers should ensure that the CISO is involved in business risk decisions and is looked to as the authoritative source of security information.

Another critical success factor mentioned by the interviewees was having people with strong technical, project management, facilitation, and communication skills on the security staff. Technical skills are particularly important to ensure that technical security issues and solutions are effectively communicated to, and developed with, the IT staff who must implement the solutions. The CISO must be able to communicate the business risks to business leaders, the CEO, and the Board to solicit their support for practical security solutions. The interview group had an average security staff size of 13 people, or about 2% of the size of the IT organization. Senior management support for an appropriately sized and skilled security organization is a must for a successful security program.

A final, often-mentioned critical success factor is personal relationships. The CISO and the security staff must create strong working relationships with IT management, business leaders, and other critical areas throughout the company such as Legal, HR, and Internal Audit. As one interviewee stated, "you can't hire enough security police"; it is only by working together that a corporate culture which values security can be created. A corporate culture that values security will minimize risk and increase customer/client/business partner trust in the company.

Recommendations

How can the security organization gain the credibility it needs to be successful? Moving from the traditional view of security as an IT-only issue to a newer view of security as a risk management function will not occur overnight. However, the following recommendations can help start the process.

  • Focus on business; security must support business initiatives and be an enabler for the business.
  • Focus on risk management, not security for the sake of security; develop data classification and information risk management processes to direct resources (dollars and people) towards the protection of high-risk, critical assets.
  • Educate, educate, educate the senior executives, business unit leaders, and the security staff on the link between good security and good business.
  • Create a strong, effective security-awareness program for all employees and contractors; create incentives for good behavior and link company/personal success to good security and management of risk; enforce policies when bad behavior occurs.
  • Hire and retain high quality staff; the security staff must be respected by their peers in IT and the business units.
  • Fund the security program appropriately; if security spending has been dismal in the past, it may take a few years of higher-than-normal spending to catch up and reduce risk to an acceptable level.
  • Develop metrics; use a scorecard to measure continuous improvements and make sure the metrics are aligned with business objectives. Most interviewees do not have metrics in place; those that did seemed to have an easier time getting the resources needed to make improvements. Another suggestion from an interviewee was to use the FBI/CSI security survey to highlight the issues for senior management and indicate if your company is affected in a similar manner.
  • Network with other CISOs; the security business is complex and no one can have all the answers. By sharing ideas and solutions, everyone can do a better job.

Conclusion

The time has come for more companies to take information security seriously. "The key to a good security program is empowered management, effectively focused staff, coherent and realistic budgets and practical metrics with which to measure success and improvement." [iv] Companies that move from an improvised, fire-fighting approach to security and instead develop security programs that are cost-efficient, quality-conscious, and risk-management focused will achieve greater benefits and reduce costs.


[i] Power, R. (2002). 2002 CSI/FBI Computer Crime and Security Survey. Computer Security Journal, XVIII(2), 7-30.

[ii] Giga Information Group, Inc. (2002). Giga Information Group Reveals Chief Security Officer Salaries Vary Dramatically by Industry. Retrieved May 29, 2002, from http://www.gigaweb.com/content_display/popup/1,,PubID=MPR-032002-00004,00.html.

[iii] Witty, R. (2001). A Look at the Role of the Chief Information Security Officer. GartnerG2 Strategic Planning, SPA-13-2933, 1-6. Retrieved April 30, 2002, from http://www.techrepublic.com/article.jhtml?id=r00220010820ggp01.htm&src=search.

[iv] Hunt, S. and Rosch, P. (2002). Best Practices in Managing IT Security. Giga Information Group, RPA-032002-00004. Retrieved May 29, 2002, from http://www.gigashop.gigaweb.com.

©2001-2003 by Itillious, Inc. All Rights Reserved.