I did a couple of webinars over the last month where I talked about my Four Tier approach to information security. Below I have added more of the ideas which led to the Four Tier approach.
Problem - Information Security is seen as a mandatory technical liability, necessary to protect secrets and to comply with the law. How do organisations support managers to build a culture of protecting information?

Claim - Better use of IT's capability to perform repetitive tasks reduces InfoSec's governance workload.

Warrant - Web applications automate governance and increase the time managers have to support their teams in protecting data.
Problem

We think of InfoSec as a technical activity. This means money for equipment and expertise. Much of the budget will go on these two things, but the day to day running of the InfoSec effort is handed to managers who are in charge of other activities.
You might, for example, have a centralised BYOD system to control company information on the drives held by staff, but the registering of those devices will be the responsibility of the team manager. And where is this done? In an Excel spreadsheet kept on a staff drive, hopefully protected with a unique password. If it is a simple flat sheet, that is okay: enter a new row, transfer information that already exists in an email and perhaps the staff directory, update and save. How long? Three to four minutes. A relatively long time when the task could be as simple as one additional question at some other point where employee information is already being recorded.
When this information has to be audited, it becomes a nightmare. I have worked in systems where HR, Finance, Facilities, InfoSec and various team managers all have a different, non-concurrent record of an employee.
Tracking a lost item! The form filled out by the employee does not provide what is needed in the Lost Item register. The manager has to find that information elsewhere. Even if the two forms asked for the same things, the task of transferring the data becomes a repeat of the BYOD activity above.
When managers have to deal with mundane, tedious tasks there is little time left to develop innovative ways to secure company information. Reliance is placed on the technology, and the opportunity to cultivate the work habits that would add a further layer of protection to the information is lost.
Much of InfoSec is still in the firefighting stage with respect to these problems, unable to contribute to business strategy or to developing a culture of doing business that includes information security. Who has the time?!
InfoSec priorities across the organisation are affected by these 'Triplicate' operations: for each one there is record keeping for operational, audit and archive purposes, and the same facts are typically entered three times.
Below are eleven (11) InfoSec aspects that all require governance, each with two associated items. Maintenance of each of these consumes a lot of resources.
Data Security – 3rd party links, forensics
Application Security – development standards, lifecycles
Cloud Computing – data exchange standards, access
ITSec staff recruitment, training and retention – ROI, compliance
Business Continuity / Disaster Recovery – team plans, drills
Identity and Access Management – SAML, systems register
Aligning ITSec with the business – onboarding InfoSec, reporting
External Threats – patching, IT audits
Regulatory Compliance – tick boxes, suppliers
User Sec training and awareness – frequency, measurement
Mobile Sec – device registration, change control
These are all opportunities to create ways of securing the company's information in a manner that acknowledges the threat landscape and matches it to the risk appetite. Accomplishing a better risk based approach to InfoSec requires time and resources.
Claim

Automation of these governance tasks will save businesses time and money. If the processes are properly analysed, deconstructed and coded as applications, managers will have more time to devote to information security as a BAU prerequisite.
I would like to describe the InfoSec effort as a stack made up of four tiers.

Tactic – What is done to achieve a goal, e.g. securely linking with a 3rd party supplier of a needed service.

Task – How that activity is carried out: management, documentation and audit of the process.

Habit – When the task is done: how often, how easy.

Culture – What tactics we are willing to employ and how we govern them.
Leverage IT: write once, use every day. Automate the tasks and habits. Avoid the mundane and tedious. Give managers more strategic responsibilities.
Warrant

When InfoSec gets past firefighting mode and moves into a true PDCA (plan, do, check, act) cycle, it will make better use of the company's assets to protect information. The technology becomes transparent, the governance overhead decreases and the business's core objectives become more closely aligned to the team's InfoSec efforts.
A team wants to put in a new system and checks the security of the innovation with InfoSec. It appears to contravene some standards. What is the next step? For a firefighting InfoSec there is no next step: quoting the standard will serve to end that development. "Try again!"
For an InfoSec with time and a different culture, it can be the invitation to start a dialogue, see the process in situ, involve technicians, update standards…
Companies are not in business to comply with standards. The market is dynamic and competitive. Is it more efficient to ban a WebEx session than to send a trusted employee to a supplier's site? That type of decision needs to be entertained and not cut off by the chapter and verse of policies and standards.
Automation releases bandwidth for InfoSec to conduct these types of conversations.
In Black Ops there is "If I tell you, I have to kill you". This is the secret services' attitude to their information. An outsider gets the impression that everyone there understands and respects how information must be kept private. When someone says that they are in this line of work, it is normally a conversation stopper. Do your staff see company information in the same way?