I did a couple of webinars over the last month where I talked about my Four Tier approach to information security.
Below I’ve added more of my ideas which led to the Four Tier approach.
Problem - Information Security is seen as a mandatory technical liability, necessary to protect secrets and to comply with the law.
How do organisations support managers to build a culture of protecting information?
Claim - Better use of IT’s capability to mimic repetitive tasks reduces InfoSec’s governance workload.
Warrant - Web applications that automate governance free up managers’ time to support teams in protecting data.
Problem
We think of InfoSec as a technical activity. This means money for equipment and expertise. Much of the budget will go on these two things, but the day-to-day running of the InfoSec effort is handed to managers who are in charge of other activities.
You might, for example, have a centralised BYOD system to control company information on the drives held by staff, but the registering of those devices will be the responsibility of the team manager. And where is this done? In an Excel spreadsheet kept on a staff drive, hopefully with a unique password. If it’s a simple flat sheet, that’s okay: enter a new row, transfer information that already exists in an email and perhaps in the staff directory. Update and save. How long? 3-4 mins. A relatively long time when the task could be as simple as an additional question at some other point where employee information is being recorded.
When this information has to be audited, it becomes a nightmare. I have worked in systems where the HR, Finance, Facilities, InfoSec and various team managers all have a different, non-concurrent record of an employee.
Tracking a lost item! The form filled out by the employee does not provide what is needed in the Lost Item register. The manager has to find that information elsewhere. Even if the two matched, the task of transferring the data becomes a repeat of the BYOD activity described above.
When managers often have to deal with mundane, tedious tasks, there is little time left to develop innovative ways to secure company information. Reliance is placed on the technology, and the opportunity to cultivate the work habits that would add a layer of protection to the information is lost.
Much of InfoSec is still in the firefighting stage, unable to contribute to business strategy or to developing a culture of doing business that includes information security. Who has the time?!
InfoSec priorities across the organisation are affected by these ‘Triplicate’ operations. For each one there is record keeping for operational, audit and archive purposes.
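As an added example (not code from the post), here is how the ‘non-concurrent record’ problem and the single-entry registration idea could be checked in Python: one audit pass over three registers flags divergent records, and device registration takes only a device id, pulling everything else from HR. The registers, employee ids and device names are constructed.

```python
# Constructed sample registers; in practice these would be HR, Finance and the
# InfoSec BYOD register the post describes, all keyed by employee id.
HR = {
    "E100": {"name": "A. Smith", "dept": "Sales", "status": "active"},
    "E101": {"name": "B. Jones", "dept": "Finance", "status": "active"},
    "E102": {"name": "C. Patel", "dept": "IT", "status": "left"},
}
FINANCE = {
    "E100": {"dept": "Sales"},
    "E101": {"dept": "Marketing"},   # stale: moved to Finance, never updated here
    "E102": {"dept": "IT"},
}
BYOD = {  # employee id -> registered devices
    "E100": ["phone-7731"],
    "E102": ["laptop-0042"],         # device still registered to a leaver
}

def reconcile(hr, finance, byod):
    """Audit pass: return (employee, finding) pairs where the registers disagree."""
    findings = []
    for emp, rec in hr.items():
        fin = finance.get(emp)
        if fin is None:
            findings.append((emp, "missing from Finance"))
        elif fin["dept"] != rec["dept"]:
            findings.append((emp, f"dept mismatch HR={rec['dept']} Finance={fin['dept']}"))
        if rec["status"] == "left" and byod.get(emp):
            findings.append((emp, f"leaver still has devices registered: {byod[emp]}"))
        if rec["status"] == "active" and not byod.get(emp):
            findings.append((emp, "active employee with no BYOD registration"))
    # Anything Finance or InfoSec knows about that HR does not is a finding too.
    for emp in (set(byod) | set(finance)) - set(hr):
        findings.append((emp, "unknown to HR"))
    return sorted(findings)

def register_device(hr, byod, emp, device):
    """Single-entry registration: the manager supplies only the device id;
    name and dept come from HR. Leavers and unknown ids are refused (None)."""
    rec = hr.get(emp)
    if rec is None or rec["status"] != "active":
        return None
    byod.setdefault(emp, []).append(device)
    return {"employee": emp, "name": rec["name"], "dept": rec["dept"], "device": device}

if __name__ == "__main__":
    for emp, finding in reconcile(HR, FINANCE, BYOD):
        print(emp, finding)
```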
Below are eleven (11) InfoSec aspects that all require governance, each with two associated items. Maintenance of each of these consumes a lot of resources.
Data Security – 3rd party links, forensics
Application Security – development standards, lifecycles
Cloud Computing – data exchange standards, access
ITSec staff recruitment, training and retention – ROI, compliance
Business Continuity / Disaster Recovery – team plans, drills
Identity and Access Management – SML, systems register
Aligning ITSec with the business – onboarding InfoSec, reporting
External Threats – patching, IT audits
Regulatory Compliance – tick boxes, suppliers
User Sec training and awareness – frequency, measurement
Mobile Sec – device registration, change control
These are all opportunities to create ways of securing the company’s information in a manner that acknowledges the threat landscape and matches it with the risk appetite. Accomplishing a better risk-based approach to InfoSec requires time and resources.
Claim
Automation of these governance tasks will save businesses time and money. If the processes are properly analysed, deconstructed and coded as applications, managers will have more time to devote to information security as a BAU prerequisite.
I would like to describe the InfoSec effort as a stack, made up of four tiers.
Tactic – What is done to achieve a goal; e.g. securely linking with a 3rd party supplier of a needed service.
Task – How that activity is carried out; management, documentation and audit of the process
Habit – When is the task done; how often, how easy
Culture – What tactics are we willing to employ and how do we govern them
Leverage IT: write once, use every day. Automate the tasks and habits. Avoid the mundane and tedious. Give managers more strategic responsibilities.
Warrant
When InfoSec gets past the firefighting mode and moves into a true PDCA (Plan-Do-Check-Act) cycle, it will make better use of the company’s assets to protect information. The technology becomes transparent, the governance overhead decreases and the business’s core objectives become more closely aligned with the team’s InfoSec efforts.
A team wants to put in a new system and checks the security of the innovation with InfoSec. It appears to contravene some standards. What is the next step? For a firefighting InfoSec, there is no next step: quoting the standard will serve to end that development. “Try again!”
For an InfoSec with time and a different culture, it can be the invitation to start a dialogue, see the process in situ, involve technicians, update standards…
Companies are not in business to comply with standards. The market is dynamic and competitive. Is it more efficient to ban a WebEx session than to send a trusted employee to a supplier’s site? That type of decision needs to be entertained, not cut off by the chapter and verse of policies and standards.
Automation releases bandwidth for InfoSec to conduct these types of conversations.
On Black Ops there’s “If I tell you, I have to kill you”. This is the secret services’ attitude to their information. An outsider gets the impression that everyone there understands and respects how information must be kept private. When someone says that they are in this line of work, it is normally a conversation stopper. Do your staff see company information in the same way?