Information Security – Who is Responsible?
In any organisation, private or public, the business benefits of spending money on security defences are hard to define yet security breaches remain at historically high levels, costing UK plc billions of pounds every year*. Unlike other areas of the business where results are clearly visible or can be assessed even by the indirect benefits they cause (such as efficiency gains by investing in systems architecture), the success of security is often measured against what could have happened – a far more intangible measurement. This is generally attained by assessing the intent and capability of the threat actors against the actual damage this threat could inflict on the company, only proven when an attack is mounted – whether detected and avoided or successfully causing damage. One area of security where benefits are hardest to assess is information security management, as not only are the benefits to stakeholders not obvious but the security measures themselves are not easily observable. This is unlike physical security, for example, where defences such as hostile vehicle mitigation or CCTV can easily be seen protecting assets.
Due to this low visibility of both results and mitigations, gaining buy-in from key stakeholders in the organisation is difficult, as they often cannot see the value of protecting the security of assets and are primarily focused on delivery of their own targets. Therefore, information security controls and practices must be assessed against other competing business priorities, with balance and proportionality judged against the perceived threat. However, it is worth remembering that the cost of dealing with breaches in a purely reactive way, post-incident, usually outweighs the cost of prevention. Defining the risk appetite for the business is important: identifying which stakeholder is responsible for the risk and which stakeholder has control of the final decision on cost and business priorities.
Bridging the gap
Bridging the gap between control and responsibility is critical to the success of security, and is achieved through one clear, agreed security strategy for the whole organisation. This bridging is often referred to as ‘corporate governance’, of which IT governance and information security governance are subsets. However, the socio-technical nature of information means that this governance cannot be fully controlled by the corporate governance function, and a division of responsibility into these subsets is needed.
If ownership of the technology is the responsibility of IT stakeholders and the risk is the responsibility of information security stakeholders, the absence of a strategy, or a clash of opposing strategies, can result in significant challenges. Internal politics can jeopardise the bridge between control and responsibility, leaving security managers without clear direction and trying to bridge the gap on their own, which causes delays. With one unified corporate direction and an ultimate decision-making mechanism to resolve internal challenges, managers can be empowered to make decisions themselves, without fear of reprisal.
Almost as important as the security controls themselves, the process of managing IT change is a key consideration for businesses using technology to increase their competitive edge, and it is therefore important to establish a facilitating process for change as part of the corporate governance security strategy. To succeed with this, corporate governance must consistently promote and enforce a policy of zero tolerance for unauthorised changes. Both IT governance and information security assurance are required for this change management culture to be effective, and it should be supported by an agreed and well-communicated policy.
Viewing information security positively
Information security should be used as an effective strategic and operational contributor to IT operations, and not viewed as an inhibiting or delaying factor. This can only be achieved through integration between the two departments for operational and change management processes. Technologies are evolving at an exponential rate and changing the way in which companies conduct their business, with increased use of social networks, smart phones and tablets. Security controls for these new ways of working are lagging behind the rate of technology adoption, mainly because information security governance is not being used to inform decisions. For example, tablet computers are an efficient portable working tool, but obtaining information assurance for their safe use is often slow, because possible threats are hard to assess and the only reference points are less capable and technically dated systems; meanwhile the tablet technology is nearly a generation old and users feel frustrated by conservative workplaces. A close working relationship is needed to ensure that the organisation’s technology systems are protected for confidentiality, integrity and availability, so that operational effectiveness is maintained. As business adapts to innovations in technology, this relationship is, and will continue to be, increasingly important to the protection of the organisation.
*Information taken from the 2012 ‘UK Information Security Breaches Survey’ by PwC, based on surveys of 447 organisations.
Leanne Salisbury is a security professional who held a key role in the London 2012 Olympic Games for the assurance of systems security on behalf of UK Government stakeholders. Formerly a Royal Air Force Intelligence analyst, Leanne also has expertise in Specialist Aviation Operations, Threat Assessments and Incident Management.