7. policy and process reign supreme
One of the real dangers of working with technical executives is that some of them tend to fall so completely in love with certain technologies that they fail to remember their overarching goals. This particular malady infects a lot of people in security, who unfortunately focus on buying and implementing tools they view as a panacea.
As in many other aspects of the business, tools support a solid foundation laid by effective policies and processes. It is your job as the head honcho to guide your Chief Information Security Officer (CISO) to make sure he or she isn’t using technology as an ineffective crutch.
As a CEO, you probably already know that there’s no product in the world that can completely solve a complex business problem. It is no less true for information security than anything else in the business.
“So if every time there’s a problem and the only thing your CISO is suggesting is technology, you should poke ‘em with a stick,” Pescatore says. “You should say, ‘Wait a minute, where’s the process change or the other things that always have to go with technology to make it work?’”
These “other things” need to include risk assessment, standardized procedures, boundary setting around what employees should and shouldn’t be doing with systems and data, and also setting baselines on how systems are configured. From there, the technology can monitor and enforce all of those policies and procedures, providing reporting to prove to the auditors that everything is working.
“Information security by technical means is not sufficient and needs to be supported by policies and procedures,” wrote Chaiw Kok Kee in a SANS Institute whitepaper on security policies. “Security policies are the foundation and the bottom line of information security in an organization. Depending on the company’s size, financial resources and the degree of threat, we have to set up a security policy that finds the right balance between overreacting and exposing your system to any and every hack.”
5 Basic Tenets of Information Security
“Information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy. It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel.
Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization’s business processes and strategy. Security must address entire organizational processes, both physical and technical, from end to end.
The five basic outcomes of information security governance should include:
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives”
Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006