Security began in the IT department and was viewed specifically as a technical issue. We can label this period as the "caveman phase." If your organization has its security concerns solely managed by the IT group, then your company needs to evolve. Security management should be moved to a management position, as in a CSO or CISO, and there should be a centralized team that is solely responsible for security practices.
Centralization allows security to be looked at as a business issue. Having the security officer in the executive management staff is an advantage. The officer can then understand and mitigate risks using controls that are not solely technology-oriented. Entering more of an "industrial phase," many organizations have recognized that security affects their bottom line, and they have dedicated the necessary funds to reduce the company's risk level.
Although "industrial phase" procedures are more effective than those of the "caveman phase," they are not perfect. It is almost impossible for a group of people who are working in a security department to understand and control all the types of threats and risks in the various departments of an organization. Instead, the security group is responsible for writing policies, configuring firewalls and handling intrusion detection, while also rolling out domain group guidelines, information security awareness training, incident handling and vulnerability management.
Different business unit managers, even board members, need to be involved in the security process. Business unit managers should participate in a risk management committee that is led by the security officer. Such a collaborative meeting will allow the security officer and security team to understand a wider range of risks that the company faces. A security steering committee should also be developed to provide oversight and guidance on security matters. The CEO should receive updates on the company's security posture, also ensuring that business unit managers are participating and the security team is getting enough support.
In what we call the "enlightenment phase," the security process involves everyone to some degree -- from the board members down to the users. It is only at this phase that we can have true information security governance.
Information security governance is a term that refers to all of the tools, personnel, and business processes that ensure an organization's security needs are carried out. The process requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms.
Let's compare two companies in different phases. Company A (in the enlightened phase) has an effective information security governance program in place and Company B (in the industrial phase) does not. To the untrained eye, it appears that Company A and B are equal in their security practices; they both have information security policies, procedures, standards, the same security technology controls (firewalls, IDS, identity management, etc.), and a security team run by a security officer. But if you look closer, you will see the critical differences listed in Table 1.
|Company A (enlightened enterprise)||Company B (industrial enterprise)|
|Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.||Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.|
|CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month and information security is always one topic on the agenda to review.||CEO, CFO, and business unit managers feel as though information security is the responsibility of the CIO, CISO, and IT department and do not get involved.|
|Executive management set an acceptable risk level that is the basis for the company's security policies and all security activities.||CISO took some boiler plate security policies and inserted his company's name and had the CEO sign them.|
|Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.||All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.|
|Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.||Business processes are not documented and not analyzed for potential risks that can affect operations, productivity and profitability.|
|Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.||Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.|
|Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.||Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness.|
|The organization is continuing to review its processes, including security, with the goal of continue improvement.||The organization does not analyze its performance for improvement, but continually marches forward and makes similar mistakes over and over again.|
Most organizations today have many of the components to a security program (policies, standards, firewalls, security team, IDS, etc.) and work in the "industrial phase," but the management is not truly involved. Instead organizations have a small security team that is responsible for a whole organization's security concerns -- an almost impossible task.
This was first published in November 2006