Security professionals can rely on the same models and frameworks used by traditional business to earn a seat at the table.
How, then, do we best ensure that integration? Trial and error and experience are not enough; security professionals need to be well versed in information protection stewardship, able to articulate the tenets of the job to management, and able to draw on economics and business theory for the toolkit they need to gain organizational acceptance of their initiatives.
PROTECTION STEWARDSHIP--SOMETHING OLD
We recognize that information is more than a valued corporate resource; it also has value to entities outside the company. Information stewardship is limited in scope, as its most basic goal is to ensure accountability.
While information security professionals cannot dismiss accountability for information, their responsibility for protecting assets, whether virtual, logical or physical, is of the utmost importance. Information security professionals have become the de facto protection stewards of the new millennium (see Figure 1: "Protection Stewards," below).
But protection stewardship must extend beyond IT into the enterprise in order to secure the constructs that enable e-commerce. Protection stewards include executive management, legal, human resources, procurement/contracting and any person or department handling data that is considered an asset.
While the aforementioned participate in protection stewardship, it is usually left to the resident information security leader to recommend and oversee the implementation of the controls and countermeasures that will protect the organization from cyber threats.
Protection stewardship blends the tenets of information security, brand protection and business alignment. Now, how do we integrate it with business? Perhaps we should try something new.
PRINCIPLED INFOSECURITY--SOMETHING NEW
The goal of principled information security is to give information security the appropriate visibility to management and automatic inclusion in convergence programs (see Figure 2: "Principled Information Security," PDF below). It ensures that: (1) information security management, practice and investments are articulated in a manner that aligns with the business; (2) controls, countermeasures and activities are managed throughout their lifecycle so that the value of investments is sustained and even enhanced; and (3) key investments are identified, monitored and measured to validate their effectiveness.
Principled information security involves information security leaders, their programs and staff at the onset of each new venture or project. It ensures business alignment from the start rather than after-the-fact input.
SECURITY AS A SCIENCE--SOMETHING BORROWED
We can make information security more consumable by taking a page from economics. If we divide information security the way economics is divided for analysis, we get micro information security and macro information security.
Micro information security is the nuts and bolts that support an organization's information security practice. It's the technology, controls, countermeasures and tactical solutions that are employed day-to-day to defend against cyber threats. It's a step-by-step examination of information security for educational purposes and to facilitate discussion with our peers.
Macro information security is the big picture and can be utilized to keep management in the loop. It's the blueprint, framework, strategic plan, road map, governance and policies designed to influence and protect the enterprise. It's the bottom line.
Macro information security also extends externally, to support partners and customers and to ensure compliance with regulations. Internally, it extends to support of convergence programs and alignment with business goals and objectives.
Macro information security enables security leaders to align themselves and the program(s) they oversee with the business. It bridges information security vernacular and traditional business acumen. Used correctly, macro information security can be the tool that delivers success. And success is being invited back to the table again and again.
Micro information security is solid. Most organizations understand the need for firewall, antivirus and antispam technology. Together with aggressive patching programs and hardened systems, this provides reasonable assurance against opportunistic attacks, though not, by itself, against a determined adversary. Where security professionals can certainly apply more rigor is business planning.
In order to plan strategically, information security practitioners must have enterprise-wide knowledge of their organization. This understanding lends itself to the creation of concise and clear information security strategies and road maps that integrate security into the business and ultimately answer the question: "What is information security?"
Our business peers want to know the answer to that question, as well as why it should matter to them. Typically we attempt to answer it through a strategic plan, but it can be grueling to explain the specifics to those not well versed in information security.
One method for gaining acceptance of a strategic plan is to let those immersed in the business units shape the plan before it is written, through an incremental process that uses a set of smaller strategy documents and methods. This means applying business modeling throughout the strategic planning process (see Figure 3: "Business Process Modeling," PDF below).
The overall business modeling of information security follows a spiral software development life-cycle (SDLC) process, with incremental plans that blend the waterfall and agile SDLC methods. The outcome is a toolkit consisting of an information security calculator, blueprint, framework, strategic plan and road map that together answer the question of what information security is.
Information security calculator: The calculator is a simple set of basic questions developed for the first two logic-based plans in the toolkit (the blueprint and the framework). The questions are typically answered by the practitioner and the strategic stakeholders for information security. A good source of appropriate questions is the IT Governance Institute's Information Security Governance guide, 2nd edition.
Blueprint: The goal is to gather an organization's requirements, provide a visualization of those requirements and begin weaving information security into the organization's culture.
You gather requirements using a theory of change logic model. Why? Theory of change models stimulate critical thinking among stakeholders to identify the early and intermediate accomplishments that will support long-term cultural change. These models help identify how security affects your business, describe the change you want, and show how you can influence it. Integrating security throughout an organization is about changing the organization's culture, that is, its view of what it needs to protect. (Download a visualization of the information security blueprint at searchsecurity.com/infosecblueprint.)
The blueprint should answer the following: (1) What does the organization require and what opportunities exist that can be addressed through information security? (2) What does the organization need today? (3) What results should be reflected? (4) What factors will influence the success? (5) What strategic activities will be required to achieve the desired results? (6) What conditions exist that we cannot change which may affect the strategy?
Once you've completed your blueprint, you have defined information security at a very high level, engaged your stakeholders, and mapped out priorities for the year.
Framework: This will be based on the information gathered in the blueprint. Use of a results chain logic model (download a sample results chain logic model for information security at searchsecurity.com/resultschain) to build your framework will allow you to clearly identify and present the actions that will be taken to achieve an overall outcome.
Greater involvement is required to build a framework, as it is a fairly comprehensive document. We ask the following questions: (1) What would we like to do, and what activities are required? The results from the blueprint can serve as the activity statements. (2) How shall we do it? List the activities required. (3) How much influence do we expect in each year? List the major categories or programs that address what will be influenced. (4) What is the final outcome? List the overall organizational outcome, which should reflect alignment with the business.
Completion of your framework will yield a complete picture of the information security program, the high-level activities necessary to build and sustain a program and identification of actionable goals. At this point you may want to consider engaging a third party to perform a risk assessment to identify gaps and validate the framework.
Strategic plan: A strategic plan defines an organization's long-term direction. When managed as a lifecycle, it can reduce resource waste and misalignment to business objectives. The information you gathered to develop your framework will be used in your strategic plan as major highlights.
The body of the strategic plan will contain the targets you will tackle as identified in your framework. Flowing from those targets are the projects necessary to hit the targets. The projects are identified from the list of activities identified in the framework document.
Additionally, you'll add elements such as cost, people resources and challenges. All targets identified in the strategic plan must clearly map to and support organizational goals. At a minimum, the strategic plan will contain the following elements: an executive summary; a current environment description (this is pivotal, as it justifies the targets and activities you've identified); targets (these are the gaps); a proposed future state (where you'll identify the costs and people associated with the targets); and a summary.
Road map: The road map is a functional calendar that blends tactical activities with business activities on a multiyear timeline. Its timeline has likely been prioritized by the findings of the risk assessment, with consideration of organizational priorities. It is the path taken to satisfy the targets in the strategic plan. The road map can also serve as your enterprise portfolio and assist with project planning. At its best, a road map is easily interpreted by business peers and by those who support technology; it communicates without requiring verbal narration. At a minimum, your road map will contain targets, high-level activities, destinations, timelines, milestones and interdependencies.
Once you have presented the road map, you've ultimately answered the question of what information security is in your organization.
In two years, we will enter the second decade of a young millennium. We will need thoughts that compel, influence, resonate and motivate. There are many paradigms and ideas we can promote in this realm. Whatever method you choose, it should result in your being invited back to the table.