In my time in the trenches as a chief information security officer (CISO) for several organizations, there was often a stigma associated with security when it came to implementing new technologies and business practices. My security teams, when given the opportunity to provide input, were often viewed as saying "No!" to new ideas. For many infosec practitioners in many organizations, that stigma still remains in place today.
In truth, the relationship between information security teams and the organizations they serve is more complicated than that, and enterprise non-security managers should at least understand that security's role is to protect the company, its intellectual property and brand, and one of the most effective ways to do that is by developing security policies that protect the organization without limiting the business.
Today, every enterprise is being driven to do more and do it faster. Business leaders get easily frustrated by any perceived roadblock from the CISO and often try to find their own solutions. The evolution of cloud computing, Software as a Service (SaaS) and bring your own device (BYOD) make it easier to circumvent traditional IT and classic security processes.
Every CISO must manage technological and business process change in his or her organization to ensure security is a priority from the beginning. However, the role of the CISO is to ensure the technology is secure, not prohibited. In this tip, we'll examine strategies for getting business managers and other stakeholders to buy into security policies that ultimately lead to a more secure way of doing business.
As I've noted in my past columns, there are key philosophies the CISO needs to continuously communicate. If the security team lives by these philosophies, and clients within the business understand them, it will be easier to get everyone to buy into the critical role of security in the enterprise and support it, rather than look to circumvent it.
Assumption of breach. Develop technologies, processes and personnel with recognition that nothing is foolproof and that a breach will occur. Hence as an organization moves ahead with policies in support of initiatives like BYOD, it is important to develop mitigating controls, such as data islanding (also known as enclaving) into these new business approaches. Take the time to help business leaders and other stakeholders understand that the risk of a breach is a constant, and that a few extra layers of security -- such as new coding reviews or added protections -- may be appropriate under this new philosophy rather than doing business the old way.
Understand the business. The CISO and security staff need to understand the business. This will not only help the security team be part of the solution, enabling secure use of technologies such as cloud computing or BYOD, but also foster collaboration that often leads to better ideas on how to make these emerging systems secure, not to mention well-thought-out, grounded arguments to the business managers on why certain security measures must be implemented beyond "because I said so."
Bring security into play early and often. As new technologies are considered and even rolled out by the business, the security team needs to be part of the discussion, shaping the business policy from the beginning with security in mind. If the CISO and his or her team are not included in the project conception, architecture and implementation, the security aspects will probably fail -- or, worse yet, when security does get involved, it normally results in an expensive crisis. As such, security teams must be at the table from the beginning, helping to make the project successful and secure within the confines of the executive management's risk tolerance. The business owners need to view security as part of the solution.
How to proceed
To foster success in these scenarios, it's critical to bring solutions to the table. Don't focus on the security-related problems business stakeholders present; begin with the policies that can foster secure use. For example, an organization about to roll out a BYOD policy might want to have certain business rules in place, such as contacting IT in the event of a lost or stolen device. Not only will this policy help the organization take the necessary steps to keep business data secure, but it'll also help the employee keep the business disruption as minimal as possible.
In order to know what technologies are emerging and how they're being used, pay attention to what is going on in the marketplace: Monitor the trade press, read business news every day covering your own industry and parallel ones, and actively talk to the business leaders at your company. The Cloud Security Alliance (CSA) is a great example of a resource for security ideas that the business owners can also see as valuable. It has a wide variety of publications, including those specifically addressing cloud security and BYOD. As CISO, consider bringing these standards and documents to the table during architecture and deployment discussions:
- Security Guidance for Critical Areas of Focus in Cloud Computing, v3 11/14/2011
- The Notorious Nine: Cloud Computing Top Threats in 2013, v1 2/25/2013
- Security Guidance for Critical Areas of Mobile Computing, v1 11/8/2012
Bringing solutions to the table in the form of good security policy will position you as a contributor rather than an obstructionist. Referencing outside resources demonstrates that you have been paying attention to these technical changes, and it raises your credibility.
Other examples of excellent guidance on security policy and technical guidelines that have been vetted globally include the various publications from the National Institute of Standards and Technology (NIST) and European Network and Information Security Agency (ENISA).
These and other guidelines are useful to not only educate the security team on national and international standards, but they may also help educate the business owners and technology implementers without the CISO being seen as a purveyor of FUD -- Fear, Uncertainty and Doubt. Bringing workable ideas to bear makes the new technical systems more secure. As a result, security policies and procedures supporting these technologies will have some "outside backing," and thus provide a better and more credible foundation for the approach.
The bottom line is that a CISO cannot simply say "No!" to the ideas that business leaders and end users pose. Instead, CISOs should rely on their security team to figure out ways to work with the business units and help them develop, deploy and maintain secure technologies that reduce risk to the business. Additionally, executives and employees must be educated about the threats and why certain security aspects are critical to a successful rollout that protects the company and the individuals.
About the author: Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced information security professional and technology executive, providing global thought leadership for more than 13 years in the areas of critical infrastructure protection, cybercrime, cyberwarfare, industrial controls security, and business continuity/disaster recovery. In addition, he has also focused since 1974 on the areas of leadership and technical business management. Based in Seattle, Hayden devotes much of his time to critical infrastructure protection and analysis, industrial control systems security, energy and utility issues, including smart grid security, and studies the security of these systems against contemporary threats. Hayden is an executive consultant with Securicon and has held roles as a global managing principal at Verizon, and an information security officer and manager at the Port of Seattle, Group Health Cooperative (Seattle), Seattle City Light and Alstom ESCA. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org