C-level executives and boards of directors are out of the communications loop when it comes to information security according to results from the Ernst & Young Global Information Security Survey 2004.
Survey results show that people at the highest management levels don't receive adequate, security-related information for making prudent decisions and need to engage more in decision-making communications.
While organizations are dependent on various outside providers (i.e., outsourcing firms) to handle information processing, less than one-third of the respondents say they review an outside firm's compliance with their organization's information security policies. Without such audited compliance checking, risk assessments and related status reports, top managers can't know what's happening -- and most assuredly, won't effectively deal with information security problems.
Information security policy tasks routinely get postponed, and in some cases are ignored by top managers who don't have the background to effectively analyze policy documents, which impacts the quality of their organizational guidance. Most top managers can't properly evaluate these policies, which need approval or modification, and they don't know the questions to ask in order to get informed. Information security is far too important for top management to act as a rubber-stamping service.
The survey results specifically reflect poor information security guidance coming from the top-tier, with only 28% of those managers at the responding firms citing goals to heighten their staff's security awareness level in the upcoming year. This low percentage is surprising, given that survey results also identify "raising the level of information security awareness" as the number one obstacle to improving information security.
While top managers may lack adequate decision-making information, too many workers still subscribe to the "not my problem" perspective about information security. They rationalize their lack of personal involvement with statements like "when top management tells me to do something about information security, then I'll pay attention to it." Workers fail to tell top managers about pressing, and needed security improvements, which contributes to a vicious cycle of ignorance, non-involvement and irresponsibility.
How can organizations break this cycle? The first step is to establish an infrastructure that supports, encourages and requires adequate communication about information security from the top down and bottom up. This can be structured through information security policies used in conjunction with detailed job descriptions and specific information security procedures. Policies and procedures should require top managers to define and communicate an overall strategy, assign responsibility for information security and engage in discussions about appropriate policies. Policies should require internal audits and periodic risk assessments for all information services. They should call for organization-wide information security status reports and compliance reports on laws and regulations (such as Sarbanes-Oxley). They should require incident handling reports and analysis about the adequacy of existing information systems controls.
Such an infrastructure involves many components, which could be mutually reinforcing. For example, a communications infrastructure could include multiple pathways so that important information is more likely to reach top management. This might involve an anonymous voicemail hotline for reports on security vulnerabilities and incidents. Such a hotline could provide an escape valve for channeling important, time-sensitive information, which would otherwise get the reporting individual into trouble with a mid-level manager. Likewise, periodic reports issued to a board of directors' audit committee would ensure that important information gets passed up. This could eliminate the middle management information blocking through other channels, which often occurs out of fear that it might make a person or department look bad.
Clearly, organizations need effective information security communications to adequately respond to today's fast-spreading threats. While an effective communications infrastructure could include other aspects, any improvement would give information security problems well-deserved attention from top management. Better decision-making information would enable top-tier managers to provide appropriate organizational guidance, resources and support, which are sorely missing.
About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.