Published: 04 Oct 2010
Information Security can often present us with many variables and complexities. We are typically concerned with the variables presented by unknown attackers, evolving threats, and the difficulty in determining the probability of all the things that can go wrong. Often we must also face the additional complexity of unknowns presented by the organization itself. Expansion and growth can result in distributed operations at varying levels of maturity with a lack of standardization. The variables produce complexity, and complexity can be the breeding ground for uncertainty.
To limit risks to an acceptable level an information security program must remove uncertainty. The objective is to deliver the proper level of effective controls to protect information resources without excessive cost and without inhibiting required business operations. The qualifying words in that objective (the proper level, effective, excessive, required) form the gray area that regularly defeats information security metrics and risk equations. Achieving a balance between secured and useful, within budgetary constraints and organizational complexity, is the challenge we all face. These are the principles of business risk that essentially define our role. The gray area is where we either sink or swim.
In the physical world, we can calculate, measure, and quantify the characteristics of the things around us down to the molecular level. Why then is the ability to convey a non-subjective, factual, understandable and consistent account of the status of security within an organization an elusive gray area of uncertainty? Physics and quantum mechanics are used to form a fundamental view of the physical world. Explore Heisenberg's Uncertainty Principle or Schrödinger's cat thought experiment to see that the thought leaders in the realm of physics have deeply evaluated aspects of uncertainty. These theories consider how the act of observation can affect the subject. The act of observation can change the quantities being measured, and a single measurement at a point in time cannot accurately describe all of a particle's characteristics, such as its relative position, direction and velocity, at once.
Applying the logic provided by these physics theories, I would submit an Information Security Certainty Principle: "That which is not observed will cease to move, and single observations will only determine an inadequate description of the current state." This should not be earth-shattering for any security practitioner. The adage that you cannot manage what you do not measure applies to the management of information security as it does generally within other disciplines. Oversight of information security is an ongoing and constant process.
The activities that provide information security are numerous, and include functions performed by people, processes, and technology. Activities may be integrated into a centralized IS&T operation or distributed across many technology groups and business functions spread throughout the organization. These factors produce a degree of complexity and uncertainty that can only be overcome with the frequent measurement and reporting of oversight.
In the past, trust but verify typically equated to an audit performed at a regular, if infrequent, interval. To obtain the level of assurance necessary to achieve a state of security rather than mere compliance, you must move beyond this infrequent evaluation and towards a constant level of monitoring with reporting. A fundamental component of a successful information security program is oversight and monitoring of the numerous individual functions. Define reporting to ensure that each function is completed regularly, trend the output over time to detect changes, and constantly evaluate the environment to define monitoring for the functions that effectively secure information.
At Temple-Inland, we have improved our level of security while reducing costs by distributing information security operations into IS&T operations. Our Information Security Program includes oversight of the functions with reporting performed by the IS&T operational groups themselves, where failures can be quickly identified and corrected. Oversight of a self-monitored process permits the Information Security Team to focus on identifying control deficiencies and protection gaps as well as areas where technology risks can be further reduced.
The success of an information security program depends on lowering risk efficiently and effectively. Too often, information security professionals begin with a focus on metrics and dashboards that measure the value of the overall program. Instead, we must start with implementing processes that help secure our environments along with the oversight that provides the monitoring and management of those processes. Uncertainty is present in many aspects, but it should never be found within the security processes you assume are performed within your organization. The metrics that demonstrate the value of the overall program will be determined by the percentage of implemented security processes with defined oversight. Effective oversight of distributed information security operations can reduce uncertainty and improve security.
SECURITY 7 AWARDS
Title: Director of Information Security
Credentials: CISSP, CISA
- President of the ISSA Capitol of Texas Chapter in Austin
- In a little more than two years, converted Temple-Inland's information security program from a security operations function into a risk management function performing oversight activities
- Guides the information security program across a diverse and distributed organization and oversees numerous functions with limited resources
- Devised an Outreach Program for the ISSA Capitol of Texas Chapter designed to provide an avenue for ISSA members to participate in functions throughout the local information security community
- Implemented a sponsor program to fund the ISSA chapter's numerous educational events and performs all the activities associated with bringing on new sponsors
INFORMATION SECURITY MAGAZINE'S 6TH ANNUAL SECURITY 7 AWARDS
An effective information security program requires ongoing monitoring: A successful information security program uses ongoing oversight and monitoring to manage risks.