Published: 17 Jul 2008
Security professionals can rely on the same models and frameworks used by traditional business to earn a seat at the table.
Information security has evolved in the past 10 years from a siloed, über-secret endeavor to an accepted enterprise business practice. With that evolution, most security practitioners understand that information security and its underlying constructs must be integrated into the business. But the overuse of fear, uncertainty and doubt (FUD), compliance edicts and the wily hacker have undermined the positive impact of information security to the business. In turn, the longevity of some leaders' tenure is also in jeopardy when they are perceived as the local bailiwick rather than a respected and contributing business professional.
How, then, to best ensure that integration? More than trial and error and experience is required; security professionals need to be well versed in information protection stewardship, able to verbalize the tenets of the job to management, and also tap into a knowledge base of economics and business theory to arm themselves with the appropriate toolkit to gain organizational acceptance of their initiatives.
Words to Live By
Here's a guide to the terms and theories that can help you integrate security and business.
Convergence program: The programs and/or business departments that require the support of information security and in some cases overlap with it or provide mutual support (e.g., risk management, physical security, crisis management).
Macro information security: The business structures and plans that influence and protect the enterprise. Typically, this includes a blueprint, framework, strategic plan, road map, governance and policies.
Micro information security: The technology, controls, countermeasures and tactical solutions employed day-to-day to defend against cyber threats. These are often the outcome of the projects executed through a strategic plan.
Principled information security: Information security that is governed by verbalization of practice and investments, the valuation of investments and validation of effectiveness. The end result is clear visibility to management.
Protection stewards: Those who are accountable for the protection of information assets, as well as the virtual, logical and physical constructs of an organization's information infrastructure.
Protection stewardship: Protection of information assets as well as the virtual, logical and physical constructs that enable an organization to achieve success.
PROTECTION STEWARDSHIP--SOMETHING OLD
Information stewardship is nothing new to IT. However, when it crested the horizon, stewards were not readily identifiable.
We recognize that information and/or data is more than a valued corporate resource; it has value to entities outside a company. Information stewardship is limited in scope as its most basic goal is to ensure accountability.
While accountability of information cannot be dismissed by information security professionals, the responsibility of protecting assets whether virtual, logical or physical is of the utmost importance. Information security professionals have become the de facto protection stewards of the new millennium (see Figure 1: "Protection Stewards," below).
But protection stewardship must extend beyond IT into the enterprise in order to secure the constructs that enable ecommerce. Protection stewards include executive management, legal, human resources, procurement/contracting and any person or department handling data that is considered to be an asset.
While the aforementioned participate in protection stewardship, it is usually left to the resident information security leader to recommend and oversee the implementation of the controls and countermeasures that will protect the organization from cyber threats.
Protection stewardship blends the tenets of information security, brand protection and business alignment. Now, how do we integrate it with business? Perhaps we should try something new.
Figure 1: Protection Stewards
Provide stewardship of information resources throughout their lifecycle, regardless of ownership, state of transit or final destination.
Protect the organization's reputation.
Encourage responsible use of organization information resources to eliminate the results of careless use of technology.
Support the organization's mission and business objectives.
Collaborate to ensure the judicious application of information security countermeasures and controls.
Integrity of information: Ensure the data used in the pursuit of grantmaking, collaboration, research, learning or administration can be trusted to correctly reflect the reality it represents.
Availability of information: Ensure the organization's technology infrastructure and any other such resources are available to support the roles for which they are designed.
Confidentiality of information: Ensure the ability to access or modify data is provided only to authorized users for authorized purposes.
Security leaders are responsible for recommending and overseeing the controls that ensure protection stewardship extends beyond IT into the enterprise.
PRINCIPLED INFOSECURITY--SOMETHING NEW
Ask most information security professionals to define information security and they will faithfully recite the information security tenets. And that's OK among peers, or when educating family, friends and coworkers. However, we don't necessarily need to reference them in presentations to management. Instead, information security can be described as a principled approach, and that may resonate with management and other non-information security professionals.
The goal of principled information security is to provide information security with the appropriate visibility to management and automatic inclusion in convergence programs (see Figure 2: "Principled Information Security," PDF below). It ensures: (1) information security management, practice and investments will be verbalized in a manner that aligns with the business; (2) controls, countermeasures and activities will be managed throughout their lifecycle to ensure the value of investments is sustained and even enhanced; and (3) key investments will be identified, monitored and measured for validation of effectiveness.
Principled information security involves information security leaders, their programs and staff at the onset of each new venture or project. It ensures business alignment rather than after-the-fact input.
Figure 2: Principled Information Security
SECURITY AS A SCIENCE--SOMETHING BORROWED
Economists figured out long ago that in order to understand the economy, they would have to employ a double-pronged approach. The first approach would look at the economy by gathering data from individuals and firms on a small scale. The second approach would tackle analysis of the economy as a whole. Thus were born microeconomics and macroeconomics.
We can make information security more consumable by taking a page from economics. If we divide information security in the same manner as economics (its analytical form), we get micro information security and macro information security.
Micro information security is the nuts and bolts that support an organization's information security practice. It's the technology, controls, countermeasures and tactical solutions that are employed day-to-day to defend against cyber threats. It's a step-by-step examination of information security for educational purposes and to facilitate discussion with our peers.
Macro information security is the big picture and can be utilized to keep management in the loop. It's the blueprint, framework, strategic plan, road map, governance and policies designed to influence and protect the enterprise. It's the bottom line.
Macro information security also extends externally to support partners and customers as well as ensure compliance with regulations. Internal organization extension includes support of convergence programs and includes alignment to business goals and objectives.
Macro information security enables security leaders to align themselves and the program(s) they oversee with the business. It bridges information security vernacular with traditional business acumen. When used correctly, macro information security can be the tool that equals success. And, success is being invited back to the table again and again.
Source: Bjorn Brubakk and Adrian Wilkinson, International Journal of Service Industry Management
While information security had its start in the late 1950s, its potential, importance and visibility were not realized until the late 1990s and early 2000s. This period marked the end of innocence for the security of computing. Its impact can be clearly seen in the plethora of technology created to protect information, people and organizations, but the residual effects have been stealthier. For example, information security has been woven into traditional higher education institutions, most moderate-sized businesses have positions dedicated to information security, and it's one of the few information technology areas that home consumers should be aware of and understand.
Micro information security is solid. Most organizations understand the need for firewall, antivirus and antispam technology. This along with aggressive patching programs and hardened systems provides fairly decent assurance against being easily hacked. Where security professionals certainly can have more rigor is around business planning.
In order to plan strategically, information security practitioners must have an understanding of their organization or enterprise-wide knowledge. This understanding lends itself to the creation of concise and clear information strategies and road maps that integrate security into business and ultimately answer the question: "What is information security?"
Our business peers want to know the answer to the aforementioned question as well as why it should matter to them. Typically, we attempt to answer this through a strategic plan. It can be grueling to explain specifics to those not well versed in information security.
One method for gaining reasonable acceptance of a strategic plan is to allow those immersed in business units to affect the plan prior to it being written through an incremental process using a set of smaller strategic type documents and/or methods. This means applying business modeling throughout the strategic planning process (see Figure 3: "Business Process Modeling," PDF below).
CHANGE LOGIC MODEL for information security
Your organization must address these points as it develops its model:
Describe the change strategy that your program supports.
Define the problem.
Quantify the assets you need to justify your change strategy.
Identify factors that will influence your ability to create change.
Apply best practices that support possible solutions.
Outline your assumptions about why your strategies will work.
Figure 3: Business Process Modeling
The overall business modeling of information security follows a spiral software development life-cycle (SDLC) process with incremental plans blending the waterfall and agile SDLC methods. The outcome is a toolkit that includes an information security calculator, blueprint, framework, strategic plan and road map that together answer the question of what information security is.
Information security calculator: The calculator is a simple set of basic questions developed for the first two logic-based plans in the toolkit. The questions are typically answered by the practitioner and strategic stakeholders for information security. A good reference for finding appropriate questions is the IT Governance Institute's Information Security Governance Guide 2nd Edition.
Blueprint: The goal is to gather an organization's requirements, provide a visualization of those requirements and initiate the process of interweaving information security as part of the organization's culture.
You gather requirements by using a theory of change logic model. Why? Theory of change models stimulate critical thinking among stakeholders to identify early and intermediate accomplishments that will support long-term cultural change. These models will help identify how security impacts your business. The model will help you describe change and how you can influence change. Integrating security throughout an organization is about influencing a change in culture of an organization's view of what it needs to protect. (Download a visualization of the information security blueprint at searchsecurity.com/infosecblueprint.)
The blueprint should answer the following: (1) What does the organization require and what opportunities exist that can be addressed through information security? (2) What does the organization need today? (3) What results should be reflected? (4) What factors will influence the success? (5) What strategic activities will be required to achieve the desired results? (6) What conditions exist that we cannot change which may affect the strategy?
Once you've completed your blueprint, you have defined information security at a very high level, engaged your stakeholders, and mapped out priorities for the year.
Framework: This will be based on the information gathered in the blueprint. Use of a results chain logic model (download a sample results chain logic model for information security at searchsecurity.com/resultschain) to build your framework will allow you to clearly identify and present the actions that will be taken to achieve an overall outcome.
Greater involvement will be required to build a framework as it is a fairly comprehensive document. We ask the following questions: (1) What would we like to do? And what activities are required? You can use the results from the blueprint as the activity statements. (2) How shall we do it? List the activities required. (3) What shall be the rate of influence by years? List the major categories or programs that address what will be influenced. (4) What is the final outcome? List the overall organizational outcome that should reflect alignment with the business.
Completion of your framework will yield a complete picture of the information security program, the high-level activities necessary to build and sustain a program and identification of actionable goals. At this point you may want to consider engaging a third party to perform a risk assessment to identify gaps and validate the framework.
Strategic plan: A strategic plan defines an organization's long-term direction. When managed as a lifecycle, it can reduce resource waste and misalignment to business objectives. The information you gathered to develop your framework will be used in your strategic plan as major highlights.
The body of the strategic plan will contain the targets you will tackle as identified in your framework. Flowing from those targets are the projects necessary to hit the targets. The projects are identified from the list of activities identified in the framework document.
Additionally, you'll add elements such as cost, people resources and challenges. All targets identified in the strategic plan must clearly map to and support organizational goals. At a minimum, the strategic plan will contain the following elements: executive summary; current environment description (this is pivotal, as it will justify the targets and activities you've identified); targets (these are the gaps); proposed future state (where you'll identify the costs and people associated with the targets); and summary.
Road map: The road map is a functional calendar that blends tactical activities with business activities against a multiyear calendar. Its timeline has likely been prioritized by the findings of the risk assessment with consideration of organizational priorities. It is the path taken to satisfy the targets in the strategic plan. The road map can also serve as your enterprise portfolio and assist with project planning. At its best, a road map will be easily interpreted by business peers and those who support technology. It will communicate without requiring verbal narratives. At a minimum, your road map will contain targets, high-level activities, destinations, timelines, milestones and interdependencies.
Once you have presented the road map, you've ultimately answered the question of what information security is in your organization.
In two years, we will enter the second decade of a young millennium. We will need to have thoughts that compel, influence, resonate and motivate. There are many paradigms and thoughts we can promote in this particular realm. Whatever the method you choose, it should result in you getting invited back to the table.
IN THE KNOW
Extend protection stewardship beyond IT into the enterprise. Get executive management, legal, human resources, procurement/contracting and any person or department handling data that is considered to be an asset involved as a protection steward.
Principled information security ensures: (1) information security management, practice and investments will be verbalized in a manner that aligns with the business; (2) controls, countermeasures and activities will be managed throughout their lifecycle; and (3) key investments will be identified, monitored and measured for validation of effectiveness.
Borrow from Business Sciences
Make information security more consumable. Divide it into micro and macro information security with micro being the technology, controls, countermeasures and tactical solutions employed day-to-day, while macro information security is the blueprint, framework, strategic plan, road map, governance and policies designed to influence management and protect the enterprise.