There tends to be a lot of confusion about the role of information security in today’s business environment. Many times, the efforts of the security team are thwarted in the name of “productivity,” because it is widely believed that good cybersecurity practices slow down business processes. This is why it is critical for information security teams to drive home both the benefits and the requirements associated with security best practices.
As with any other organizational policy, security policies must be embraced from the top down to be successful. This is why it is critical for information security leaders to understand the most elemental drivers of information security and how they relate to, and support, business goals.
This will be a six-part series that drills into the critical components of information security. Each entry will get a little more granular, starting with very high-level concepts and ending with operational best practices for front-line practitioners.
In this first article, The Base Elements of an Information Security Environment, we will talk about each base element, starting with the most fundamental drivers and working through understanding how they all work together to build a successful cybersecurity program.
The First Element: The Importance of an Organizational Code of Ethics
Whether it has been officially documented in their company policies or not, every organization operates with a code of ethics. While not every organization or department has an official one, there is an inherent need for information security teams to adopt an official ethical code of information security that specifies the function’s core values and obligations to various stakeholders. Such a code provides guidance to team members and outsourced staff regarding security standards and how to achieve them, as well as detailed organizational security policies and the vision for implementing them.
Adhering to professional security ethics is vital to building a foundation of trust with clients and with the end-users in the organization who serve them. This is especially important in information security, where the function is tasked with maintaining data privacy, security, and business continuity.
In many cases, information security policies are related to local or international legislation or standards that provide a set of core values to define professional ethics. For example, the Sarbanes-Oxley Act (SOX) requirements mandate a great deal of transparency in financial reporting and codify practices for publicly traded organizations. SOX includes a requirement for corporations to report on how they manage financial reporting, internal controls, and controls structures that are usually under the purview of the Chief Information Security Officer (CISO).
The Second Element: The Application of Security Concepts
A component of information security’s responsibility revolves around the practice of ensuring that information remains available, correct, and complete and that it is reliably gathered, measured, and generated routinely. This can be seen in banking, health care, and other public-facing organizations that have become web-enabled, data-intensive, and automated. Failures of these services, systems, and infrastructures due to poor information security controls can have harmful consequences. As a key step to avoid or minimize those consequences, it is important to transform the general idea of “who has access to what and why at all times” into working definitions as part of the information security program.
The baseline for any information security program hinges on one main goal: maintaining confidentiality, integrity, and availability of the data that is classified as having importance in the organization. This includes data in any form, whether it is stored electronically or in printed hardcopy, and it also applies to any systems, mechanisms, and techniques used to process, manipulate, or store that data.
The Third Element: How to Align Security to Business Strategies, Goals, Mission, and Objectives
The most fundamental concept in information security happens to also be one of the most difficult to understand. In most cases, a business or organization can exist without the information systems security practice. However, this generates another fundamental question: Does information security have a reason to exist without a business?
Is there any exception to the rule? For example, could companies whose primary purpose is to provide security services to others exist without a customer? The answer is no! So, as security practitioners, we have a complex challenge in understanding the organization’s functions and goals, so we can then determine how security is incorporated to enhance processes. Security governance policies, roles, processes, and identity access mechanisms must be aligned with organizational goals to prevent the kinds of poor security control implementations that inhibit productivity, slow time-to-market releases, drive unnecessary costs, and hinder strategic efforts.
The Fourth Element: Organizational Governance Processes
Governance is one of the main pillars of information security. In any given organization, a governance program is designed to support decision-making and decision-makers, “by whom and how.” The goal of the information security team is to enhance and support business goals, understanding that security practices can affect business and organizational decisions due to changes to security policies, plans of action, and controls. The following are some business decisions that might affect the organization’s security:
- Acquisition: If an organization moves to purchase another business unit, the security implications can be extensive. New legislation and regulations that are imposed on the acquired business may now affect the parent company. Policies and practices that differ between the entities must be merged and updated, as well. The information security team must determine if security risks or vulnerabilities may be introduced to the corporate network.
- Merger: Merging two or more organizations entails alignments on security governance. Risks often involve the gaining organization inheriting the legacy systems, as was the case in the Marriott data breach, as CSO magazine reported a few years ago.
- Divestiture: When an organization decides to sell off or cede operations of a subsidiary or business process, it is vital to assess what property exists and requires security controls, and whether that includes data, infrastructure, or applications. Often, organizations are required to move identities and data across tenants; this is especially true for small tenants within a large organization. For example, if an organization has a single tenant/domain with thousands of users, information security teams want to reduce the number of small tenants to control management overhead. It is best practice to perform a security assessment, including identity clean-ups, both pre- and post-divestiture to consolidate the inventory of assets that will be affected. Finally, there is another scenario in which a whole tenant is not being acquired or divested, and only a subset of users and data changes hands. In the case of these partial divestitures, organizations need to consider cross-tenant moves as the main option.
Merger and Acquisition (M&A) risks often involve the gaining organization inheriting legacy systems, policies, procedures, and data. In these scenarios, the role of the Information Security Officer is to incorporate governance activities, such as systems security assessments, systems configuration management processes, or other prudent information risk reduction measures. The decision to acquire and merge is often made at the executive level, and it usually does not involve CSO inputs such as detailed system vulnerabilities, identity hygiene, or security compliance.
The Fifth Element: Organizational Roles and Responsibilities
Organizational hierarchy is also determined by the goals and the industry in which a business operates. However, different structures can impact how security governance is created and implemented, or even how security functions are defined.
Every organization has its own organizational structure and roles, determined by its desired security posture and business goals. For instance, in organizations where the Security Manager/Security Officer/Security Director reports directly to the CEO, much importance is placed on the security strategy of the organization. On the other hand, an organization whose security managers report to an administrative director or within the IT (Information Technology) structure (e.g., reporting to a Chief Technology Officer) tends to lose much of the organizational authority and independence needed to perform its information security tasks and responsibilities. This is often driven by a conflict of priorities, as CTOs (Chief Technology Officers) tend to focus on operability, which is often seen to be “at odds” with security.
The role of the Information Security Officer is to advise on security matters, assist in drafting security policies, manage security operations, and represent the organization’s leadership on security matters in groups and meetings (e.g., by managing and leading the Configuration Management Board).
What is a Configuration Management Board (CMB)? Sometimes also referred to as a Configuration Control Board (CCB), the CMB is a primary function of the information security practice and its supporting organization, and it defines two critical elements of the organization’s information security processes:
- Deciding what, why, and when to make changes, a.k.a. “management” (e.g., production environment changes).
- Taking steps to make those changes correctly, a.k.a. “control,” by validating that deployment plans are defined according to the organization’s standards (e.g., infrastructure readiness, deployment process, and rollback plan).
Industry best practice tells us that security managers should not report to the same role or department that oversees information technology (e.g., the Chief Technology Officer), because of the conflict of interest this creates.
The Sixth Element: Navigating the Information Security Legal and Regulatory Environment
Maintaining the security posture of an organization is not limited to identifying information security risks (like identity access management) and/or following internal or external legal requirements (e.g., legislation, regulations, standards, contracts, etc.). It is also important to acknowledge how these can affect the way organizations conduct business.
Our main responsibility as information security professionals is to embrace the legal requirements and convert them into technical and methodological approaches. Being responsible for upholding compliance also includes high accountability from C-Level executives to design and implement the working plan. In other words, accountability for compliance falls into the lap of the C-level executives in the organization. This standard is becoming more common and more serious, as was reported by MSN regarding the recent fallout from the massive 2020 SolarWinds breach.
In principle, every organization operates under both internal and/or external mandates that explicitly state expectations for performance or conformance. These mandates usually appear in the form of the security standards for which each organization is responsible to customize and implement, intending to protect themselves from any liability or legal precedent.
Compliance is adherence to a mandate, and regardless of the industry, organizations are required to demonstrate compliance with a stated “security standard.” The success of the compliance program hinges on two steps: 1. demonstrating adherence to the standard (proof of security controls), and 2. providing proof of the tools, processes, and documentation used for the implementation and operation of those security controls.
One practical approach for organizations is to create a procedure for reviewing systems and processes for compliance with the standards or baseline previously defined. For example, this can include audits of the security controls, configurations/baselines, and financial records, conducted formally and independently (via external auditors) or informally (via internal staff).
Internal and external auditing is a great process for an organization to test that the design, implementation, and operation of the security controls are aligned with the security standards.
The Wrap-Up or TL;DR
As mentioned at the outset, security policies must be embraced from the top down to be successful. This is why information security leaders must understand the most elemental drivers of information security and how they relate to, and support, business goals. These fundamental elements include:
- Adopt an official information security code of ethics that specifies the function’s core values and obligations to various stakeholders. Such a code provides guidance regarding security standards, detailed security policies, and the vision for implementing them.
- Apply fundamental security concepts to maintain the confidentiality, integrity, and availability of important organizational data, whether it is stored electronically or not. This also applies to any systems, mechanisms, and techniques used to process, manipulate, or store that data.
- Align security goals with business goals so that security governance policies, roles, processes, and identity access mechanisms prevent poor implementations that inhibit productivity, slow time-to-market releases, drive unnecessary costs, and hinder strategic efforts.
- Implement organizational governance processes to enhance and support business goals, understanding that security practices can affect business and organizational decisions due to changes to security policies, plans of action, and controls.
- Maintain the functional independence of the security leader, whose role is to properly advise the business on security matters, assist in drafting security policies, manage security operations, and represent the organization on security matters.
- Embrace compliance requirements and convert them into technical and methodological approaches. Regulatory mandates appear in the form of security standards that the organization is responsible for implementing to protect itself from liability.
Ensure that your organization starts with the most fundamental understanding of where information security asserts its influence and then aligns its mission and goals with those of the business. By doing so, you can leverage your efforts as a support mechanism for business success and reduce the prejudice that security slows productivity.