Security Essentials for CIOs: Establishing a "Department of Yes"
IBM Center for Applied Insights Executive Series Security Essentials for CIOs Establishing a “Department of Yes” Consider for a moment the most vital operation in your enterprise. It might run financial processing around the Highlights: world, control a city’s electrical distribution, or handle millions of passengers’ airline reservations. What happens In order to embrace the opportunity for to your business if the computers directing such operations innovation, IT security must evolve from a culture of “no” to “yes.” At IBM, we’ve are hacked, sabotaged or shut down — if customers can’t transformed the security organization into process transactions or global airline reservations go dark? five core functional areas — all designed Facing such frightening scenarios, it’s not surprising to to foster a pragmatic, affirmative, and strategic approach to risk management. imagine that many information security leaders might want to shut the door and say no to initiatives that might threaten their delicately balanced security operations. In fact, a study by IDC/RSA suggests that security concerns inhibit innovation. More than 80% of executives surveyed in 2008 said they “occasionally” or “often” didn’t pursue innovative business opportunities because of information protection concerns.1 More recently, security concerns have been seen as contributing to slowing the adoption of a number of innovative technologies — from social technologies and electronic medical records, to open government platforms and smart grid technologies.2 By shooting down ideas and standing in the way, IT security has grown in many enterprises into the “Department of No.” This must change. Security has to expand its role into the operations of the enterprise, so that each new idea or initiative is conceived and designed with security challenges in clear focus and the appropriate response baked in. Such change requires a comprehensive systemic approach to security — and an organizational structure to support it.
Executive Series Security IntelligenceThis is what we have done at IBM, and in the process we 2. Planhave turned security into a “Department of Yes.” This At this point, the job moves to the policy and architectureapproach was developed over time, with leadership from the unit. These professionals (which in small companies couldtop, shining a spotlight on security. It also took important of course be the same as the strategy team) map out stepsorganizational changes. to take. They identify the technology and suppliers, and come up with the budget and timetable. In short, they design aIn this paper, based on our experience, we will outline plan so that the strategic goals are actionable.five functions to help create a pragmatic, progressive,organizational structure for enterprise security, one thatbalances innovation with risk and can transform thedepartmental culture from “No” to “Yes, here’s how.” Each security function provides the opportunity for continuous1. DefineThe first function is dedicated to assuring the organization improvement, so developing ahas a forward looking strategy (~3-5 years) for addressing feedback loop is essential.IT risk. How? Practically, this organization will captureinformation about both existing and emerging IT risks tothe business (based on new initiatives or changes in thelandscape) and determine whether the risks are managed 3. Implementeffectively. If executed correctly, this function will “chart A management team must carry out these plans. If it’s anthe course” and identify where and when course corrections anti-virus program, for example, they install it across themay be needed. Most importantly, this activity allows you designated systems. At the same time, they register the stepsto treat risk expenditure as investment. they’re taking into a service catalog. This way, the tools they’ve installed can be re-used. And if something should go wrong, a detailed record will be available for analysis. Key risk scenarios: Cyber Security An attack or virus contagion cripples 4. Measure a data center, spies on operations, Specialists in compliance analyze the effectiveness of the leaks customer data controls in place. They determine where the efforts are IT Compliance A regulatory snafu, such as faulty meeting security goals and, more importantly, where handling of customer data, can cause they fall short. This unit identifies key risk indicators, such business interruptions, not to mention as the malware infection rate. It details its findings on a a bruised reputation balanced scorecard, which it presents every quarter to the Supply Chain A technology supplier fails, strategy team. leaving obligations unmet and services disrupted 5. Respond Business Transformation A strategic technology project Even with meticulous planning and organization, things go faces delays, budget overruns or wrong. This is when the incident response team swoops operational glitches in. In the process of responding to crises, they come up with vital information about what went amiss. This feedback is provided to the strategy unit to further refine technology and policy components.1 “ Innovation and Security: Collaborative or Combative”, IDC, Sponsored by RSA, September 2008, http://www.rsa.com/innovation/docs/IDC_innovation.pdf2 “ HP and AMD Research Shows Concerns about Security, Technology Budgets Are Main Barrier to ‘Gov 2.0’”, April 24, 2012, http://www.hp.com/hpinfo/newsroom/press/2012/120424c.html 2
Executive Series Security IntelligenceIBM CIO—IT Risk: Functional Organization IT Risk Policy Management Compliance Computer Strategy Team Architecture Team Operations Team Audit Team Incident Analyze existing and Design policy controls Execute initiatives Measure Response Team emerging risk identify technology maintain service report compliance Incident handling “chart the course” and suppliers catalog status response 1. Deﬁne 2. Plan 3. Implement 4. Measure 5. Respond A feedback loop between each function offers continuous improvement. IT Risk Strategy Deﬁne risk map risk posture improvement strategyEach function provides the opportunity for continuous Join the conversationimprovement, so developing a feedback loop is essential. For To read additional articles, learn more about Security Essentialsexample, by analyzing the balanced scorecard, the strategy for CIOs, or share your thoughts with other security leadersteam can spot areas that need to be fixed or enhanced. This join us at ibm.com/smarter/cai/security.might call for improving the efficiency of a technical control,clarifying a policy requirement, or investing in employeesecurity awareness programs.One key to success is a seat for the information securityleader at the executive table. In the 2012 IBM ChiefInformation Security Officer Assessment it was determinedthat the most influential security leaders have a strategic voicein their enterprise.3 This means they have the ear of seniormanagement, the power to convene a security/risk committeewith top executives, and effective metrics to measure risks,and to craft appropriate responses.At IBM, our risk management team meets quarterly with a About the authortop advisory committee, including senior vice presidents of all Kristin Lovejoy is Vice President of IT Risk, Office of the CIO,the business units, who report directly to the CEO. These IBM. She can be contacted at email@example.com the leaders of many functional areas including finance,marketing, technology and others. Each of these executives About the IBM Center for Applied Insightsmust understand the security risks to his or her unit and what The IBM Center for Applied Insights introduces new ways ofcontrols are in place. Together, they shape and decide strategy. thinking, working and leading. Through evidence-basedSecurity, after all, is intimately tied not only to their units, but research, the Center arms leaders with pragmatic guidance andto the future of the enterprise. the case for change.3 “ Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment”, IBM Center for Applied Insights, May 2012, http://www.ibm.com/smarter/cai/security 3