How do we make executives accountable for IT Security?
Michael outlines the general challenges, details key items of concern and discusses the focus areas that can be taken to improve the daily governance of IT security in your organization.
2. What we continue to see…
• Information Security Programs lack support
• Policies poorly monitored & enforced
• Organizations are consistently reacting to point-in-time issues regarding security, privacy & asset protection
Copyright 2007 – Seccuris Inc.
3. Executives are not accountable
The issues:
• Executives are busy
• Communication Barriers
• Unknown accountability
• Executives are not engaged
4. Executives are not accountable
The issues:
• The missing “Tone from the Top”
• C-Level relationships often poorly aligned
• Executive involvement not defined
• The “Super CISO” misconception
5. Executives are not accountable
The issues:
• Relevance of Information Security to business not seen daily
• Business objectives / goals seldom communicated in an aligned fashion to information security
• Critical attributes that the company requires are seldom defined in terms information security understands
6. Executives are not accountable
The issues:
• Information Security is not industry specific
• Not seen as business requirement
• Roles / Practices / Language inconsistent
• Information Security continues to press best practice, without considering what the organization's minimum practice should be
7. Why do we want to make Executives Accountable?
The wrong reasons
• Misunderstanding responsibility and accountability
• Deferring the tough decisions to others
• Dealing with poor visibility or respect of information security (from business units) by hiding behind executive
• Gaining leverage to continue poorly understood FUD campaigns
• Using unwitting executives to drive your poorly justified security “improvements”
8. Why do we want to make Executives Accountable?
The right reasons
• Improving understanding of information security within the business
• Improving communication of the business needs around security and what priorities exist
• Ensuring consensus of business and asset stakeholders
9. Why do we want to make Executives Accountable?
Focusing on the right reasons
• Security should be understood by the business
• Security should align and support the business
• Security program should be defined and agreed to by executive
Make executives “want” accountability for information security
10. How do we make Executives Accountable?
What executive involvement do we need in our Information Security Program?
Program Area: Requirement
• Strategy: Visibility
• Gap Analysis: Minimum Practices
• Action Plan: Commitment
• Performance Measurement: Acknowledgement
11. Where do we need executive involvement?
Information Security Scorecard should align with the business
[Diagram: three linked scorecards]
• Organizational Balanced Scorecard: The Learning & Growth Perspective, The Business Process Perspective, The Customer Perspective, The Financial Perspective
• Information Systems Balanced Scorecard: Information Technology Perspective, Information Security Perspective, Business Continuity, Risk Management
• Information Security Balanced Scorecard: Critical System, Business Development, Applications, Security Management, Computer Networks, Installations
12. Where do we need executive involvement?
[Diagram linking the Information Security Policy, the Information Security Balanced Scorecard and the Security Management Dashboard*]
• Information Security Balanced Scorecard areas: Critical System, Business Development, Applications, Security Management, Computer Networks, Installations
• Security Management aspects: High-Level Direction, Security Organization, Security Requirements, Secure Environment, Malicious Attack, Risk Acceptances, Special Topics, Review
*Includes KPIs from each aspect of Security Management
13. How do we make Executives Accountable?
How does Information Security want to be involved with executives?
Role of Security in Management Activities
• Planning: Security at table
• Directing: Security Encouraging / Supporting
• Doing: Involved / Aware
• Reporting: Facilitating
• Refining: Involved
Information security should be “built-in” to the organization…
14. How do we make Executives Accountable?
Our focus should be on building information security directly into the business
Alignment of:
• Governance structure & Organizational models
• Common business & security language
• Visibility of Information Security in the organization
15. Building Information Security In
Why does alignment help?
• Communication of intent, plans & actions
• Consensus of short term goals and controls
• Visibility and understanding of long term strategy
16. Building Information Security In
Why does alignment help?
• Creates awareness of information security requirements in business terms
• Involves Information Security in the business
• Creates accountability & responsibility for information security outside of traditional InfoSec roles
17. Improving the situation
How do we approach alignment?
In general:
• Education: Executive Workshops
• Requirements gathering: Working with BUs
• Dialog: On-going 7 minute meetings
• Long Term Planning: Defining plans over time
18. Improving the situation
Governance Structure & Organizational Models
• Defining Accountability & Responsibility of IT Security
• Development of good governance structures
19. Governance Structure & Organizational Models
Defining Accountability & Responsibility for IT Security
Ensure:
• Asset owners are involved & accountable
• Practices exist for defining & accepting minimum practices
• Policy exception & Risk Acceptance processes exist
20. Governance Structure & Organizational Models
Development of good governance structures
[Organization chart: a security Council (which Plans, Initiates, Monitors and Reports) alongside the CEO; the COO, CRO, CFO and CIO; the CISO; a BU Manager; Dept Managers and Security Managers]
21. Improving the situation
Translating business goals & objectives into common attributes
• Defining common attributes for business drivers
• Using attributes to map business goals to security controls
22. Translating business goals & objectives into core attributes for protection
Defining common attributes for business drivers
26. Translating business goals & objectives into core attributes for protection
Using attributes to map business goals to security controls
Business Driver: BD17
Business Attribute: Private

Metric Type: Hard
Measurement Approach: Reporting of all unauthorized disclosure incidents, including number of incidents per period, severity and type of disclosure
Performance Target:
• Zero successful attempts at unauthorized disclosure.
• Alerts of unauthorized access attempts produced and delivered to systems manager and business owner within 30 minutes.
• Summary reports of number, severity and type of unauthorized access attempts to private data produced and delivered to systems manager and business owner monthly.

Metric Type: Soft
Measurement Approach: Independent audit and review with respect to the prevention of unauthorized disclosure of private information
Performance Target: System passes review by audit team to a degree deemed acceptable by the legal department to prevent prosecution under Canadian privacy law.
27. Improving the situation
Visibility of Information Security in the organization
• Visualization of the Security program
• Alignment of program with management activities
• Provision of on-going education & dialog
28. Visibility of Information Security
Visualization of the Security program
29. Visibility of Information Security
Alignment of program with management activities
Business Attribute(s) – Identified KPI
CSF: Maintain the privacy of personal and business information that is stored, processed and communicated (BD17)
KPI: The number of E-mail privacy incidents identified, contained, investigated or closed on a monthly basis.
Business Logic: If the number of E-mail privacy incidents that resulted in disclosure is more than 1 a month then show as critical.
E-mail Privacy Incidents (Monthly): Identified 544; Investigated 311; Reported 45; Unauthorized Disclosure 30
[Chart: E-Mail Privacy Incidents by month, Jan to Dec, y-axis 0 to 80; series: Identified, Inspected, Reported, Unauthorized Disclosure]
30. Visibility of Information Security
Provision of on-going education & dialog
• Continuous refining of business attributes
• Discussion of information security action plans
• Assessment of changes to company priorities and potential impact to security program
• Awareness of Incidents, Short term and Long term activities
31. Improving the situation
Improvements in executive involvement can be made by alignment of these areas
• Governance Structure & Organizational Models
• Specific business & security language
• Visibility of Information Security in the organization
32. Moving forward
Enabling Actionable Improvement Plans
How do I tell we are improving?
• Action plans involve Security & Business
• Initiatives are reviewed by Executive
• Improvements to Action Plans are described in Business Terms
• Action Plans have increasing number of Business Unit initiated activities
33. Moving forward
Integration of security management in business cycles
How do I tell we are improving?
Specialists
Designers
Advisors
Reviewers
34. Summary
We can build security into our organizations by aligning Governance, Language and Visibility
By building security in, we involve security directly in the business
By involving information security in the business we ensure effective accountability in our executives
35. Thanks
Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA
Founder & CIO
Seccuris Inc.
Email: Michael.Legary@seccuris.com
Direct: 204-255-4490
Main: 204-255-4136
Fax: 204-942-6705