There are five basics from a technology standpoint and five basics from a management standpoint.
Here are the technology basics:
- Strong Passwords
- Patch the Operating System
- Patch Third-Party Applications
- Application Whitelisting
We can leave the technology to the technical people, but management needs to be involved in deciding what risks the organization should take. These risks may include the following:
- Risk of Budget Overrun
- Risk of a Reduction in Productivity
- Risk of a Breach
- Risk of NOT Taking a Risk
- Risk of Not Doing Anything
Are you a risk taker? How much risk are you willing to accept to drive your business forward? No risk? Some risk? Lots of risk? Las Vegas-level risk?
It is no secret that businesses are made up of risks and rewards. As executives at the top of our game, we take risks knowing that without risk there is no reward. Risk is required.
To handle the many variables in risk, we have risk managers, business intelligence software, industry white papers, consultants, and of course our intuition, drive, and ambitions. The best we can do is find out as much as we can about the risk involved, do our research, make a decision based on the balance of risk vs. reward, take a guess, and complete a leap of faith.
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” – Donald Rumsfeld
IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered to be a component of operational risk, e.g. in the financial industry under Basel II. However, even strategic risk can have an IT component to it, especially where IT is the key enabler of new business initiatives.
The same applies to credit risk, where poor IT (security) can lead to lower credit ratings, loss of reputation, cancelled contracts, and (in the case of regulated industries) fines and/or criminal prosecutions. For that reason, it is better not to depict IT risk as hierarchically dependent on one of the other risk categories, but instead, perhaps, as shown in the example given. Like IT risk, information security and privacy risks should not be treated as an ‘IT-only’ issue.
Information security professionals tend to make dealing with the issue more complex. We try to talk to management about XSS, APT, UDP, TCP, and other things that are intended to make us sound knowledgeable, but they end up having the opposite effect. Generally, we reveal we have no understanding of business or how business is run.
Information security spending only makes sense if the end result is an increase in business, more efficiency, and profit. Profit, bonuses, perks, salary, end game… if these do not have a place in business, you are either a charity or a governmental agency.
Running with Scissors
Up or down, we can’t slow down or put them away. We didn’t invest in an email system so we can block viruses and spam. We invested in an email system because we use it to further advance our mission, as well as increase customer communications and company efficiency.
Our real priority is to help our 750M USD company become a billion USD company. We have to run faster with the scissors, and we need to make them sharper.
Too many failed security initiatives cost the company money and have little or no effect on their ability to protect company property or client privacy. In some cases, they actually hinder the company mission. Think TSA in the United States.
Their mission statement is ‘Protect the Nation’s transportation systems to ensure freedom of movement for people and commerce.’ (Have you flown lately? How is your ‘freedom of movement’ in the airport?) Sure, there is a three-year-old girl with spina bifida in a wheelchair who will never threaten the transportation system again. She is terrified to enter an airport after her experience of ‘freedom of movement’. Most IT security initiatives have taken their eyes off the ball. They focus on ‘prevent’ when they should focus on ‘enable.’
Information security needs to add real value to our company, showing that a properly run security and privacy group can reduce costs, increase customer and user satisfaction, and drive revenues. Information security professionals should live with the following five financial terms stapled to our foreheads, or at least on our screen savers: bottom line, gross margin, fixed vs. variable costs, equity vs. debt, leverage, capital expenditures.
Information security is not rocket science, and reducing risk while not interfering with business is difficult. There is no end to the amount of money that can be spent on security and privacy. What we need is to jointly understand how much risk we are willing to take with our security and privacy decisions, as well as how best to prioritize budgeted dollars. Trying to use FUD to justify security spending works for about three months or until you come to the realization that the dire predictions of gloom and doom didn’t happen.
The first dollar spent is 98% effective, the second dollar is 97% effective, and it goes downhill from there. Target actually made the right business decision not to overspend on IT security. Yes, it led to the CIO and CEO being fired, but Target stock was $60 a share before the breach in November 2013, reached $83 a share last July, and is currently trading at $70 a share.
They made the wrong security decision, but made the right business decision. This is where we need the help of the CEO and CFO. Once we understand the business priorities, ‘Aligning IT with Business,’ we can jointly work to prioritize security budgets.
Working with IT or Information Security: Form a committee, director-level or above, that meets quarterly to discuss information security issues. Business should lead the agenda with this committee, which should have the power to direct the high-level policies for the organization, including how much risk it is willing to accept. There should be a budget to work with. Any costs above that number need executive management approval.
Information Security Is Not Rocket Science
After a couple of meetings, you will tame the information security beast. You will understand your IT risk and be more comfortable with the decisions you have made.
About the Author: Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached at http://www.securityprivateers.com/.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.