Information security is a business problem, not a technical one, and it must be addressed from a business perspective. Technical prowess is certainly a vital component when it is required, but there is much to achieve before that level is reached.
In the main, there are four critical areas for a formal information security program. These are executive strategy, operational planning, tactical execution and consequence management.
The four aspects identified here work in a top-down fashion, in a cause-and-effect model. Each level of the model builds upon the previous efforts. As with building a new house, a lack of effort at any particular stage will produce weaknesses in everything built on top of it. Without the key planning efforts, the outcome is unpredictable and will almost certainly not meet your original vision.
The first and most visible activity required by the C-level executive team is to provide clear and unified executive sponsorship. Poor or non-existent executive sponsorship will inevitably lead to deficiencies in subsequent levels - if management is not on board, it will be difficult to build an effective program.
This effort could initially consist of merely drafting a letter to employees that outlines the importance of security to the bottom line and the role that each employee has in protecting company resources. The letter should also designate who is expected to create and then enforce information security policy.
The second (and equally important) step is to make it constantly apparent to all staff members that the intent of the executive sponsorship is genuine. Information security is as much a corporate culture issue as anything else, and lack of open support at the C-level will permeate throughout the organization. Strong and visible support, however, will have a powerful, positive impact.
Additional activities, such as the creation of the security organization and the corporate security policy, should also be addressed at this level. C-level executives typically choose to delegate much responsibility to the newly created security staff, but making initial recommendations at this level shows continued support.
The security organization created by the executive strategy described above typically holds responsibility for the operational planning level of the security program. Primary tasks performed include the creation of all standards, procedures and guidelines, as well as the adoption of a user security awareness program. The security staff should develop all documentation and training to support the direction initiated by the executive strategy.
Carrying it through
The security team, with support from C-level executives, must now execute and implement all the operational components throughout the organization. All tactical efforts will revolve around supporting the standards, procedures, and guidelines already in place.
It is important to note that this is the step where many organizations mistakenly begin their security efforts. If an organization begins by purchasing security software and implementing it without the required background support, it will be without a solid foundation and will likely fail.
Even in the most perfectly formed and executed security program, problems and issues will arise. It is important to create coherent processes and procedures to handle them when they do. Consequence management examines such issues as business continuity and disaster recovery. As the events of September 11, 2001 showed us, not all information security issues arise from technical malfunction. The security team must develop a plan of action before a security breach occurs, so that it can respond and manage the problem quickly and effectively.
Ask the right questions
The executive level needs to address several key issues. Each one will dictate how an organization performs its duties and how seriously security is perceived.
First, as outlined above, the lack of unified and visible support from executive management will certainly cause security efforts in the organization to fail. If executive management does not take security seriously, the rest of the organization will follow their lead.
Second, how does security affect/protect the bottom line? One of the most important steps an organization can make is to clearly determine what resources it is trying to protect and from whom it is protecting them. Whether it is financial loss due to an outage of services, reputation damage due to embarrassing media exposure, or loss of business due to the compromise of intellectual capital, information must be classified by the impact it has on the business and the organization's ability to continue functioning as desired. Once the bottom line is factored in, C-level executives will beg to be involved, rather than be bullied into it.
One way to obtain this information is to perform a risk assessment in the organization. These words strike fear into many hearts, but a risk assessment, when performed properly, should require a minimum investment of time and money. In today's fast-moving environment, where recommendations that take several months to develop are out of date before they are reported, the scope of any risk assessment should be as small and as tightly controlled as possible. This permits a rapid conclusion of the risk assessment process and allows security staff to take appropriate action quickly, after reviewing the results.
Counting the costs
The bottom line for why information risk assessments should be performed is deceptively simple: expend the least amount of money and effort necessary to provide a sufficient level of protection for the information on which the continued operation and survival of the organization depends. It is important to remember that it is the information that is valuable - typically many times more valuable than the cost of the computers on which it resides, the applications that process it, or the administrative and other facilities necessary to support it.
All of the factors mentioned in the previous sentence, with the exception of the information, are known, predictable costs of operating the business. The cost associated with collecting, developing, or generating the information is often underestimated. In order to conduct a successful risk assessment, an organization needs to quantify the cost associated with an information compromise, as well as the consequential impact on the business. Without this knowledge, the organization cannot possibly know whether it has adequately protected its information or not.
Third, look at cost savings versus cost avoidance. Will information security provide an actual cost savings or just help avoid costs in the event of a security-related incident? It is much more difficult to justify large security projects when they are strictly based on 'what if.' Security staff should examine each security program initiative to see where it will help the organization to immediately save money. This is not always possible, and some element of security will always be a cost of doing business.
In today's environment, where security threats continue to grow each day in number and sophistication, it is absolutely critical for organizations to develop comprehensive security strategies to protect resources. Many organizations erect firewalls and install security software, but these efforts are not sufficient. A sound security posture requires technology, policy and people to support it, and C-level executives need to involve themselves at the infancy of the program's development.
Executive management sets the tone in an organization, and its actions send a message to the rest of the employees. If C-level executives recognize the impact security has on the bottom line and take the initial steps to initiate policy development and delegate responsibility to appropriate staff, the rest of the program's development and maintenance will fall into place much more smoothly.
James L. Bindseil, CISSP, is technical operations manager, Global Symantec Security Services (www.symantec.com).