When such a situation surrounds IT security, a chief security officer can essentially take one of three approaches:
1. Scare them into investing. This is accomplished by highlighting the worst possible scenarios, and then getting them so worried that they invest in anything just to get the peace of mind that they are addressing the issue.
2. Invest reactively. This is where everyone just sits back and waits for a problem to occur. Once it does, they hurry and invest in a point solution to fix that specific issue, but rarely look into an overall IT security strategy to safeguard the company.
3. Plan and invest proactively. This approach is accomplished through raising IT security awareness through discussion, training and business alignment. In this way, the entire company has bought into the idea that IT security is important and worth the investment - that it actually is a mandatory investment.
There are, of course, pros and cons to each tactic.
Scare tactics are risky. They can cause businesses to overreact. This is not a strategic approach and is not respected by most C-level executives as a good business practice. Though it usually works in the short term, it is not seen as applicable to a specific business entity.
Reactive measures are extremely risky. By the time the security issue is noticed it may be too late to protect the company, so CIOs lose credibility with the business. Given the current heightened awareness of security in general, this approach appears not well thought out and not a strategic approach to protecting a company's IT assets, though C-level executives easily invest in security after an incident.
On the other hand, it is more difficult to get C-level buy-in initially for proactive measures. But it is a strategic approach, enabling CIOs to gain credibility with the business and supporting business audit and security requirements.
So given this, proactive approaches seem the obvious way to go. But how do you go about doing it?
Start with a structured approach to data classification. The objective of data classification is to determine what information within the company is actually important to secure. This is an easy thing for the C-level executives to understand and support, and is not an IT/technical approach to the issue. A simple approach to data classification is to define the data as:
- Highly restricted - only available to a limited number of people in the organization.
- Company confidential - available to anyone who is an employee of the company.
- Confidential - available to employees and business partners under a non-disclosure agreement.
- Public - available to the general public.
Draft a matrix showing the various types of company data and how it would be classified. It is important that this matrix be specific to the company. Use real names of information types and reports. Be prepared with examples to support why the information should be classified a certain way and what the risks are to the company if the information is not protected. Discuss the various types of internal and external security risks.
Review the data classification definitions and the draft matrix with the C-level executives. Usually they will agree that not all information is the same, and that different information needs different security measures.
These steps are critical to gaining executive awareness of the importance of protecting the information and linking the IT security measures to the risks of unprotected information. Now that the executives have agreed that the information should be protected, and understand the real risks to the business of not protecting the information, the conversation about how to protect the data can begin. There are several parameters to protecting the information:
- Security awareness. This starts at the C-level and must permeate the entire organization. Awareness begins with a security policy and information dissemination.
- Security infrastructure. This involves providing the capability within the organization to protect the information. It is where the majority of the investment in security is made.
- Security audit. This step in the process ensures that the agreed upon security measures are being carried out. It is an ongoing process to continually review and improve the security infrastructure of the company and respond to any new developments regarding the company's information security.
All of these activities require some level of funding. The security awareness can be funded within information systems as a project expense, within HR as a company training expense, or within finance as an internal controls expense. Any of these funding approaches can be successful, but it is ultimately information systems' responsibility to coordinate the activity. The success of the security policies is heavily dependent on having the appropriate security infrastructure in place to implement, monitor, and report on security issues. The responsibility to provide the security infrastructure rests within the IS organization since the information is developed and maintained within IS systems.
The security infrastructure is funded and implemented within information systems, which must interpret the security policies they helped develop through the data classification approach, into the specific software, hardware, and information systems procedures necessary to implement the policies. Each of the data classifications should have a phased approach to implementing security, and depending upon the current level of information systems within the organization, this could be a multi-year effort. Every investment item should be tied directly to the data classifications and types of security risks that were discussed and agreed upon with the executives. This business linkage is vital to gaining approval for the IS security infrastructure investment.
Security audits are often funded within the internal audit activities of a company. In this way there is a 'check and balance' to the security process, since IS is not responsible for auditing itself. Security audits are usually conducted using outside experts who are very experienced in performing IS security audits. IS security auditing is a specialized skill which requires broad knowledge of the IS technical infrastructure and current information on not only security protection technologies, but also on the current techniques and tools used to violate IS security.
The most critical part of the funding process is to ensure linkage to the business. Do not try to scare the C-level executives into investing, but explain to them the potential pitfalls of not investing and the potential damage to the company. Even if they make the business decision not to invest, it is the CIO's responsibility to bring these issues to their attention in a manner that clearly demonstrates the potential risk to the company and the risk mitigation strategy that can be implemented through IS activities.
Linda Hughes is CIO and managing director, North Highland Company (www.north-highland.com), a management and technology consulting firm.