Our Polymorphic Fluid Field of Information Security

Several years ago, I witnessed the first meeting of a newly-minted Director of Information Security with his supervisor, the CIO of a major insurance firm. The CIO carefully drew a large circle on a whiteboard and proceeded to inscribe the word “SECURITY” in the center of the circle. Then, the CIO dramatically pointed his finger at the Director and said: “Your job is Security. All of it.” The finger quickly outlined the circle. “All of this is your responsibility. When I think of Security, I think of you!”

After a week or so, the CIO proceeded to add further responsibilities to the information security function. First came the need to verify listings of workstation administrators. Then the Director was asked to reduce the number of world-writeable Unix files. Still later, the CIO insisted that the Director must monitor the log of all visitors to the data center. New responsibilities seemed to emerge on a weekly basis, but the Director was never provided additional staff to perform these ever-expanding duties. Finally, the CIO determined that the “circle” of Information Security was inadequately tended; the Director lost his job.

But is the metaphor of a circle, with its clearly demarcated boundary, really an apt description of the field of information security? Maybe. But the boundary of that circle more closely resembles a permeable membrane than a solid border. The responsibilities associated with information security differ from one company to another. Even within the same organization, those responsibilities may change—sometimes on a daily basis. As a result, the field eludes definition; it lacks a clear identity. Information security professionals cannot draw their line in the sand and state, unequivocally, “Here is where my work commences and the tasks of others—auditors, compliance and privacy officers, information technology specialists, or whatever—should not intrude.”

Viewed from certain perspectives, this is something of an irony. At least two major organizations provide certifications to information security practitioners; this seems to imply that the field has adopted certain practices and a shared common body of knowledge. Also, several universities are now offering courses concerning information security—indicating that the field is at least sufficiently stable to enable sustained and structured learning. Yet, in daily practice, the information security function continues to present itself as an amorphous entity charged with ever-expanding (and sometimes shrinking) responsibilities. Why is this the case?

Perhaps the first culprit is our famous CIA triad: Information security, we are well aware, has a duty to ensure the Confidentiality, Integrity, and Availability of data. Unfortunately, our mantra is shot through with ambiguity. For example, does Confidentiality include the controlling of access to systems on a “need-to-know” basis? Does it involve developing a data classification scheme? What about establishing policies concerning the secure shipment of tapes from one destination to another? Is the secure archiving of paper within storage facilities within the purview of information security? How about the acceptable usage of cell phones on corporate property? Is information security responsible for determining how the data associated with obsolete applications should be archived? Questions quickly proliferate concerning the role of information security as guarantor of data Confidentiality. And many additional questions may be raised about the manner by which InfoSec protects data Integrity and assures data Availability. The problem, it seems, is that the CIA triad has too broad a scope to adequately provide a clear identity for the field of information security.

The emergence of new technologies and regulatory requirements has also served to alter the shape of information security. The Internet, laptops, cell phones, USB devices, MP3 players, PDAs, and radio frequency devices have each brought new security issues which may (or may not) call for the intervention of InfoSec. Many of these issues, such as the problem of lost laptops, cell phones, and PDAs, bring information security into areas of concern traditionally associated with physical security functions. Others, including access control measures adopted for e-commerce web sites, require information security specialists to remain sensitive to the needs of corporate communications, marketing, and public relations. Regulatory requirements, such as those introduced by the enactment in the United States of Gramm-Leach-Bliley and HIPAA, have also required rethinking of the information security function. Most important, these regulations have emphasized that data privacy—in addition to confidentiality—cannot be ignored. In addition, the regulations have placed greater emphasis upon risk assessment processes. Practically, the regulations require InfoSec professionals to adopt collaborative relationships with compliance and privacy officers and with legal specialists. As mentioned earlier, the boundary of the circle representing information security has really become a permeable membrane.

Finally, each organization’s internal culture significantly determines the manner by which information security is viewed within that organization. In particular, the relations between Information Technology, Telecommunications, IT Audit, and Information Security are especially susceptible to cultural influences. For example, some companies prefer that InfoSec personnel should both approve and implement firewall rules; in other organizations, these tasks are performed by separate functions. Security-related risk assessment tasks may be a role of information security or they may be conducted by an altogether different department. Scanning servers for security vulnerabilities may remain within the purview of IS or, alternatively, may be conducted by an IT infrastructure group. Developing a data classification scheme may be a primary responsibility of the CISO or it may be assigned to Legal, Compliance, or another control function. Although most corporations have established an “Information Security” group, the roles assigned to that group differ from one organization to the next; the “circle” of InfoSec assumes diverse sizes.

That information security cannot establish its own distinctive turf, that the field cannot draw its line in the sand, has both great disadvantages and benefits. Certainly a major downside to this situation is discussed in the first paragraphs of this article: Senior management may continue to insist that InfoSec assume additional responsibilities, yet neglect to provide the necessary technical and human resources to meet these responsibilities. As a result, the information security staff gradually become mere fire-fighters, superficially solving problems while deprived of the ability to consider the long-range effects of their so-called solutions.

But there is also an upside. The mutability of information security allows the field, and individual practitioners, to adopt flexible perspectives required to address challenges posed by ceaselessly evolving technologies and new regulatory requirements. Steadfast adherence to a timeworn body of “common knowledge” is hardly practical when technological and regulatory developments are gradually rendering the “knowledge” obsolete. In addition, of course, the absence of a clear identity ensures that the practice of information security will never be boring.

2 Comments

  1. Anish Mar 27, 2008 at 2:20 pm

    You are right, clear delegation of roles and responsibility is very much important in a security org., and these kinds of CIOs can be found in plenty; it’s just that stricter compliance will take care of the stuff, e.g. one person can perform only one role within the org.

    — Anish

  2. Ashish Mar 28, 2008 at 1:32 am

    Very interesting! In fact there is another angle to address this issue, and every organization should enable its employees in that regard. Let me explain by bringing in another triad…JAR. The JAR triad, if I run it backwards, is Responsibility, Accountability and whose Job is it anyway? In the matrix organization structures we live in today, when it comes to information security for enterprises, no single function can be held liable. It has to be a joint effort from people who want information security and people who enable it. The senior members of business are the ones who know the criticality of keeping information confidential, and they should be responsible for identifying what information needs “protection”. Having done that, it is the job of the InfoSec team to ensure that adequate enablers are provided for the business team to exercise this protection. Both go hand-in-hand. If the business fails to identify what needs protection, no amount of enablement will help. At the same time, “categorization” of information for security by business has no meaning if IS has not provided security frameworks. Also, sometimes the roles reverse, wherein it’s the InfoSec that identifies what needs to be protected, and the business enables it (by following processes etc.).

    The real need of the hour is security frameworks that allow this enablement and role reversals. Security frameworks that provide full control on business-critical information. In today’s collaborative world, where sharing of information is taken for granted (within and outside of the organization), this control should be exercisable on information regardless of where it is physically residing. Also, since business is dynamic, the security policies also should be dynamic, and new policies should be applicable to information even after it is distributed. All this also needs complete central administration and monitoring capabilities. In other words, Information Rights Management needs to be applicable on distributed information, whereby the “content” is distributed, but the “control” on its usage is held back.
