- BlogInfoSec.com - https://www.bloginfosec.com -

Who’s In Charge Here? The Problem of Information Security Governance

A long-time friend of mine recently called with surprising, and sad, news.  “I’ve been laid off due to poor profits,” he said.  “I receive eight months’ severance.  But if, at the end of eight months, I tell my ex-employer that I’m retired, I’ll get family medical benefits until I turn 65.”

My friend is 55, and has been employed in the field of Information Security for more than two decades.  Until a few days before the phone call, he had served as CSO at a major manufacturing company.

I asked him how the function of CSO would be replaced by his former employer.  He said that the job would be delegated to another senior executive in IT.  “And the other security roles will also be reassigned: network security will be moved to Telecommunications; policy and procedures will transfer to Communications.”  In other words, the central Information Security unit would be dissolved and its functions incorporated into several existing operational, technical, and other areas.  “But how,” I wondered aloud, “will all these areas work together to create something resembling a consistent information security program?  Where’s the managerial glue to hold it together?  Who’s in charge?”  My friend replied, quite simply, “I don’t know.”

This single telephone conversation is one among many indicators that, to an increasing extent, the problem of governance continues to haunt the field of information security.

A few months ago, I learned that the ISO of a large financial services institution informed his staff that it was unnecessary to obtain the CGEIT [1] (Certified in the Governance of Enterprise IT) certification, newly offered by the Information Systems Audit and Control Association (ISACA).  “Governance,” he announced, “has nothing to do with information security.”  And, indeed, certain trends within the field seem to confirm this view.  For many years, organizations have outsourced various access control functions (such as password changes) to Help Desks and to offshore service providers.  However, to an increasing extent, large organizations are assigning specific information security functions (including risk management, network security, and policy development) to other departments within the broader IT organization.  In some cases, information security roles are embedded within business units.  In short, InfoSec is becoming balkanized.  And, it seems, little thought is being given to how these dispersed security functions are supposed to add up to a coherent security program.

To some extent, this is merely a continuation of several long-term historical trends.  Information Security has, for many decades, been an “orphan of the corporate org chart [2].”  Also, the field has never developed a sufficiently stable identity [3] to establish well-defined functions that must be performed by a specific, centralized administrative unit.  In a 2005 study [4] published by the Aberdeen Group, governance was identified as a chronic weakness of most information security programs:

Although 26% of all firms in the world are performing at best-in-class levels when it comes to managing security, less than 10% are operating governance programs that are at best-in-class levels.  By contrast, 26% are best-in-class for network and infrastructure, 20% are operating best-in-class information and access programs, and 23% are operating Sarbanes-Oxley programs that are at best-in-class levels.

However, the increasing tendency to disperse information security functions throughout the organization will only exacerbate the already problematic governance issue.  InfoSec is becoming not merely an “orphan” of the org chart; it seems actually to be disappearing and replaced by various information security “functions” scattered throughout the organization.

The effects of balkanization

These developments are not without merit.  For the past several years, IT and IS professionals have been informed that their objectives and processes must be “aligned” to meet the needs of the business.  This means that the organizational divides between business units, Information Security, and IT specialties (such as telecommunications and application programming) must be bridged.  Business managers must become knowledgeable concerning the security risks associated with their access needs, their applications, and the technical infrastructures supporting these applications.  Similarly, technologists must be sensitive to the security implications (including associated risks) of their coding practices, patching methodologies, network architecture designs, and other decisions.  The needs of all parties concerned (business areas, IT, and InfoSec) are best met when they collaborate, not when they function in isolated “silos” of self-interest.  Embedding information security professionals within business areas, IT units, or both, can help ensure that genuine collaboration actually occurs.  It seems that this trend is unlikely to reverse.

But perhaps we should return briefly to that somewhat nasty term, “self-interest.”  My 55-year-old friend is certainly not pleased that the decision to “embed” InfoSec throughout the organization has resulted in the elimination of his job.  Yet, when Information Security has ceased to be a centralized administrative entity, is there really a continued need for the ISO, CSO, or CISO?  At least one organization has determined that the response is “No.”  Maybe others will in the future (and possibly already have) make a similar determination.  Such a development may not betoken good things for the long-term career paths of information security professionals.

However, the dispersion of information security responsibilities across the organization chart has yet another potentially dangerous result: the loss of adequate governance.

According to ISACA’s Information Security Governance:  Guidance for Boards of Directors and Executive Management, 2nd Edition [5], information security governance “consists of the leadership, organizational structures and processes that safeguard information.  Critical to the success of these structures and processes is effective communication amongst all parties on constructive relationships; a common language and shared commitment to addressing the issues.”  Governance, therefore, is the administrative and managerial “glue” that permits the establishment and implementation of a comprehensive, cohesive, and consistent information security program.

Unfortunately, the well-intentioned notion of dispersing information security functions throughout the organization, thus permitting an alignment of business, security, and technical objectives, does not necessarily facilitate the establishment of an effective governance structure.  And professional organizations and governmental oversight agencies offer little assistance.

Information Security governance from the perspective of professional organizations and governmental agencies

The Information Systems Security Association [6] (ISSA) is perhaps the major international organization devoted to the concerns of InfoSec professionals.  A visit to their website will reveal numerous valuable resources, all free, including webcasts, white papers, and publications.  However, virtually all these materials are concerned with discussion of technical matters; nothing is (as yet) available to assist with issues involving information security governance or management.

To its credit, ISACA’s Governance Institute has recognized that InfoSec governance is a problematic issue and has published a booklet (available via free pdf download) intended for “Boards of Directors and Executive Management.”  (See above for link.)  However, the majority of ISACA’s publications, and its excellent CobiT assessment methodology, focus primarily upon the issue of Information Technology governance, rather than the narrower topic of governance for information security.

The “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” [7] published in the Federal Register in 2001 to assist financial institutions to comply with the privacy safeguarding provisions of Gramm-Leach-Bliley, contains a passage relevant to the matter of InfoSec governance:

The Agencies invited comment on whether the Guidelines should require that the board designate a Corporate Information Security Officer or other responsible individual who would have the authority, subject to the board’s approval, to develop and administer the Institution’s information security program.  The Agencies received a number of comments suggesting that the Agencies should not require the creation of a new position for this purpose.  Some financial institutions also stated that hiring one or more additional staff for this purpose would impose a significant burden.  The Agencies believe that a financial institution will not need to create a new position with a specific title for this purpose, as long as the institution has adequate staff in light of the risks to its customer information.  Regardless of whether new staff are added, the lines of authority and responsibility for development, implementation, and administration of a financial institution’s information security program need to be well defined and clearly articulated.

Following this passage, which narrowly defines the issue of information security governance in terms of accountability, the Agencies note that prior regulations (e.g., 12 CFR 21.2 [8]) already require financial institutions to appoint a security officer.  However, perusal of these regulations reveals that the required “security officer” is concerned primarily with physical security, such as protecting banks from robberies and burglaries; information security is not mentioned.

The Federal Financial Institutions Examination Council (FFIEC) Information Security booklet [9] does not ignore the issue of InfoSec governance.  Indeed, the booklet states that “Senior management should designate one or more individuals as information security officers.  Security officers should be responsible and accountable for administration of the security program.  At a minimum, they should directly manage the risk assessment process, development of policies, standards, and procedures, testing and security reporting processes…. the information security officers should report directly to the board or to senior management.”  Once again, as with the “Interagency Guidelines,” the FFIEC injunctions seem focused upon providing a management structure that ensures chain-of-command reporting and accountability; they do not constitute a governance framework that necessarily promotes a comprehensive and consistent information security program.

Who’s in charge here?

Professional information security organizations and governmental oversight agencies provide only a minimal degree of assistance concerning the formulation and implementation of an InfoSec governance structure.  Certain themes emerge from review of this material:

But, in view of the tendency in many organizations to disperse information security throughout business units and IT areas, the question yet remains:  “Who’s in charge here?”  What organizational structures will contribute to the formulation of a comprehensive, cohesive security program?

In its conclusion to Information Security Governance, ISACA offers a compelling case for the importance of InfoSec governance as a critical concern:

The traditional focus on technical solutions must give way to the understanding that security is fundamentally a management problem to be addressed at the highest levels.  As organizational assets continue to become more intangible, the requirements of due care in the protection of information assets will require greater attention and resources.  Additionally, effective information security governance is becoming a necessity to adequately address the numerous legal and regulatory/statutory requirements.

It seems that, at a minimum, professional organizations and governmental oversight agencies could take certain actions that will foster the development of “effective information security governance”:

Although professional organizations and oversight agencies can stimulate concern for the establishment of improved governance structures, practicing information security specialists can also increase their awareness of the significance of governance.  This is especially true when InfoSec functions are increasingly dispersed throughout an organization and the managerial “glue” necessary for a security program is running thin, or even disappearing.

It is perhaps easier, and possibly more interesting, for us to discuss the security vulnerabilities associated with Wireless Zero, or appropriate encryption methodologies for email transmissions.  But this “traditional focus on technical solutions” in information security will not answer the question of whether our solutions are actually contributing to an organization-wide security program.  Indeed, the real focus must be on whether we actually have an organization-wide security program at all.