This is the first post in a series designed to help information security professionals build an InfoSec program from scratch, or to help people find ways to improve their existing programs. Information security management is a daunting task, and understanding and successfully implementing all of the components that need to be in place will take considerable resources, both in time and financing.
We are starting this series at the highest level: upper management. In order to have an effective information security program you need to have the support of the highest levels of the organization, as they are the ultimate decision-makers. Without the support of the C-suite, information security program managers will likely be fighting an uphill battle for the staff, hardware, software, and time required to have a successful program.
There are two common pain points that will need to be anticipated:
- InfoSec does not generate profit. For other departments, such as sales, marketing, or even the non-security components of IT, it is fairly easy to demonstrate how their contributions add to the business’ bottom line. Even in not-for-profit organizations, these other areas are seen as critical for operations. Information security, on the other hand, is primarily a defensive measure. Best case scenario for a successful program is that nothing bad happens to the organization, which may lead management to wonder why they’re spending so much money on a problem that may not exist.
- Change can be intimidating. You may be asking them to sign off on things that make their jobs harder: strict password security, admin rights restrictions, multi-factor authentication, and the like may complicate the way they are used to conducting business. However, these can be short-term pain points, as in the long-term deployment of more sophisticated technologies such as single-sign-on (SSO) and automatic configuration and monitoring can considerably improve the efficiency of the organization as a whole.
It is your job as an information security professional to understand the nature of these concerns and complaints, and be able to illustrate exactly why information security is now an essential part of any business consideration.
Information security is a benefit
One of your key requirements as information security management is to articulate and sell the benefit of InfoSec to senior leadership. At its core, information security is all about identifying risks and managing those risks in order to enable a business or other organization to achieve its mission, to protect its users/clients/partners’ data, and to minimize the impact of threats. If you’re able to effectively communicate that idea and demonstrate its value you are likely to get the support you need. For example:
- Confidentiality – In today’s business climate, confidentiality is of the utmost importance to both consumers as well as business partners. History has proven that serious damage to an organization’s reputation, business relationships, and products can result from a data breach. With news of a breach of another organization seemingly every other day, it probably won’t be difficult to get management to agree that your organization should not be one of them.
- Data integrity – If one of the key sources of value to your organization is the data you hold, what would happen to your business if the data was corrupted or modified without authorization? Malicious attackers could seek to ruin you by destroying what makes you valuable. Insiders could unintentionally (or intentionally) delete critical data stores and leave you dead in the water. Having solid data security controls protects you against these risks.
- Availability – Data that cannot be accessed is functionally identical to data that you do not have. One of the most common attacks today is the crypto-ransomware attack. Cryptolocker (and variants) infects your systems and data stores and encrypts all of your systems’ hard drives with uncrackable encryption and then ransoms you for the key to unlock them. If you don’t have solid backups that are kept separate from the rest of your systems, you could find yourself resorting to pen and paper. Similarly, if any public-facing systems are not continuously available, your organization’s finances or reputation could be materially impacted.
Information security is intended to further the organization’s core mission, not run counter to it. In order to be successful as an InfoSec manager, you need to have executive leadership that understands and accepts the importance of information security, otherwise you will find yourself facing dead ends and brick walls whenever you try to get anything done. If management doesn’t understand the need, they will resist change, and they will question your recommendations every step of the way. All parts of the organization need to play a part in the information security program, and that participation starts at the top.
Lead, follow, or get out of the way
In any organization some stakeholders are bound to push back on information security program initiatives for one reason or another. They might say implementing a control is too expensive. They might say it is too cumbersome and will lead to inefficiency. These protestations have merit in some respects, and are issues that you’ll need to work around in order to get anything real accomplished. Learn to anticipate the pushback that you will get and to circumvent it by building safeguards against potential issues. For example, if you are embarking on an initiative to strengthen authentication to critical applications delivered through a web browser, investigate single-sign-on (SSO) technology and multi factor authentication tied to SMS or corporate issued mobile devices, keyfobs, smart cards, YubiKeys, and other well-known technologies.
What if I can’t get management’s support for my InfoSec program?
Management support is key to obtaining the resources, people, and tools needed to implement an effective information security program. If you find that you’re running into a brick wall, you should ask yourself if you’re really in the right place. Do you want to spend your entire career fighting for basic common sense information security controls and policies, making little progress, taking two steps forward and one step backward the entire way? The information security industry is dramatically understaffed right now, and if you’re not in an organization that supports you, consider looking elsewhere. Sometimes it’s your only choice.
- InfoSec from Scratch, Part Two: Get with the Program (Structure) - August 2, 2016
- InfoSec from Scratch, Part One: Manage Your Management - June 14, 2016