Security standards — friend or foe?

Information security standards are a must-have in any modern ICT environment. They help to convey the security expectations of the organisation to employees, but when applied without pragmatism, or in a draconian way, they can lead to poor business outcomes.

In a typical organisation, information security workers will tend (due to the nature of their role) to treat security standards with supreme importance. They will see it as their duty to uphold and enforce those standards. It’s also common for information security professionals to be evaluated based on their success in ensuring standards compliance.

Such a focus on standards often leads to conflicts between security and other staff. Architects designing security solutions often need to balance unrealistic time frames with adherence to standards. Project managers can begin to view security as a foe, an impediment to getting the job done, because speedy delivery of outcomes is often at odds with the rigid application of security standards.

Without consideration of security standards’ contribution to reducing risk, the slavish adherence to security standards ‘because they are there’ simply complicates a situation. It’s a recipe for conflict.

While ICT workers go to war over standards, other business units become increasingly frustrated. Security professionals get painted as uncooperative, and architects are seen as unconcerned if they side with the business unit or unresponsive if they side with security staff. Poor business outcomes are the net result, and the image of the whole ICT function is a casualty. A subsequent audit usually confirms poor compliance anyhow.

Amongst the chaos, there is often another hidden problem. The information security standards implemented were not “fit for purpose or fit for use”. In many cases security professionals blindly follow the path of the known—implementing standards that have worked in other environments, or that consultants have recommended.

Following this approach, organisations fail to interpret any meaning from the standards, overlooking the value and potential impact they can have within an organisation. The same standards enforced in one organisation may be complete overkill in another organisation. So how can we ensure that information security standards are used in a pragmatic and productive way?

In our experience, the concept of a risk-based enterprise helps. When an organisation-wide enterprise risk framework exists, it is best to create an information security governance framework as a feeder to the enterprise risk framework. If not, a standalone governance body with senior executive endorsement can work equally well.

The concept of a risk-based enterprise gives “power” to security standards by providing enforcement endorsed by executives and understood by the business. It helps avoid conflict situations and is a mandate for architects to design within the boundaries of the standards, helping them be productive. It also enables information security professionals at lower levels of the organisation to articulate and escalate non-compliance situations to senior staff.

To ensure security standards are useful, the following five considerations are key:

  1. Establish an Information Security Management Framework (ISMF) that is supported by security standards and policies, endorsed by the management team and owned by an executive, usually the CIO, CISO or CRO.
  2. Establish an information security governance body to which risks can be escalated, assessed and accepted.
  3. Ensure that the members of the governance body are suitably senior to enable acceptance of risk and that the governance body is chaired by the executive responsible for information security risk.
  4. Ensure a robust, enterprise-wide communication process is in place to capture and communicate key decisions, ensuring that all decisions and risks are accepted by all parties, and that the risk remediation process is also clear.
  5. Finally, consider risk-assessing the individual statements within the security standard(s) to decide which are of the highest importance and relevance, ensuring that the focus of all compliance efforts is on these identified statements. Foster and support an environment of risk-based information security decisions.

To put it all simply: rigid and onerous security standards are a friend to no one, nor are standards implemented in the absence of an endorsed ISMF. Lastly, if information security standards do not have the support of the executive, they are simply a recipe for organisational conflict.

About CSO Opinion writer Lucas Williamson: Lucas Williamson is an experienced ICT Architect and executive advisor, most recently holding Chief Architect positions in large organisations. He has experience in running architecture and security teams, and expertise in formulation and execution of security programs and large ICT transformation programs. He holds industry certifications in security, architecture, and service management disciplines.

About CSO Opinion writer Puneet Kukreja: Puneet Kukreja is the Managing Director of Affirm Risk Pty Ltd, a boutique information security and risk advisory firm. He has demonstrated experience in successfully delivering enterprise security programs and establishing integrated security delivery functions within complex multi-vendor and multi-stakeholder environments. He is an experienced information security and systems auditor with in-depth controls advisory experience. He holds the following certifications: CRISC, CISM, MSP, CEA, ITIL ICT (M), MCSE (Security), CCNA, CCSP, Security+.
