Information Security Standards are a must-have in any modern ICT environment. They help to convey the security expectations of the organisation to employees, but when applied without pragmatism or in a draconian way, they can lead to poor business outcomes.
In a typical organisation, information security workers will tend (due to the nature of their role) to treat security standards with supreme importance. They will see it as their duty to uphold and enforce those standards. It’s also common for information security professionals to be evaluated based on their success in ensuring standards compliance.
Such a focus on standards often leads to conflicts between security and other staff. Architects designing security solutions often need to balance unrealistic time frames with adherence to standards. Project managers can begin to view security as a foe, an impediment to getting the job done, because speedy delivery of outcomes is often at odds with the rigid application of security standards.
Without consideration of security standards’ contribution to reducing risk, the slavish adherence to security standards ‘because they are there’ simply complicates a situation. It’s a recipe for conflict.
While ICT workers go to war over standards, other business units become increasingly frustrated. Security professionals get painted as uncooperative, and architects are seen as unconcerned if they side with the business unit or unresponsive if they side with security staff. Poor business outcomes are the net result, and the image of the whole ICT function is a casualty. A subsequent audit usually confirms poor compliance anyhow.
Amongst the chaos, there is often another hidden problem. The information security standards implemented were not “fit for purpose or fit for use”. In many cases security professionals blindly follow the path of the known—implementing standards that have worked in other environments, or that consultants have recommended.
Following this approach, organisations never work out what the standards mean for them, overlooking the value and potential impact each standard could have in their own context. The same standards enforced in one organisation may be complete overkill in another. So how can we ensure that information security standards are used in a pragmatic and productive way?
In our experience, the concept of a risk-based enterprise helps. When an organisation-wide enterprise risk framework exists, it is best to create an information security governance framework as a feeder to the enterprise risk framework. If not, a standalone governance body with senior executive endorsement can work equally well.
The concept of a risk-based enterprise gives “power” to security standards by providing enforcement endorsed by executives and understood by the business. It helps avoid conflict situations and is a mandate for architects to design within the boundaries of the standards, helping them be productive. It also enables information security professionals at lower levels of the organisation to articulate and escalate non-compliance situations to senior staff.
To ensure security standards are useful, the following five considerations are key:
- Establish an Information Security Management Framework (ISMF) that is supported by security standards and policies, endorsed by the management team and owned by an executive, usually the CIO, CISO or CRO.
- Establish an information security governance body to which risks can be escalated, assessed and accepted.
- Ensure that the members of the governance body are suitably senior to enable acceptance of risk and that the governance body is chaired by the executive responsible for information security risk.
- Ensure a robust, enterprise-wide communication process is in place to capture and communicate key decisions, ensuring that all decisions and risks are accepted by all parties, and that the risk remediation process is also clear.
- Finally, consider risk assessing the individual statements within the security standard/s to decide which are of the highest importance and relevance, ensuring that the focus of all compliance efforts is on these identified statements. Foster and support an environment of risk-based information security decisions.
To put it all simply: rigid and onerous security standards are a friend to no one, nor are standards implemented in the absence of an endorsed ISMF. Lastly, if information security standards do not have the support of the executive, they are simply a recipe for organisational conflict.
About CSO Opinion writer Lucas Williamson: Lucas Williamson is an experienced ICT Architect and executive advisor, most recently holding Chief Architect positions in large organisations. He has experience in running architecture and security teams, and expertise in formulation and execution of security programs and large ICT transformation programs. He holds industry certifications in security, architecture, and service management disciplines.
About CSO Opinion writer Puneet Kukreja: Puneet Kukreja is the Managing Director of Affirm Risk Pty Ltd, a boutique information security and risk advisory firm. He has demonstrated experience in successfully delivering enterprise security programs and establishing integrated security delivery functions within complex multi-vendor and multi-stakeholder environments. He is an experienced information security and systems auditor with in-depth controls advisory experience. He holds the following certifications: CRISC, CISM, MSP, CEA, ITIL ICT (M), MCSE (Security), CCNA, CCSP, Security+.