Information Security Management: The Basics

Good information security management will successfully embed security program principles into the DNA of your organization

It's one thing to establish a security program that meets the needs of your organization. It's quite another to successfully embed the principles of that program into the very DNA of your organization.

However, it can be accomplished if you take a multi-faceted approach to information security management that incorporates organizational, managerial and operational aspects that are closely associated with the business.

This approach can be condensed into three major areas: assessment, implementation and monitor/measurement. Here is an exploration of these three areas:

1. Assessment The first step in information security management is to assess is the culture of your organization. Few things are more frustrating than trying to fit a square peg into a round hole. Thus, it's important to know where you stand, from an organizational perspective, before launching an initiative with as potentially high impact as a security program. After all, security is a change agent, and people by nature are not conducive to change. Making matters even more challenging, security professionals typically work in resource-constrained environments, in which they have little authority.

Corporate culture.

When you work within the confines of your organization's culture and align the security program with the cultural reality of your organization, you can gain a key leadership edge. It's essential for the security professional to adapt the look and feel of the local practice.

Business alignment. In order to provide value from a security perspective, it's essential to work very closely with the business, understand the business's needs and be able to fully articulate the business value of the security program. Indeed, business alignment is the only way to gain the cooperation and buy-in from your business constituents that's critical to the success of the security program. Unless you truly understand the business, you can't accurately and forcefully strategize, deploy and communicate the value of the security function.

Management commitment. Depending on the maturity of the information security program in your organization, your management effort may require anything from a few tweaks to a full implementation of substantial controls, implying significant budget considerations. Therefore, it's imperative to have executive management sponsorship and line management buy-in. Security professionals must make themselves visible and known to business management, especially business leaders who will be most involved with the program or feel the effects of it the most. It's a symbiotic relationship that pays off in the end.

In fact, collaborating with other functions within the organization is essential to the success not only of the security professional but also of the business. The most important business areas to align with include compliance, governance, business continuity, operational risk and audit. Information security is interdependent on all of these areas. One way to build functional commitment and collaboration is through security councils.

Risks. Information security governance is operational risk management. Indeed, implementing an information security governance program starts with enterprise management identifying the full scope and extent of the real risks that the enterprise is up against and creating processes for managing those risks.

It's important to understand that risk assessment is not an exact science; it simply makes it possible to decide which risks to mitigate, which to assign and which to accept.

We must keep in mind, though, that operational security risks are just some of the many issues on the CEO's mind, making it imperative to put security risk into the perspective of overall risk. In order to do this well, you need a methodology for assessing and prioritizing security risk. This methodology need not be complex or quantitative. It does, however, have to be consistent, repeatable and agreed upon by all players.

2. Implementation The best-qualified professional is one that can display a particular set of competencies and skills. Above all, effective security leadership requires leadership skills and business knowledge. In the end, security leaders are good business leaders.

Hire a qualified professional.

Hew to business drivers. It can't be said enough that business and security must be aligned and that successful security functions are driven by business requirements. Anyone who institutionalizes a security program that is focused on business drivers can rest assured that they've built their program on a strong foundation.

Develop and sell a strategy. One way to get people frustrated and impede security from gaining momentum is to launch a bunch of "one-off" security projects, without purpose or direction. Success comes from developing, implementing and selling a strategy for risk management using the results of a thorough risk assessment.

A concentrated focus on mitigating risks deemed as top priorities should be the center point of the strategy. Strategy development should encompass eight key steps: identifying and prioritizing threats; identifying weaknesses; tailoring the strategy to your company's risk profile; establishing ownership in the plan; implementing realistic timeframes; considering small, phased steps; reviewing the strategy against industry-accepted standards; and demonstrating and measuring progress.

If the business understands that security can help, the sell is not as difficult. Thankfully, businesses are becoming more aware of threats to sensitive corporate information, and they are engaging security officers in their quest to secure it.

Policy, standards and processes. These are the three tenets around which an effective security program is founded. It's incumbent on the organization to help personnel make the right decisions by providing formally documented guidelines and policies that are also clear and concise.

As important as policies are, however, they are only as good as their relevance to the management of operational risk. Strong security programs don't implement specific controls because it is policy; rather, they implement the control because it is the direction of the executive team. The policy serves as the method of communicating that message.

3. Monitor/measurement

Measure effectiveness. Security policies are not worth the paper they're written on unless they are enforced. Policy enforcement requires that everyone in the company knows the requirements and understands their role in complying with those requirements. In addition, compliance must be routinely monitored, and non-compliance must result in corrective action. Simply put, there's no reasonable assurance of the effectiveness of security and controls unless they are monitored and measured.

Establishing a security program that meets the needs of your organization is a daunting but doable task. By following a structured approach that involves assessment, implementation and monitoring - and builds on a foundation of business-oriented organizational, operational and managerial concerns - any enterprise will have the tools it needs to succeed.

##

Micki Krause is co-editor (with Harold Tipton) of the Information Security Management Handbook, Sixth Edition (Isc2 Press)

. This article draws from chapters contributed by Steve Skolochenko, Lynn McNulty, Dr. Don Saracco, Harry DeMaio, Joyce Brocaglia, Todd Fitzgerald, Rolf Moulton and Robert Coles, Bill Murray, James Christiansen, Michael Corby and Vaune Carr, Billi Lee, Peter Browne and Steve Katz, Randy Sanovic, Howard Schmidt, Rebecca Herold, and Mark Rasch.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.