Data Security Responsibility Should Not Be ‘Pushed Down’

Securing information assets is a continuous process, with new threats and user demands emerging every day, which requires changes to control frameworks.  But the dynamic nature of security and the increasing need to allow information to “travel” are not good reasons for security managers to push data protection responsibilities to business managers.

I decided to put pen to paper when I read a recent CSO Online article by Andrew Jaquith.  Jaquith starts off the piece by attempting to make the case that things are getting too complicated for CISOs; they need to offload some of the work of protecting information.

Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.

Source:  Data Security: Whose Job Is It Really?, Andrew Jaquith, CSO Online, 30 March 2009

As I read through this, I remembered the days when I tended to get confused about the right things to do.  That was before I decided to take a different approach.  Instead of reacting to vendor assertions and emerging threats, I developed a strategy to build a controls framework which encompasses all types of threats in general, with flexibility to address individual issues as they arise.  This is supported by a threat/controls matrix which allows my team to view-at-a-glance gaps in our defenses.  If a vendor calls with their newest product or an exploit is announced, we use the matrix and an accompanying exploit assessment process to determine if we are already protected.  We quickly determine whether we care about new solutions, exploits, or vulnerabilities without eating up a lot of resources.

Using tools to assess risk to information assets is an information security manager’s responsibility.  Further, implementing a comprehensive defense framework should not be the responsibility of business managers, even if they are the assigned data owners.  Business users have a different focus when they come to work in the morning, like generating revenue and keeping the customers happy.  The following is my view of the relationships between information protection stakeholders, an interpretation which resonates somewhat with points made in Jaquith’s article:

1. All data should be assigned a data owner.  This person, responsible for determining what is and is not acceptable use of specific sensitive information, should be a business manager.  In some cases, he or she may dictate specific levels of controls for various data classifications.  He or she might even play the primary role in selecting the right security management solution.  However, the security manager should provide oversight during implementation and day-to-day operation, ensuring policy and regulatory compliance. 
2. IS personnel should be caretakers, data owners should manage risk.  Data owners are responsible for determining whether business risk is too high based on existing threats, vulnerabilities, and asset value.  They are presented with estimated risk levels by security personnel familiar with the existing controls framework and trained to assess emerging threats and exploits.  If risk mitigation is required, business managers should work with security managers to identify new controls or adjustments to existing controls.
3. Management should inform users of what is or is not acceptable behavior and help them be successful.  It isn’t enough to write policy.  Policy content must be delivered to users in the form of training and awareness programs.  Further, business and IS managers should both ensure business processes don’t make it difficult or impossible for employees to maintain policy compliance.

This approach provides a good balance between making business managers responsible while allowing the security manager to insert sanity whenever necessary.  It creates healthy tension between attempts to reach operational objectives and those to maintain tight control of information, ideally resulting in negotiated middle-ground solutions.

A final point Jaquith makes in his article, and one with which I whole-heartedly disagree, deals with security managers giving up attempts at centralized control of sensitive business data.  He writes,

Succeeding at data security requires CISOs to abandon plans to control data access in a centralized manner. Devolution of data security responsibilities to business units is the key.

All data may not be centralized, but managing how data are protected on mobile devices or traveling across foreign networks should be.  For example, protecting laptops and thumb drives via encryption is considered an important control for an enterprise.  The best way to ensure all devices comply is via a centralized management portal.  In many cases, the portal is part of a suite of products used to manage mobile devices, detect anomalous movement of sensitive information, and update anti-malware software.  I certainly don’t want business managers managing these functions, although they absolutely have a say in how they are configured.

Overall, I have two issues with pushing security responsibility down to distributed business managers.  First, business manager priorities differ from those of security personnel.  It requires the close cooperation of both, and oversight by security, to ensure continued protection of information assets. 

Second, allowing business managers to decide how to protect data within their areas of responsibility may result in lack of centralized oversight and the presence of multiple control frameworks which may or may not work well together. 

I agree that information is increasingly distributed, but this means we need to adjust our controls rather than throw up our hands and pass responsibility off to our business peers.