Evolution of Information Security 25
importance of information security. At this stage of the evolution of information
security, one of the CSO’s main tasks is to educate employees and instill a culture
where information security is integrated into business processes. The key messages
that CSOs should focus on today include:
“Evangelize” the importance of information security — The CSO must
educate people about what information security is, where it fits into the
business, and why it is important. CSOs also must educate company
executives about the impact of security risks in terms of dollars, damage
to reputation, and other relevant impacts. The CSO must “evangelize” to
the right people and build a culture where information security is viewed
as being important. Information security should be integrated into business
processes, and employees should understand their responsibility as it
relates to information security. It must be stressed that information security
is something for which all personnel have responsibility. This culture
change is very important for CSOs as they try to succeed in their mission
to secure the assets and information of a company.
Align security measures with business risks — It must be understood that
security measures help manage risk and are a business issue — not a
technical issue. Best-of-breed technology and complicated business processes to ensure that internal controls are built in are not always the
answer. The financial and resource commitment required for information
security measures can be significant and must be considered. The ROI
(Return on Investment) for security must be demonstrated, which can be
difficult because a cost-benefit and ROI analysis for security is not always
possible due to the unknowns and intangible aspects of security. However,
showing ROI is absolutely critical for information security to go to the
next level and be viewed more strategically in an organization. As information security professionals, we need to think like other parts of a
business and think in terms of ROI and cost-benefit when it comes to
security spending. Security expenditures face the same level of scrutiny
as other expenses when it comes time to budget. In one way, security
expenditures might face even more scrutiny because it is sometimes difficult to quantify the benefit. By its nature, security is preventive, like an
insurance policy. For some security measures, people do not see the value
until something happens — e.g., the value of intrusion detection is not
seen until there is an intrusion. It is important, particularly with financial
decision makers in an organization, to show how security measures help
manage risk, how they are aligned with key business processes, and how
they make sense from a cost perspective.
View security as a revenue enabler — As stated earlier, security is like an
insurance policy. No one really likes the idea of spending lots of money
on something that “might” be useful. For many companies, spending on
security is viewed as a “necessary evil” at best, or it is done because there
is some other compelling reason to spend on information security such
AU1706_book.fm Page 25 Tuesday, August 17, 2004 11:02 AM
26 A Practical Guide to Security Assessments
as legislation (e.g., HIPAA or GLBA) or a requirement from a business
partner. Although these are good reasons for having information security
in place, a better way to view security is that of a “business enabler.” An
example is the business-to-consumer space, where security is very impor-
tant. Numerous surveys cite security and privacy of personal information
as one of the primary concerns that consumers have when shopping online.
In the case of business-to-consumer, information security measures and
some type of security certification might provide consumers with the
assurance they need before they shop online and thereby enable revenue.
In any business, it is a much more powerful argument if you can show
that information security is not so much a cost as something that will help
a company enhance revenues and reach financial goals.
Some other key findings from the survey of approximately 1,000 security professionals (referenced above):
60 percent had a CSO or someone dedicated to IT security.
45 percent report to either the chief information officer (CIO) or the
Information Systems (IS) director.
80 percent reported that the security budget was part of the overall IT
budget.
What do these statistics mean? First, security is still considered an IT issue because
of where the position sits in the organization. Because the security budget is part of
the overall IT budget, it competes with other IT initiatives in terms of priority. As
a result, security is still not being viewed as something that is different from IT in
many companies.
Ideally, the CSO should not report to IT, as the goals of a security organization
can conflict with those of an IT organization. In fact, having information security
not reporting through IT creates a mechanism for helping to ensure that security
issues surface and are addressed.
When conducting a security assessment and reviewing the organization and roles
and responsibilities, the existence of a CSO is significant because it shows some
level of commitment to information security. Ownership, accountability, and having
dedicated resources for security immediately diminish some of the security risk
related to the lack of ownership of security. Although the CSO will not perform
every security task, this individual does have the ability to instill a culture where
information security becomes pervasive and to establish an information security
program complete with policies and procedures, security technology, and a mecha-
nism for monitoring and compliance. The CSO also has the opportunity to be a part
of the executive team and make security a consideration as new business initiatives
are developed. During a security assessment, it is important to understand what
authority the CSO has — budgetary authority, dedicated staff reporting to this
individual, etc.
AUTONOMOUS DEPARTMENTS DEVOTED TO INFORMATION SECURITY
Separate autonomous departments devoted to information security are a strong
indication that security is taken seriously at a company. Typically, information
security responsibilities from a technical perspective fall into the IT department and
other security-related responsibilities are dispersed among various departments. For
example, system administrators might have information security as part of their jobs,
where they are responsible for log review and ensuring that certain security-related
configuration settings are in place. With the recent reductions seen in IT, system
administrators are especially stretched thin, and because their security-related responsibilities might not be seen as critical or as a key priority, it is sometimes questionable whether they are able to devote the proper time to this function.
It is not black and white as to where information security responsibilities should
fall. Some information security responsibilities fall on end users and different depart-
ments, such as human resources (for personnel-related security issues), IT, and
management. However, a separate department dedicated to information security
shows a real focus in this area. For some companies, a dedicated group makes sense
in the short term, because the group can build an information security program and
try to ingrain it into the culture of the company. An ideal scenario is one where security is a separate department outside of IT with the authority to enforce good security practices and make decisions as they relate to information security.
What does having a separate group devoted to information security tell you
about a company when conducting a security assessment? Two key aspects are worth
noting.
Independence and the Ability to Escalate
A separate department devoted to security, depending on how it sits organizationally
(i.e., is it separate from IT?), allows the information security function to be independent. Similar to an internal audit–type function, a separate department will not
have any conflicts in implementing security measures or escalating security-related
issues to management when necessary. The ability to do this is very important from
an enforcement perspective. Without enforcement, it can be very difficult to ensure
that security policies and procedures are followed in a company where security has
been lax.
When conducting a security assessment, give enforcement of security policies
and the ability to escalate significant consideration. If information security policies are
being enforced and there is a track record of management requiring employees to
address information security issues, the overall security posture of a company is
significantly enhanced. From a security assessment perspective, this attitude from
management would indicate that security is not an afterthought. In these organizations, information security personnel are probably abreast of changes in the organization and have the opportunity to raise security concerns before those changes are
implemented.
Expertise
A separate group devoted to information security probably implies specific expertise
in the area of information security. With the advances that have been made in
technology and in how business is conducted, it is becoming more difficult to rely
on people being “jacks of all trades.” In the past, security was viewed as a technology
issue, and IT departments would deal with security issues. Technology, related
business processes, and functionality relative to business requirements are complicated enough without thinking of all the related security considerations. Attacks are
being developed all the time using vulnerabilities existing in all parts of the IT
environment including the network, operating systems, databases, and applications.
Those who subscribe to alert services or newsletters where vulnerabilities and attacks
are published know the sheer number of vulnerabilities and attacks out there. In fact,
one of the significant areas of the information security industry is that of providing
security intelligence services to help companies take the necessary measures to
protect themselves from these attacks. The bottom line is that security is very
significant, and someone or some group should own the responsibility if possible.
It can cost a company dearly if the company does not have the security expertise to
react to security incidents and security risks facing it. Besides these incidents,
companies face many security issues related to their internal staff, such as segregation
of duty issues and users with inappropriate system access. Although a separate
security function may not be appropriate for some small companies, the value can
be seen in mid-size and large companies.
From a security assessment perspective, dedicated security staff means that specific security tasks, such as reviewing logs, applying security patches on a regular basis, keeping up with the latest vulnerabilities, and applying mitigation strategies, are more likely to be performed. It is also more likely that the company is taking a proactive approach to security as opposed to a reactive one. Some examples include:
Security patches are applied before the related security vulnerability is
exploited.
Potential intrusions are detected and appropriate adjustments are made to
perimeter security measures as needed before an intrusion actually takes
place.
Security-related logs are reviewed on a regular basis.
These are only a few examples of where security procedures are performed proac-
tively instead of reactively.
Companies that do not have dedicated security staff do not necessarily see the
value if they have never suffered a security incident. The argument can be made that
a dedicated staff cannot prevent security incidents, and that is true. Dedicated staff
can, however, minimize the risk of security incidents taking place. At the end of the
day, information security is about managing risk in a cost-effective manner. Companies need to go through the exercise to determine whether the cost of having dedicated staff is worth it based on what is being protected. It is also worth noting
that other options exist, such as outsourcing the security function. Some companies
have recognized the importance of security and decided that they do not have the
staff to do it, so they outsource some portion of the security responsibilities to experts
in the area for a reasonable price.
SECURITY CERTIFICATIONS
One of the major forces in the evolution of information security is that a “body of
knowledge” is slowly being carved out. This is being driven by a number of factors
including industry certifications such as the CISSP (Certified Information Systems
Security Professional) and CISA (Certified Information Systems Auditor), which
have defined a body of knowledge that someone needs proficiency in to become
certified, and employers who are trying to fill security-related positions and advertising for these skill sets. The information security profession itself has, to some
extent, led the way in defining what information security is. International organizations have played a role. For example, the Information Systems Security Certification Consortium, Inc. (ISC)², the body that administers the CISSP certification, has defined a common body of knowledge that security personnel are tested on before they can receive the CISSP certification. This body of knowledge includes operational, management, and technical concepts related to information security.
As the body of knowledge has become more defined, there has been a proliferation of certifications in the information security profession. The certifications have,
to some extent, established standards of knowledge for the profession similar to
those of other professions such as accounting and IT. As some of the certifications
have gained in popularity, the demand for them has also risen. Some employers now
either require a certification or a commitment to obtain a certification within a
specified period of time as a condition of employment. Employers are having their
own employees with security responsibility obtain relevant security certifications to
help them in their jobs. These certifications are establishing minimum standards of
knowledge for information security professionals. Although certifications today are
differentiators or “nice to haves” for security professionals, they will become requirements in the future.
As more security professionals become certified, certification should be kept in
perspective. For the information security profession, security certifications establish
minimum standards of knowledge that security professionals should have. Like other
certifications, security certifications are mostly based on examinations. Candidates
must be able to take a test reasonably well. A certification does not necessarily mean
that a person has mastered the subject material. Conversely, someone without a
certification can be an expert.
From a security assessment perspective, certifications show a certain level of
competence in information security or a specialty area of security, depending on the
certification. In addition, some of the certifications have minimum experience
requirements, which can give an indication of the level and type of expertise a
security professional has. It must be stressed, however, that a certification does not
take the place of real world experience, as is true in other professions.