INTRODUCTION

‘Once more unto the breach’ is a key phrase from the ‘Cry God for Harry, England and Saint George!’ speech of Shakespeare’s Henry V, Act III (c. 1599). The breach in question is the gap in the wall of the city of Harfleur, which the English army held under siege. Henry was encouraging his troops to attack the city again, even if they had to ‘close the wall with English dead’. We read these kinds of battle-cry stories now, in our enlightened and empowered times, and find it hard to countenance such unfailing support for heading into a perilous situation.

As an information security manager (ISM), you enter each day not knowing what it may bring, in spite, perhaps, of a well-formed plan or at least a ‘to do’ list. Each event or incident that you encounter is only a gnat’s whisker away from being a full-scale breach, depending upon your knowledge, skills or ability to cope under pressure. This book is centred in this space and is based on the clear appreciation that there is no such thing as 100% security and you can never be 100% risk free.

From an academic perspective, the author straddles a historical methodology – seeking to review the history of IA (information assurance) and why there is so little real agreement on its definition – and grounded theory, whereby through interactions and research the author creates a theory and then tests it over a period of time. The author’s contention is that it is as a result of a fundamental lack of knowledge that we now have difficulty (and confusion) in progressing to a mature IA profession. Health warning – I should say up front that this book won’t pull any punches.

In many media reviews of the year, 2011 was hailed as both the year of the hacker, in terms of the volume of media coverage and, therefore, widespread global awareness, and a year of significant data breaches and losses, again as a result of the numbers of individuals directly affected or impacted. In reality, the longer you work in the industry, the more you realise that each instance of a breach that is reported is only the tip of the iceberg. Beneath the facts of the story as reported, whatever the truth might be, there is usually a raft of information security-based failings that have been going on for quite some time. Why is this the case, given that there are likely to have been many valid audit reports containing reference to issues that needed to be addressed? Indeed, there is no doubt that had recommendations been adhered to, risk reduction would have occurred and the number of breaches would equally have been lessened. In more broad and fundamental worldwide citizen terms, it seems to me that 2011, in particular, was a year of seeking openness and transparency, in all walks of life, across all levels of leadership. I believe we should be doing the same in our own industry.

This book is an ‘inside-out’ view of the reality of how many actual breaches (seen more as incidents) are going on all the time, but do not get reported, either internally or externally. The educational point of the book is to reframe what we actually mean by being an ISM, as well as what we mean by an incident, how we respond to it and what the most appropriate reporting and reactions should be. We will do this through the old art of storytelling, in the hope that better informed and more aware ISMs will be able to provide much greater protection to their organisations and their information assets.

The book will be peppered with references to real issues, conflicts and conundrums that ISMs are constantly having to deal with and hopes to shed light on possible solutions and pragmatic ways forward. It should be usable as a learning device and reference guide.

The chapter structure is based on a 12-month chronology, running from August to July.

August – pulling a team together. As a project manager in information security, you get what you are given and you have to make the best of it, so you have to enthuse those around you as to what it is that they are seeking to do, and explain the change in behaviour expected and what the end game looks like.

September – street trash. This chapter centres on an event that brings home the reality of the news stories you read and never expect to happen to you. When you spot the blindingly obvious, always remember to take a photo so you have the evidence to ‘show and tell’, following the mantra ‘a picture speaks a thousand words’.

October – compliance is only skin deep. Once you’ve completed an audit, in whatever shape or form, following a ‘tick box’ exercise is no good if you can’t back it up with evidence. Now starts the hard work of living by your word.

November – how remote is remote? Identifying homeworkers and remote workers can be a tricky business, depending on your partners and your boundaries, the competing requirements of each, and conflicting legislative and standard requirements.

December – oh, for the sake of yet another proposal. A large project involves much more than just dealing with the actual security controls required to be implemented. Battling with politics and management can be hugely time-consuming and diverting.

January – a battle won. Whilst the project politics game can be won in the end and you’ve got your budget, you still need to manage it tightly and closely before everyone else wants to get their hands on it and get their pet projects resolved!

February – money doesn’t buy happiness: ’twas ever thus. Whilst the financial resources are available, it can be difficult to apportion them appropriately and spend them in time, particularly in the public sector. And if you don’t spend them, you run the risk of losing them, which is a shame when you have worked so hard to get them in the first place!

March – slipping through the net. When working in local government, you are only a small part of a much larger picture. The links with central government can be strong or weak, depending on your position. An impending election puts a significant, nationwide embargo on spend and project completion seems further and further away. And to top it all off, there is a malware outbreak. So what do you do when malware strikes? A Conficker infection runs the risk of doing some significant network damage and any publicity needs to be very carefully handled.

April – linking InfoSec with InfoGov. In order to arrange some level of succession management, it is important to arrange for the right players to work together to deliver a more holistic solution for the organisation. This has always been the case, but takes on a new meaning, given the changing political landscape.

May – politics and management. Situational awareness is an important element of your role and you need to be aware of the bigger picture in which you are operating, as an organisation, in order to maintain appropriate information security.

June – what the auditors shouldn’t know. Following a significant review of laptop usage across the organisation, it was found that the costs and likely level of breach to the organisation were huge, were one to be lost or stolen, given their current unencrypted status, but a senior management team thought it best to ‘bury the bad news’.

July – so near and yet so far. Following the election of the new government, and in line with many public sector cuts and project closures, the project management role was let go and it was time to walk away.

Throughout the book, there are breakout sections referencing events that have occurred or thoughts that have arisen as a result of things people have said that have provided inspiration to the author. There is also what will appear to be a great deal of repetition – but this is exactly the reality of the job of the ISM. Life in the trenches is one long exercise of doing the same things over and over again, but with nuances and learning as you get to know the organisation, its culture and what works. The tasks don’t stop – hence security is not a project!

The job of the ISM is to consider everything in terms of the potential risks to the organisation and to seek to implement appropriate preventative or deterrent controls in due course. The role is never-ending, as there are always new employees that need to be embraced into the culture of your organisation and who need to understand their responsibilities and the requirements placed upon them in terms of protection of information assets.

Being an ISM is about being both a counsellor for many and a change activist for your organisation. There is a level of inspiration required for you to do what needs to be done, given that the historical view of the role and its positioning has not necessarily been entirely positive. I hope that this book goes some way to changing this impression for the better.

Consumerisation will no doubt be featuring large for many organisations as part of ‘the three Cs’ of Cyber, Consumerisation and Cloud that dominated 2011. This is also referred to as ‘bring your own device’ and presents significant challenges to ICT departments in terms of estate management and the incorporation of different operating platforms alongside existing corporate systems. This book is not designed to address the issue, as there is a growing number of resources available to do so. Suffice to say, from an information security point of view, the task in hand remains that of protecting information assets, and this requires controls and safeguards, and consideration of all aspects of confidentiality, integrity and availability.
