Management's role in Security
Insecurity is not a technical failing
Today's managers, CIOs and senior executives readily accept that
"security" is an important consideration for their business,
underpinning all responsibilities and impacting on all spheres of
operation. So given this widespread appreciation, why do security
breaches and hacker attacks remain so prevalent? Is security being
paid only lip service, or are the controls being implemented simply
ineffective? The root cause is not a technological failing. It is
not due to weak cryptography or intrusion detection systems that
cannot detect ongoing attacks; the real issue lies in the
divide between security personnel and management.
With increasing levels of regulation creeping into industry, most
notably the Basel II accord (framework of capital adequacy
regulations, underpinned with the requirements for due diligence and
risk assessment) and CAD3 (the transposition of the Basel Accord
into EU legislation), organisations are becoming legally obliged to
demonstrate a level of capability and consistency in measuring and
managing elements of risk throughout their business. The main
difficulty is that management struggle to translate the concepts of
security and risk into business terms. Conventionally, business
practices are governed by Return on Investment (ROI), Total Cost of
Ownership (TCO), and the all-important bottom line. Risk management
strategies, on the other hand, are complex, and it is often very
difficult to attach a monetary value to all but the most tangible
elements. Whilst a number of proposed formulae are available for
calculating Annual Loss Expectancy (ALE) values and Return on
Security Investment (ROSI), there remains widespread disagreement on
how to effectively measure the full value that a security programme
brings to an environment. Furthermore, risk management practices can
be very time consuming, forcing organisations to seek quick wins by
focusing on risks that would potentially impact on daily operations,
rather than addressing larger and potentially more destructive
concerns. This 'Kaizen' styled approach to security, making small
incremental steps to benefit the whole, would appear reasonable
enough, but it is only truly effective in environments where risk has
already been assessed and controls implemented to provide an
acceptable level of integrity and continuity.
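To make the ALE and ROSI figures mentioned above concrete, the following is an added worked example (not from the original article) using the commonly cited formulae ALE = SLE x ARO, where SLE (single loss expectancy) is asset value multiplied by an exposure factor, and ROSI = (ALE before control - ALE after control - annual control cost) / annual control cost. All asset values, exposure factors and rates below are constructed illustrative inputs, not figures from any real assessment; the function and parameter names are this example's own.

```python
"""Worked ALE / ROSI calculation (added example; constructed figures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario expressed in the quantitative terms management use."""
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualised rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def rosi(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Return on Security Investment as a ratio of the control's annual cost.

    Positive means the control saves more in expected loss than it costs;
    negative means the control costs more than the loss it avoids.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided_loss = before.ale() - after.ale()
    return (avoided_loss - annual_control_cost) / annual_control_cost


def example_assessment() -> dict:
    """Constructed scenario: a control that cuts incident frequency from
    one every two years to one every ten years, at 20 000 per year."""
    before = RiskScenario(asset_value=500_000, exposure_factor=0.2, aro=0.5)
    after = RiskScenario(asset_value=500_000, exposure_factor=0.2, aro=0.1)
    cost = 20_000
    return {
        "sle": before.sle(),
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "rosi": rosi(before, after, cost),
    }


if __name__ == "__main__":
    for name, value in example_assessment().items():
        print(f"{name:>10}: {value:,.2f}")
```

The model only prices what can be quantified, which is exactly the article's point: exposure factor and ARO are estimates, and an intangible such as reputational damage has to be folded into the asset value by judgement. Two assessors with different estimates will produce different ROSI figures from the same control, so the inputs should be recorded alongside the result when the figure is presented to the board.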
One thing is clear: despite marketing hype and vendors that might
argue otherwise, information security is not about tools and
technologies. Information security is about people, policy and
process. Looking at each one in turn, notice that 'people' is the
element listed first. The human component of risk management is
fundamentally important and yet often the most overlooked aspect of
any risk management strategy. Two decades ago Gerald Weinberg wrote
in his book The Secrets of Consulting about the generic laws of
consultancy and management. The second law was that "no matter how
it looks at first, it is always a people problem". This may be a
very broad and blunt statement, but it holds very true when applied
to information security. Research powerhouse Gartner has suggested
that "upwards of 80 percent of network attacks are facilitated by
employees opening attachments of unknown origin or even providing
their username and password to someone else". The attacks and their
effects can vary, but the cause in each instance may be traced
back to the actions or omissions of individual employees.
Insecurity breeds through ignorance, uncertainty and doubt.
Management must therefore take heed of the advice from risk managers
and foster a culture of pervasive security across the firm, driven
from the boardroom down to the shop floor. People are valuable
assets; in a security context they are often your first and final
line of defence.