One size doesn’t fit all: sustainable security isn’t just about following frameworks
24 March 2017
A casual look through many of the articles published on security improvement every week will leave you reeling under a weight of acronyms and abbreviations: the long list of available security frameworks, from NIST 800 to the Cyber Security Essentials. Using a recognised framework, whichever you prefer, is a great way to shape your security strategy. It provides a structure to think about the capabilities and controls your business needs, a wealth of different benchmarks, and assessment methodologies to help you demonstrate your progress. But is it the whole story? How helpful is your security framework in securing your business?
Organisations that use a recognised security framework to drive their programme will, with thought and reference back to their key risks, very likely end up with a more appropriate security capability landscape than ones that don’t. The flaw in this approach is that while the mainstream frameworks guide you in what controls and capabilities you need, they don’t tell you how to deliver them. They provide no guidance on how to organise your security function, or on how to interface it with your internal and external stakeholders: they can’t, because there are almost as many “right” options as there are organisations. One size does not fit all.
Defining an operating model for information security is one of the toughest pieces of advice we’re asked to give our clients. We use our Operating Model Framework (just in case you thought I was down on frameworks!), which requires a deep understanding of the organisation’s strategy, culture, politics, risks and regulatory regime. So what are the common factors that influence target operating model design?
- Mandate. The $64,000 question. What is Information Security’s (‘IS’) role in the business? What are its accountabilities, what is the business accountable for and how does IS enable different stakeholders to take on those accountabilities?
- Segregation of Duties. What are your obligations in the regulatory space and how is your organisation set up to deliver IT? What is IS’ role in operating controls and how separate must your span-of-control be between lines 1, 1½ and 2?
- Business structure. Is your organisation homogeneous, or are you made up of different business units with different objectives, risk appetites or regulatory regimes? Can a single first line serve these different ambitions? Is a single assurance model even possible?
- Maturity. Often an overlooked question. How mature are your IS, IT, change delivery and service capabilities? Can we build capability ‘x’, which we need, by leveraging maturity in capability ‘y’? And how mature are our business processes in security terms?
- Oh, did I mention ‘mandate’? If you don’t know who is delivering what, and who owns what, now’s a good time to think that through… Start with a simple RACI (Responsible, Accountable, Consulted and Informed) matrix.
Starting from these questions is often a good entry point to validating whether your operating model is fit for purpose and signposting you towards issues. What are the common ‘sticking points’ in cyber operating model design?
How do I set my IS team up to enable the business? My IS team is so reactive; how can I get in front of business requirements and start being strategic?
The role of the Chief Information Security Officer (CISO) is critical here. A successful CISO should spend most of his/her time facing outwards, helping to shape and influence key business decisions, not inwards, building security controls.
Larger organisations also often have a dedicated security consulting team, perhaps covering architecture, design and risk management advice. If your organisation can’t reach this kind of scale, consider formally aligning each of your senior security people with one or more business units; make them accountable for engaging with and understanding those units, and (importantly) give them space in their workload to build relationships and engage outside of formal projects. By the time a business idea becomes a project, it’s probably too late to really influence it!
We invest a fortune in security technology, but we don’t seem to be able to drive down the number of control-gap findings.
Have you looked at how your security operations team operates? In many organisations, security ops sit with or within IT ops, yet the measure of effectiveness of these two disciplines is very different. The latter is all about ‘availability-is-king’, ‘speed of response’ and ‘cost’: three things often running counter to effective security!
Do you apply the same service transition approach to your security technology as you do to customer-facing products? It’s common to see security technology implemented by the same people who will run it. While this direct connection is powerful, it’s important to make a clear transition between the two to help achieve sustainability and the full return on investment.
My IS team is accountable for managing our information risks, but they can’t get the risks closed.
This isn’t so much an operating model as a governance challenge. It’s worth breaking the “accountable” rows down when you think about your cyber RACI. Look carefully at who owns the risk, versus who owns providing the security solution, versus who is accountable for implementing and operating it. Clarity on these distinctions can sound like an academic debate, but drilling down to this level can be powerful in understanding how your business works.
Who should my Head of Information Security report to?
A tough question, and like most, one to which there is no right answer. Most often they are in the CIO, CFO or CRO reporting lines. For many organisations ‘CIO’ is the default answer, but it tends to send an undesirable signal that cyber risk is just an IT problem. It also runs counter to the CIO’s usual measures of success: agility, availability, cost control, etc.
Cyber risk is a business imperative, and the right reporting line is likely to be driven as much by the politics of sending that message as by the reality of it. It’s also important to look at how far down the reporting line your IS leader sits. If they’re helping the business to manage its largest operational risk (as is the case in many organisations), they’re unlikely to get the visibility and funding they need if they’re buried eight tiers down your management structure.