What possible link could there be between the writings of an 18th century economist and the management of information security in the 21st century?
Could Adam Smith's famous quote, "When ownership and control of corporations are not fully coincident, there is potential for conflicts of interest between owners and controllers", still have relevance today in an information security context?
Among the complexities of today's regulated world it is easy to lose sight of the basic premise behind Smith's writings. All he was saying was that wherever interests that should be working towards a common goal (principally the creation of wealth) have the potential to diverge, there should be mechanisms in place to keep them in balance.
How should we relate this principle to information security? It is the board of directors of an enterprise who must bear ultimate responsibility for the success or failure of the security measures established to protect corporate assets.
This is where the Adam Smith principles of governance come in because, although it is unambiguously the responsibility of the board to protect the business assets, the actual processes established to provide that protection are usually managed by others.
Although these tasks may be delegated, the responsibility for ensuring that they are managed effectively and that they deliver the expected protection cannot be. So how can the board satisfy itself that the security mandate has been properly fulfilled?
Should board members themselves become experts in security technologies? The answer obviously is no, but, in order to carry out their governance mandate, board members must seek informed assurance that the security measures in place are appropriate to the risk and are effective in operation.
The first step is to recognise and understand the risk and ensure that policies are developed to guide the detailed processes that will be implemented to provide mitigation.
The media attention given to recent security breaches highlights the need for a comprehensive information security policy, endorsed and owned by the board, and communicated regularly to all staff.
The principles of governance extend also to defining responsibilities for information security. What is being secured is business information and, while many of the techniques used to ensure security may include technical solutions that require specialist expertise, it is the business that has to bear the prime responsibility for security. Only the business can decide on the levels of security that are appropriate to its diverse corporate information. To treat all information alike would lead to some being over-secured and some under-secured.
Another key governance responsibility is to ensure that sufficient resources are available to acquire, develop, implement and manage the appropriate security measures.
A further, and overriding, key principle of governance is never to assume that all is well. Merely allocating responsibility for security tasks is insufficient. Those responsible for governance need to obtain regular, informed assurance. This requires the development of reporting mechanisms that demonstrate to the board that information security is operating effectively and efficiently.
Any board that ignores, or gives less than full attention to, information security governance will be failing in its stewardship responsibilities.
Paul Williams is chairman of the ISACA Strategic Advisory Group and IT governance adviser to Protiviti, and is speaking in the keynote programme at Infosecurity Europe 2008.

Computer Weekly Infosecurity 2008 Show guide and preview