Regular readers will know I’m critical of our current approach to information security management. In my view there’s too much emphasis on compliance and economics, rather than on effective responses to emerging threats. The question is what should be done? This posting provides the first in a short series of thoughts on what we must do to achieve a change of direction.
There are in fact several underlying problems that need to be addressed. Organisations need to change the basis of their perception and sponsorship of security. Security standards and compliance requirements must change. New solutions need to emerge. And new security skills are required. This posting addresses the first of these problems: the need to change our perception and sponsorship of security.
The most widespread weakness in contemporary security management arises from the fact that it’s driven by compliance. This situation has arisen because security is primarily a ‘grudge’ purchase. Left to their own devices, many organisations would choose to ignore it, or perhaps just recruit a security manager as an easy solution and a potential source of blame.
Regulators step in when enterprises fail to address important requirements. Unfortunately, compliance is an imperfect solution. It’s constrained by a need to avoid tilting the marketplace, so it ends up focusing on basic principles and agreed approaches. It’s also backward-looking, as controls have to be based on established practices, rather than emerging needs.
For these reasons compliance is not an adequate driver of information security management. It can be part of the solution. But its limitations must be recognised. Compliance encourages a minimal, tick-box response with emphasis on paperwork and evidence, rather than effective controls.
A further problem is that organisations expect to see a solid business case for security, ideally with a positive return on investment, which places too much control with the finance function. The perception that security is a smart financial investment is reinforced by vendor marketing hype and academics studying the benefits of metrics or the economics of security. The end result is that security is hugely constrained by paperwork, audits and business cases, progressively eliminating any sense of initiative, imagination and innovation.
Twenty years ago, this was not the case. Organisations responded to security when they identified risks or encountered incidents. This freedom enabled the emergence of new standards, technologies and skills. But we got the future wrong. We built and cemented an outdated, industrial-age approach to security, based on standardisation and quality management principles. This approach might have been fit for purpose twenty years ago, but it will not meet the demands of the 21st century.
Security today is different. It’s not about constructing layers of imperfect controls to discourage casual access. It’s about hardening assets against professional attack. Standards and audits can’t help with this. It demands a careful eye, a tailored approach and smart solutions. Security decisions and priorities need to be reclaimed from the auditors and given back to the professional specialists.
To move forward we need to accept some basic principles. Firstly, investing in security is a leap of faith. Future risks and results are either unknown or uncertain. It has always been this way. And it’s not the only business investment like this. Initiatives such as advertising, brand management and customer relationships also suffer from a lack of concrete evidence of return on investment. Yet instinctively we know they are necessary, and companies will invest millions of dollars in these areas, often because they are backed by the Executive Board, rather than because they pass a financial investment hurdle.
We must persuade boards that information security is essential and that it requires a forward-looking approach and a reasonable level of funding, as well as a degree of freedom and power to take decisions. We need to de-emphasise the importance of business cases and compliance processes, and encourage innovation, personal judgement and freedom of operation.
We also need to ensure that everyone understands that success in security cannot be measured by metrics. Security is a long-term, uncertain investment. It is not a temporary requirement, like a level of terrorist alert that will eventually be lowered, or a one-off reaction to a major incident. Security is here to stay; it is growing in significance and requires specialist advice from trusted and empowered security managers.