What’s in scope for Information Security? I discussed this topic earlier in the year (see my blog of Feb 22) where I asked the question “should information security just involve itself with electronic data assets or ALL data assets however they present themselves?”
The answer, at least as far as I’m concerned, is that information security governance has all data assets in scope. But that’s too simple an answer because scope is still a matter for a good deal of debate and too often becomes entwined in politics with the “old school” on the one hand who silo security in with IT, and the “new school” who read CIO magazine from cover-to-cover and then turn to the Financial Times for a conflicting view and just end up confused about the whole thing. Of course, us security folk think we know best and frankly, that doesn’t help.
What’s the answer? Who better to ask than those good guys from Gartner. Tom Schultz and Jay Heiser say “Effective information security requires an integrated approach that makes security part of the core fabric of the business processes and a key component of the organizational culture.” Good words and I agree but I also think it’s a bit ambitious given that few organizational cultures are likely to be prepared to make that sort of leap. It would take years of evolution. I also think it’s a rather American-centric perspective – French or German businesses with their works councils are likely to be far tougher nuts to crack.
Much better is Christian Byrnes’ description of what information security governance should cover:
– Risk strategy
– Security policy
– Security architecture
– Application design
Christian rather controversially goes on to say “Although CISOs are involved in all aspects and activities of governance, they are not decision makers in any of them.” I hear what he’s saying but I disagree. CISOs should, in my opinion, be strong decision makers because in most organisations there are few other individuals who understand information security risks. But effective governance requires buy-in. It’s the difference between leadership and management – managers manage while leaders need followers. Those responsible for Information Security need to lead and have the credibility to do so at all levels of the organisation.
We could also use compliance requirements to define scope or turn to ISO27001. Does it matter though? If the CEO says that he wants Information Security to have electronic data in scope but not paper-based data, or does not believe that the CISO has a role to play in DR planning, then should you be concerned? Not in my view. If you think that your role is not broad enough then make your case, and if you communicate it well enough you might get what you want. But make sure that you first understand what the business priorities and strategies are, and don’t try to broaden scope unless you can deliver the goods as well.
In the end, security governance tends to sit – sometimes uncomfortably – in between the business and IT stakeholders. The trick is to be trusted by both. Sort that one out and that’s most of the battle won.