CEOs want security plans for businesses, says Gartner Security Summit

Following notable breaches at the likes of RSA, Sony and Epsilon, security pros have the ears of business executives like never before.

LONDON — Notorious data breaches in recent months – at Sony, Lockheed, Citigroup, RSA, Epsilon and many others – have finally made information security a board-level concern. This provides the information security profession with a rare opportunity to gain the attention and support of senior management, and finally to implement proper security.

That is perhaps the unifying thread running through many of the sessions at this year’s Gartner Security and Risk Management Summit in London: senior management now understands the risks of poor security, and security professionals can take the opportunity to build effective information governance across their organisations.

For Gartner Research Vice President Tom Scholtz, it is a question of building much stronger links between security and the business, so responsibilities for protecting information can be properly allocated. He explained that, if security is always left to the IT department, then other departments have no incentive to act responsibly.

“Information owners need to be responsible for protecting their information,” he said. “If people in business units are encouraged to take risks, but do not take responsibility for any losses, then they will take more risks.” He added that if IT is given all the responsibility – and is blamed when things go wrong – then it will overcompensate and become a barrier to business.

Scholtz described how security plans for businesses should always be a collaborative effort, with all stakeholders involved in their formulation. Where disagreements or tensions arise, arbitration committees should help to resolve them and balance the appetite for risk against the need for security. “A key part of information governance is arbitrating between the different parties,” he said.

He also said the IT department and the security function need to be empowered to act on behalf of the rest of the business, and, in return, they should report back to the stakeholders and demonstrate the value of what they do for the organisation.

The “time to value” of different projects should also be considered, so some tangible benefits are delivered on a regular basis. “Some security projects can take time to deliver value, and executives have a short attention span,” Scholtz said. Thus, clever IT departments will ensure some shorter-term projects are mixed in with the bigger ones, so regular benefits can be demonstrated.

Scholtz also had some advice on how to achieve effective policy management. There is no point, he said, in producing huge policy documents if nobody reads them; it is far better to create a hierarchy of shorter policy documents that are more relevant to people and their jobs. “Policies should clarify accountability,” he said.

To accomplish this, he recommended having a top-level security charter of no more than two pages – a mission statement outlining the basic security standpoint of the company. This policy document should cover general matters, such as password management, while specific job-related documents should be produced for different areas of the business. “Don’t mix policies, standards and guidelines in the same document,” he advised. “Policies tell people what they must do, standards outline what should be done and guidelines provide advice.”

Stronger collaboration was also an underlying theme for Debra Logan, a vice president and distinguished analyst at Gartner, who spoke about the rising tide of litigation in the UK and the associated requirement for electronic disclosure of evidence. She said many UK organisations were still unaware that, in the case of lawsuits, they might be required to submit large volumes of information as evidence.

“Some organisations believe it doesn’t apply here,” Logan said, “but that’s a myth.”

Well-applied information-retention policies can help organisations manage the demands of the courts, Logan said. For instance, if the policy is to delete emails after six months, the company will have a clear explanation of why it cannot supply emails older than that. In reality, however, companies accumulate vast amounts of data and may be required to sift through the lot if asked by the court.

Logan said IT security people needed to learn more about the law, and to collaborate more closely with the legal departments in their organisations. “Legal and IT need to work together properly, and to forge a strong working relationship,” she said. She also advocated investing in technology to help with the task, and cut down on legal bills. “Lawyers make software look cheap,” Logan quipped.

Marc van Zadelhoff, director of strategy for IBM Security Solutions, who also spoke at the conference, said security has suddenly become a board-level issue with customers. “The most senior people in our customers are asking us to help them do security differently,” he said. “They have lots of point solutions, and they realise it’s just not working any more.”

He said the challenge is to express security issues in a way that resonates with the CEO and company boards. “Suddenly every member of the C-suite cares about this issue. This puts a burden on us as security professionals, because, for the first time, we have their ear. We have been asking for years for the business to care about security – now they do,” he said.

“The most effective thing you can do in security is to create awareness,” van Zadelhoff said. “If you have the lines of business involved in the risk discussion, there is a good chance they’ll help you raise awareness.”