Business understanding is key to security, says Elsevier CISO

Security professionals must have a good understanding of the business they support, says Elsevier CISO David Cass

Information security professionals must have a good understanding of the business they support, says David Cass, chief information security officer (CISO) for publishing firm Elsevier.

“They must know what is important to the business and what the key business drivers are so that information security can be aligned with those,” he told Computer Weekly.

Many businesses have an increased need for agility and want to be able to test products quickly and adopt “fail-fast” models or expand rapidly, he said.

The cloud is well suited to these cases, said Cass, but security professionals must be able to articulate what the business risks are, and provide adequate protection.

“In the past, a security breach tended to mean the end of a CISO’s career, but now the bigger career-limiting factor is if you are unable to help the business to innovate,” he said.

This generally means helping the business to use social media, mobility and cloud computing securely to enable new products and services.

The best way to achieve this is to take a partnering approach, said Cass. “My information security team is essentially a business-facing structure,” he added.

Elsevier does not own any traditional IT infrastructure, so its information security team works with the business and technology suppliers to work out how to achieve business goals.

This approach is enabled at Elsevier by the fact that, as CISO, Cass reports into the company’s legal department.

“This means I am a peer with our CIO, and it gives me the opportunity to peer with our business product owners and senior managers to work out how to achieve business goals,” he said.

To support this process, Elsevier has created a risk framework for assessing applications that draws on industry best practices, such as the COBIT framework, combined with a capability maturity model (CMM).

Key areas of focus include network and system security, application security, data security, security operations, and security metrics.

Several areas are evaluated in each of these. For example, data security includes data classification, data model and flows, data ownership, and access controls.

“Based on the agreed risk level of an application that the business may want to create, the security team defines security and privacy characteristics that need to be met,” said Cass.

“Then we will work with the CIO and his team to find ways to accomplish this, and if those characteristics can be met, we are agnostic as to whether this is done in the public cloud, Elsevier’s own hosted datacentre, or a co-located facility.”

But this means recognising that the approach has to be different because some traditional security measures do not work in the cloud.

For example, for a high-risk application, moving to the public cloud may require a system that logs all transactions in order to meet the agreed level of maturity for that particular application.

“By defining the security and privacy characteristics that we require, it gives the business a clear understanding of the true risk associated with an application,” said Cass.

“And if they can meet the requirements in the public cloud, it also gives them the flexibility to assess whether it is more cost-effective to do so.”

In this way, he said, it becomes a business decision based on the risk of the application and whether it is possible to meet the characteristics that security has worked with the business to define.

The business also decides whether the cost to meet the required characteristics can be justified by what the application is trying to achieve and the revenue it can generate.

Elsevier can use its risk framework for both new and existing applications. With new applications, the security team works with the business unit in the planning phase and technology teams in development.

With existing applications, the framework is used to review the application development lifecycle and carry out a deeper security and privacy assessment.

In this way, Elsevier can identify any potential gaps and retrospectively improve areas of code to meet the characteristics defined by the risk framework.

The fact that these characteristics have been agreed by all the stakeholders means they are supported across the organisation.

“As a result, the requirements are not perceived as something that has been inflicted on the business by the information security team,” said Cass.

The risk framework was the result of a collaborative effort to look at what is important to Elsevier as a business and to agree on a maturity model to support that.

But Cass admits it was not without its challenges. As CISO, he still had to demonstrate business knowledge and an ability to work with the senior leadership of each of the groups involved.

“My advice to other CISOs is to understand the business and look for ways to innovate at small scale to prove what is attainable, and to share as much information as possible to break down silos,” he said.

“Once you can demonstrate that you understand the strategic direction of the business, you can look at how information security can help the business deliver on those goals.”

Cass will take part in a panel discussion on Security as an enabler: supporting enterprise innovation and transformation at Infosecurity Europe 2014 at Earls Court London on 29 April to 1 May.

He will be joined by moderator Peter Wood for the ISACA London Chapter and fellow panellists Lee Barney of the Home Retail Group and Michael Colao of Axa.