It’s another Isaca conference and there are hundreds of security professionals in the room, all itching to understand the latest thinking on where the greatest amount of cyber risk resides. Is it cryptojacking, attacks from nation states, rogue insiders, vulnerabilities in CPU design, fileless malware?
The reality is that there is no master list of cyber risks. When it comes to cyber threats, there is no one size fits all. The cyber security risks are mostly dependent on the organisations themselves – what products and services they deliver, what information of value those activities contain, how good their existing cyber security defences are, how much a company may have accidentally antagonised a potential hacker – but here comes the real problem:
In order to protect your information of value – you have to know about it. You have to know not just that you have it, but where you have it, and where you allow it to go. This is because, if you don’t know what your information of value is, or where you allow it to flow – you have no chance to ensure that you apply the right security to it.
There is a wave of agreement that rolls through the audience. Everyone agrees that you need data governance. After all, there is a reason that the discipline is called “information security”.
Based on my own audit experience (and now also based on asking this same question at many conferences), I ask the audience this question – and I invite you (the reader) to think about your own response: Put your hand in the air if your enterprise has a single, up-to-date inventory of all your information of value, including all of the places you expect and allow that data to flow – suppliers, cloud services, applications…?
In rooms filled with 200 or more security professionals, how many hands do you think go up in the air? Sometimes a few and, often, none at all.
So, how does this happen? How do so many security professionals get left without a basic component they need to help deliver security efficiently and effectively?
Well, this has nothing to do with the competence of the professionals in the audience. They are always well aware of the need for effective data governance. They know that any datasets of value should always be subject to data classification. There is also no lack of training and guidance, for example, there are plenty of great data governance resources available across the Isaca publications and education programs.
In my experience there are three main drivers for the issues around data governance.
- Cyber security used to be about network security: For quite a while, it was possible to treat the company network like a gated community. Security professionals were expected to cut corners and protect the community (the network) rather than go through the more expensive and laborious process of putting each dataset of potential value through a data classification process. That method no longer works, but getting governance structures to adjust back to placing data governance at the centre of their security universe is somewhat similar to asking a supertanker to make an immediate 90 degree turn and then hold that new course for a few miles.
When all the structures and departments are geared up for certain roles and then the objectives change, it takes time to re-engineer and re-equip those roles. This leads on to the second challenge:
- Not enough time allocated to security staff for training and education: The technology landscape is changing faster than ever. If you want your security professionals to keep pace, then just expecting them to be able to keep up by allocating a small amount of training time and budget will not serve you or your staff very well. I spend over 50% of my time on research and I barely keep up with the essentials.
We need to recognise that security professionals need a much more sizable percentage of their time allocated to continuing professional education than most other roles. Isaca requires an average of 40 CPE [continuing professional education] hours per year for members to maintain their certifications. The reality is that most of us have to attain far more than the minimum. If you are an organisation struggling to recruit or retain staff, you might want to look at just how much ongoing training and education you offer security personnel.
- The CISO is not reporting to the main executive: Just where do you plug in a chief information security officer (CISO)? Isaca’s State of cybersecurity 2018 survey found that even among security staff themselves, there was a ‘striking lack of consensus’ about where they should report. Only 35% of survey respondents indicated that their roles report into a security function, 30% report into CIOs (chief information officers) and the remaining 35% report to a multitude of functions and departments.
Reporting to the CEO
In my opinion, there is only one effective place for a CISO to report and that is directly to the CEO (chief executive officer) as part of the main executive. If I were in any doubt, I offer this as further evidence: I have only ever seen a few hands go up to acknowledge that their organisation had managed to get their data assets and data flows inventoried.
When I asked a follow-on question, there was a 100% correlation. The only people who had their data governance working properly also had a CISO reporting into their CEO.
What does this mean in practice? It means that understanding your data of value, and where you permit it to travel, is key to achieving effective security.
However, it also seems like the organisations most likely to get to that position are those that recognise the need to put their CISO right up on the main board with the chief financial officer. You might think twice before allowing money to just flow around without the right checks and balances. It’s time to think about information flows with the same level of integrity.