As the new year begins, one thing is clear: The information security discussion needs more constructive involvement from upper management and business unit leaders.

From a long-term perspective, the security situation is getting worse. There is more responsibility being loaded onto IT, more interdependence of far-flung organizations, and more criminal activity, automation, complexity, regulatory scrutiny and risk.

Short term, the industry goes through phases. We make strides against worms and viruses, then get devastated by phishing, spyware and other attacks. The cat-and-mouse game with attackers will continue, but organizations need not be doomed to a series of large-scale surprises and expensive, reactive fire drills. If companies follow a comprehensive security approach that is sustainable over time, then major incidents and emergencies can be reduced and managed when they occur.

It would be great if IT security required only a strategic understanding of technical countermeasures and funding for the tools. But security requires people and processes as well as technology. Sometimes it's not about increasing the security budget but allocating funds to what's really critical to the business, and getting processes such as change control, hiring, software development and partner management to build in security properly. This takes cross-organizational buy-in.

A rapidly changing IT environment is part of the problem. As organizations engage in outsourcing, offshoring and distributed networks of partners, the number of potential insiders increases. Applications and perimeters become more distributed, there are more sites and technology components to defend, and many third parties to involve. Yet IT staff usually doesn't have control over the third parties that management brings to the table.

Compliance demands organizations prove that separation of duties, change management and other controls exist.
This requires a role-based security approach, but roles and processes need to be defined and maintained by management as well as IT. Instead of looking for a mythical checklist of best practices that will make compliance easy, businesses need to focus on management and process issues.

But many organizations are in turmoil because, for all their pockets of technical excellence, they aren’t following good security practices comprehensively from the top down. Executives have the fiduciary duty to create the tone at the top, the risk management that sets priorities and duties to protect, and security policies that ensure they get the knowledge they need and the security work gets done.

If you are not an executive, you can raise the level of the security discussion by communicating more effectively with management. For example, business people don’t need to know much about viruses and technical security details, but they do need to understand and make decisions about risks and compliance, define roles, get control over third parties and help set application security requirements. If technical security people can help the business people see what they have to do, and provide some templates and encouragement for getting started, significant progress can be achieved.