AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY

Monday, August 16, 2010

The Death of Information Security

It may be hard for you to imagine a day without an Information Security group, but the truth is that the role of the security team is changing rapidly as priorities shift and other functions become more security savvy. Certainly the responsibilities of the current security team won't ever disappear, but I see more and more organizations adopting a decentralized model of managing information security. We now have robust privacy and compliance functions within many organizations with responsibilities that greatly overlap with the traditional security team. The most significant trend that I see is the move towards a deeper focus on risk management principles. This shift away from more traditional approaches to finding a risk and crushing it into oblivion with security controls is drastically changing the role of the security team. Governance and oversight activities are becoming the main focus for many of the more mature security programs, and less time is being spent on operational tasks. Rather these daily responsibilities are being dispersed amongst the existing operational teams as part of their functional work. No longer does the security team need to own every security related control or project in the organization. It is even becoming less common for the security team to have a staff of operational/technical engineers managing and monitoring security devices. The role of a security manager is also evolving more into an oversight focus. Provide guidance and tools for the existing operational teams to perform their daily function, and regularly assess their effectiveness.

Interestingly, as our industry pushes to get a seat at the executive business table, it forces us to also become more integrated into the business and adopt a risk-based model that the organization can use outside the security group. This raises doubts about the future of information security as a function and distinct team within the business. Will the Chief Information Security Office (CISO) exist as a position in 10 years? What about the privacy or compliance officer? No one can say for sure, but it seems likely that these functions and the oversight being performed by the information security team today will be absorbed into existing functions within the organization. Most security awareness programs try to emphasize that protecting the organization’s interests is not just the responsibility of the security team, but that every employee is responsible for security. Be careful what you wish for. The realization of this dream may land you out of a job. Ultimately wherever the functions and activities of information security end up in the organization, each business will need someone with vision, leadership, and subject matter expertise to provide oversight and ensure that there is a cohesive approach to protecting the business’ interests.

I think that security teams should really approach an Information Security program as if they are consultants hired to help guide the business. The majority of your time should be spent interpreting security policies and standards, and helping the organization to understand how and when to apply them. If you think about the major components of your security program, likely you spend a lot of time managing out-of-compliance issues, working with auditors, assessing discovered vulnerabilities and emerging threats, and responding to incidents. All of these activities really need to be grounded in a robust risk management framework if you have any hope of being successful. Using the risk-based approach will help to prioritize where you should spend your energies and determine which risks are acceptable for the organization. We need to move away from a culture of expecting 100% compliance and zero risk. That just isn't a reasonable goal. Which ever risk model you choose, be sure that it provides a flexible yet consistent methodology for assessing and analyzing risks as they pertain to your organization in particular. No more of this reliance on everything being a blanket 'best practice' to justify security initiatives. In the past we have fostered a culture of saying 'No' which put us at odds with the business growing and evolving. It's the difference between security and the business standing on opposite sides of the mountain trying to figure out how to get over the top, as opposed to us standing on the same side trying to find the best solution together. Once you start to really analyze and understand the risks to the organization, you will be much better equipped to advise the executives how to best minimize exposures without compromising the organization's objectives.

Risk management is still new to many security professionals in the field. If you are interested in learning the fundamentals of risk management and how to use this foundation to build a mature security program, I recommend a new course being offered by SANS, MGT442 Information Security Risk Management. The debut of this course is being hosted in Hopkinton, MA on September 28th & 29th. More information is available here.
 

Mr. Wheeler is a security expert and an Akibia customer at Omgeo.

LABELS:

Evan Wheeler,

Compliance,

Security,

Training,

Risk management

Post a Comment

BLOG ARCHIVE

• 2011 (29)
  • December (1)
    • Is Employee Cybershopping Threatening Your Company's Security?
  • October (1)
    • Plans are nothing; planning is everything
  • September (1)
    • Has it really come down to a bag of chips?
  • August (6)
    • Modernization is The Key
    • VRM (Vendor Relationship Management)
    • The Double Dip Recession is Coming!
    • Security Faux Pas
    • Too Extreme? I don’t think so. Tying security to compensation.
    • Unique Requirements for Exchange 2010 Based Messaging Platform and Dependencies
  • July (2)
    • Configuration Management with System Center
    • Keep living in a fantasy world…
  • June (7)
    • The Softer Side of Information Security…
    • The Black Hats Get It. Do you?
    • More from midTECH
    • midTECH IT Summit
    • Advances and Limitations of Windows DHCP/DNS Services
    • Choosing the Right Consultant
    • Don't Panic Yet
  • May (3)
    • Citrix Synergy 2011
    • Citrix Summit 2011 - Day 1
    • Federal FISMA Compliance Rated "Poor"
  • April (1)
    • First Time Offshoring?
  • March (3)
    • AFCOM Data Center World - Day 2
    • AFCOM Data Center World - Day 1
    • RSA SecurID Breach: Are Your Tokens Safe?
  • February (1)
    • You can outsource the work, but not the responsibility
  • January (3)
    • P3 Cubed: Focus on the Basics Part III
    • P3 Cubed: Focus on the Basics Part II
    • P3 Cubed: Focus on the Basics
• 2010 (19)
  • December (1)
    • The Next Generation of Smartphones in the Enterprise
  • October (1)
    • How to Ensure a Successful Monitoring Implementation
  • September (2)
    • Too Many Requirements; How One VP of IT Handles It
    • The Missing Link
  • August (2)
    • Informationweek Survey of Sun Customers - Demonstrably Worse Service
    • The Death of Information Security
  • July (1)
    • Moving to Larger Mailbox Sizes with Exchange 2010
  • June (3)
    • Top 10 Features in Exchange 2010 for Users
    • Low Risk Support Alternatives for Cisco End of Life Equipment
    • Health Providers Beware of the New HITECH Act
  • May (1)
    • Compliance and Security Go Hand in Hand – How to Achieve Both
  • April (2)
    • A Boston Globe Article Ignites a Password Controversy - Why We Need Them, How to Make Them Effective
    • Reviewing Oracle's Changes - Has the Sun Set on Sun Systems?
  • March (2)
    • New Requirement - New Fire Drill?
    • Why HP is Worried about TPM's
  • February (1)
    • Has the Sun Set on Flexible Support Options?
  • January (3)
    • You Inherited Your Cisco Infrastructure, But Do You Know Why You are Still Buying It?
    • Your Workers are Surfing While Snacking on a Big Mac - Time to Revisit Managing Your End-Point.
    • Ensuring Security in the Virtualized Environment
• 2009 (34)
  • December (1)
    • Monitoring Via the Cloud
  • November (2)
    • Sun Makes More Changes Amid Uncertainty
    • Sky High Cloud Chatter
  • October (2)
    • Improving Vulnerability and Patch Management
    • A Couple Quick and Easy Green IT Steps
  • September (3)
    • Don’t Put off Until Tomorrow…
    • Boston's Missing Email Case Has Many People Asking Questions about Digital Forensics
    • IT Needs Turbo Compliance
  • August (3)
    • Take Full Advantage of System Monitoring
    • Implement, educate and enforce strict Social Media usage policies – in that order
    • Preparing for a Return to Growth? It’s Not Too Soon to Make Process Improvements
  • July (2)
    • Death by A Thousand Processes: Getting Compliance Right Requires a Change in Thinking
    • Wrest Control of Your Data Center Back From the OEM
  • June (3)
    • Getting Ready for Cloud Computing
    • A Letter to Ralph Szygenda, the CIO of General Motors
    • Lax Web Site Security: The Site Owner's Responsibility
  • May (3)
    • The Checklist Approach to IT Security is Failing You
    • Financial Strength of Your Vendors…Show Me the Money!
    • PCI DSS v1.2 and its Requirement from WEP to WPA Wireless Encryption
  • April (4)
    • The Near-Term Impact of Oracle Buying Sun
    • On the Path to the Cloud... Walk Before You Run
    • CIOs Need to Manage Up, Broadcast Successes
    • Consolidate Support Vendors?
  • March (4)
    • A Potential Sun Acquisition - Impact on Service
    • April 14 is Decision Day for Those Running Microsoft Exchange 2003
    • HIPAA Revitalized in 2009 and Beyond
    • Ten Steps for the Mass Data Security Law
  • February (7)
    • Tightening Budgets and Their Impact on IT Security
    • Recent Breaches Remind us to Focus on Security
    • The Training You Need Vs. The Training You Receive
    • Emphasizing Virtualization Security
    • DNS Audits: A Practical Guide
    • Practical Green IT
    • "Practical Use" Fills the Gap Between Idea and Implementation

BLOGS WE LIKE

• CIO - Blogs and Discussion - Best Practices
• InformationWeek’s Global CIO Weblog