What the **** is my information security “strategy”?

Build from an interesting conversation from [cisspforum] – Main participants : Elvis Ademba, Paul R. Dittrich, Gary Hinson, Ray Pesek

I had an interesting conversation with one of my close friends (also a consultant), on the challenges for security professionals in their organizations.

What came out strongly is that, (and he was adamant about it) most IS professionals and organizations do not know what their information security strategy is or should be. He told of a story with a client when asked about his InfoSec strategy, the CISO, answered

“What the **** is my information security “strategy” what do you mean?”

This got me thinking of why this is the case? And how to fill the gap in the market. Because most of the time as IS professionals – especially consultants, we are called in to address certain aspects of security, but never really care if it fits into the organizations information security strategy.

Many organizations do not know how to develop an Information Security Management System (ISMS) or an information security strategy. I see this in an important gap in the market.

Try these suggestions I’ve heard over the years:

  1. Spend as little as possible. We sell “x” and you just take away from our profits. You’re nothing more than an insurance policy and we want “state minimum coverage”.
  2. Our appetite for risk is enormous as long as the risk never happens. if it happens, it’s your fault because you did not adequately explain it to me, even if you did.
  3. If you can’t point to a law requiring “x”, why should we do it? If it is a legal issue, all we need is to show we do the minimum required by law.
  4. If it’s a contract issue, what exposure do we have in the contract if we don’t do “x”? If there is no penalty in the contract, there is no risk.
  5. What are you doing about “x”? I read about it in the Wall Street Journal today.
  6. It’s not a risk we need worry about. It’s never happened to us so far and I’m willing to bet it’ll never happen to us yet. ‘Least not on my watch.
  7. You are clearly exaggerating. Prove it. Show me the evidence.
  8. Times are hard. What’s the least expense we can safely/  probably get away with? I’m feeling lucky.
  9. There *must* be a cheaper way of dealing with that. Find it.
  10. There simply is no money. We have to relax our risk profile and go with the flow.
  11. How come nobody else [at my golf club] is spending big on this? Are you telling me they are all wrong?
  12. Projects X, Y and Z all have sound business cases to increase our profits by $$$ whereas all you can tell me is that if we “invest” in security, we *might* avoid a cost of $$$ *if* a whole load of real bad things happen to us. Get real.
  13. “We are not a bank.” (It takes quite a bit to render me speechless, but that statement succeeded…)

All kidding aside, if you can’t address these adequately you need to do some serious thinking.

  • #1 is simply a “best value for the money” statement. I ALWAYS know our company’s most recent quarterly and annual profit margin and actual dollars of profit and I use them in these discussions. If we have a 5% profit margin and I want to spend $5,000, someone else has to sell an additional $100,000 of product to keep the bottom line the same. It works best in the inverse. If I can do something to take out $5,000 of spending, it means we can lose $100,000 in sales and the bottom line stays the same. A lot of process improvement programs got accepted this way. The first year was a loss but years 2 and 3 more than made up for it. I ALWAYS use a multi-year time period because it smooth out the cost and demonstrates that you considered what’s going to happen down the road.
  • #2 says to retain all documentation that you use to keep everyone apprised of risks and proposed mitigations AND the responses you received. If you don’t receive a response, do a proactive follow-up that you can document. A.K.A. CYA. It’s just a fact of life.
  • #3 and #4 test your salesmanship and credibility with management. You had better be able to justify them in accordance with #1 and #2.

If you ever get hit with a #5 and can’t answer it immediately, spend less time on the golf course and more time in local professional chapters and staying up on things. By the time it gets into the papers it’s a day or more old and you had better be able to immediately say what you already did to mitigate it or why it’s not a risk. It’s that credibility thing again.

A local CISO got his credibility raised to the point where he was invited to go on sales calls to major clients and potential clients. He briefly explained the steps his company took to protect the client’s information. He became part of the solution (increased sales) instead of part of the problem (increased cost).

Yes, I am suggesting you ask to go on sales calls. But you had better be able to explain what you do briefly, non-technically and why your company is different and better from the competition. This is how you get the funding to go above “state minimum coverage”.

To me, that CISO’s reaction is the sure sign of an immature organization – one that is certainly in need of a new CISO and very likely, several other C-level leaders as well.

An “information security strategy” cannot be considered as a standalone policy. It is far more effective to consider information security as a subset of a general business risk management policy. A mature, well-managed organization has typically integrated information security considerations into their planning activities related to foreseeable / predictable risks to the business itself, including risks to intellectual property, risks of non-compliance, disaster recovery, continuity of business, etc.

The people writing the ISMS standards aren’t necessarily clear about what an information security strategy might be.

They seem confused about “ISMS policy” and “information security policy”: are these the same, and if not what are the differences?

I suspect a large part of the problem is that terms such as strategy and policy are context-dependent. In some situations and organizations, ‘information security strategy’ might mean a long-term outline/high-level vision for the development of information security. In others, maybe a medium-term view with some key objectives. Otherwise, perhaps a set of short to medium-term plans for improving information security or something else entirely. Who knows?

Likewise with ‘policy’: most of us here are probably familiar with the confusion created by ‘acceptable use policies’ which, to my mind at least, are much more like guidelines than policies, but in other contexts policy may indeed be the appropriate term.

So the real question should be:

“What is the Risk Management Policy of this Business? “

The discussion also talk about Bird Flu amazing program (where sponsor was the Management).

Fun :

Great alternative is using this tool: http://whatthefuckismyinformationsecuritystrategy.com/

Be the first to comment

Leave a Reply

Your email address will not be published.