It's clear to me, from discussions in real life and on social media, that the role of "Information Security" is far from clearly defined.
Recently I found myself attempting to explain my thoughts on the role of Information Security in yet another BYOD discussion - only to find that my thinking had changed over time and is perhaps misaligned with that of some of my peers.
This wasn't possible to explain in 140 characters (actually we were down to 91 due to the number of @ replies), so I thought it makes sense to explain my position here, in the hope that we can have a clearer dialogue, on the record, to define what and who Information Security is as an entity within the enterprise environment.
Let's take a look at this pragmatically. First and foremost I believe, as I've said before, that the Information Security function is actually two separate groups lumped into one. On top of that there is also a classic misunderstanding of what Infosec actually should be responsible for and why... so let's start there.
In far too many organizations I hear leaders and practitioners alike tell me that the role of Information Security is to protect the organization. Accepting this thinking got us into the predicament where many of us are today... where security isn't everyone's job, and only Infosec is thinking about security. This couldn't be more wrong.
If you've ever had that discussion with a developer or project manager about the poor security posture of their project, program or application only to hear them tell you that "Well that's your job!"... you're there. Security simply cannot be successful if it is the "problem" of just one very small group of people.
I believe the reason for this situation is that when security first became something the enterprise thought about, no one else got it, and in order to set ourselves apart from the rest of IT, security formed a niche. I'll readily admit that I contributed to this in the first few Infosec jobs I worked... it was a mistake then, but I can only look back on it now.
So what is the role of Information Security within the enterprise?
I feel that the role of Information Security is two-fold. The first part is Operational Security, or rather, enforcement of controls designed to protect the business interests while enabling business goals. In short, it's the do part of Information Security teams. Pushing patches, monitoring dashboards, incident response, knowledge services (education) and so on.
These are not strategic functions, and many of them are incorporated (or should be) back into the core functions they came from. The Information Security Operations team should have representatives in each of the major IT groups - systems, networking, applications, development, user management and so on.
As Dan Conroy (then my manager and CISO at GE Consumer Finance) speculated rightly - this is the optimum model for efficiency.
The second group is what we rightly start to term strategic. This is Information Risk Management, or whatever you choose to call it. This group is made up of architects, business-savvy security analysts and people who are senior enough to understand technology and how threats apply to a business model.
The trick with this group is to not get too far disconnected from the technology... but I think that can be overcome with a rotation schedule between the operational security group and the IRM function.
Information Risk Management is all about working with, in, and through the business to define strategic goals for the protection of the business. How will your enterprise tackle cloud computing? What is your strategy for BYOD? Those types of questions are best answered here, in this group, then handed to the individual operational teams to enforce.
Let's take a peek at the BYOD issue from this viewpoint. IRM would engage with the business in the following aspects (non-exhaustive list)...
- work with business leaders to define data classifications and strategic goals for each of those classifications
- work with business leaders to define a minimal set of 'roles' and responsibilities based on job role and necessary access to technology and data
- define a strategic policy for what constitutes BYOD, what is allowed, when, and how
- create a technical implementation plan for the management of risks associated with BYOD; to be approved in line with the business leadership
- set policy for the secure software development lifecycle
- define a monitoring strategy for events and incidents
- define an incident response strategy for incidents and issues resolution
- hold responsibility for incident resolution and response root-cause analysis
- periodically audit the environment to ensure policy is being followed
- regularly update policies to adjust for technology advancements, etc.
The operations team would essentially be the implementers and "doers" of the items set out above except where explicitly defined. Creating a definite separation between risk management and operations keeps both groups focused on serving their respective goals - because as we all have come to accept - Information Security serves two masters.
While the IRM team is focused on serving the business through strategy and alignment to the business, the Operations team can focus on serving the needs of 'security' and working with technology.
If you're pursuing this type of arrangement in your Information Security organization you'll need a strong CISO or security leader who not only is technically savvy, but also has the business understanding and relationships with the leadership of the company.
In my various years and experiences in the corporate world, from companies small to large, I would argue this arrangement is optimal for protecting the company ... both from itself and external forces.
Your mileage may vary... and I would love to hear your experiences, ideas and strategy!
Cross-posted from Following the White Rabbit