Managing a security function: diagnostic version 1
Published by: Information Security Forum
Tel: +44 (0)20 7213 1745  Fax: +44 (0)20 7213 4318  E-mail: [email protected]  Web: www.securityforum.org
Project team: Adrian Davis, Martin Tully, Gary Wood
Review and quality assurance: Andy Jones, Steve Thorne, Andrew Wilson
Design: Louise Liu, Snehal Rabadia
WARNING
This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected].
Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.
Classification: Restricted to ISF Members and ISF Service Providers
Information Security Forum • Managing a security function www.securityforum.org
Preface
In the business world, being effective means doing the right things: the things that customers value, and matching products or services to the needs of the consumer. Traditionally, information security leaders and functions have delivered effective but often technically-oriented security products and services to the business. However, as the commercial environment and the threats and risks to business and its information alter, information security may have to change and adapt to the new conditions.
To assist information security leaders in understanding the requirements of their business and how best to align the function and its activities, the ISF has developed a diagnostic, which is split into two parts: the first covers the function; and the second the characteristics of the information security leader. By completing the diagnostic, a ‘profile’ of the function and leader is generated. Asking a third party (either a business manager or someone on the leader’s immediate reporting line) to complete the diagnostic provides an instant comparison which the leader can use as part of a toolkit to more closely align the information security function to the business.
Contents
The diagnostic ... 3
Interpreting the results ... 8
This diagnostic is intended to be used by:
• leaders of information security functions, such as information security managers, Chief Information Security Officers (CISO) and heads of information security departments or functions
• business managers and executives (non-information security leaders)
• people aspiring to be information security leaders.
The background drivers to the ‘Effective approaches to managing a security function’ project were to help ISF Members investigate how to lead a security function, explore how to sell security and an associated vision, and examine how to deliver information security in an organisation. Accordingly, a series of highly interactive Member Special Interest Group meetings were held in Amsterdam, London (twice), Johannesburg, Singapore, Melbourne, San Francisco, Ottawa, Boston, Munich and Oslo between May and July 2007.
The diagnostic
The purpose of the diagnostic is to stimulate thought and debate about information security in an organisation by:
• facilitating communication with business people
• understanding how an information security function and its leader are perceived by the business
• ‘kick starting’ a programme to close any gap between what the information security function provides and what the business wants.
The diagnostic is designed as a simple, easy to complete tool, which provides a common language and terminology and which is capable of enhancement over time via feedback and the use of metrics.
The diagnostic has been split into two parts; one examining the information security function, the other the information security leader. In both parts, the characteristics are described ranging from an IT / technology orientation to a business / risk orientation. The two parts of the diagnostic are presented on the following pages, with instructions on their completion.
Further uses for the diagnostic
The diagnostic can be used in other ways, apart from providing a baseline or comparison tool. Several uses are highlighted below:
1. A development and appraisal tool for information security leaders and individual members of staff.
2. A component of a strategy toolbox; used in conjunction with the value chain, the diagnostic can be used to identify gaps, value-adding activities and drive change.
3. An analysis tool for the creation of an information security strategy, capturing the current position of the function (the mission) and the desired position (the vision).
4. A tool to review the information security strategy in the light of changes in the environment, business and market.
5. A framework for prioritisation; each project, programme, initiative and business case can be reviewed against the diagnostic.
6. An educational tool to raise awareness of information security activities and explain to the business why and how certain activities are performed.
7. Input into a ‘90-day plan’ for a new information security leader; the results of the comparison can be used to identify quick wins and longer-term activities.
Basis for the diagnostic
The diagnostic has been developed using the combined input of senior information security professionals from across the globe, captured: in 11 facilitated meetings, through the use of business simulations and interactive data-gathering sessions; from written questionnaires and surveys completed at the meetings by attendees; and from the analysis and the results of 15 in-depth interviews with Member representatives (including non-information security executives) to explore the project topic and validate the diagnostic. The analysis of this material, combined with desk-based research and previous ISF work, were used in the development process.
Diagnostic part one: Function
Part one addresses five areas associated with the function, namely: purpose; people; activities; communications; and measurements. Each of the areas has four questions associated with it, except the measurements area which has three. The questions examine the degree of technical and business alignment for that area. Part one is shown below.

To what extent is the function... Place an F in the most suitable cell for each row.
Response cells, left to right: Like this | Mostly like this | Elements of both | Mostly like this | Like this
In each row the left-hand statement describes an IT / technology orientation and the right-hand statement a business / risk orientation.

Purpose. Focused on...
• understanding the risks facing technology | understanding the risks facing the business
• securing the individual elements of the infrastructure and related software | securing the business through a security architecture
• delivering 100% secure operations (ie without assessing risks) | helping the business balance risk and reward
• helping the business meet compliance requirements for each law and regulation individually | helping the business meet all its compliance obligations through an integrated approach

People. Staffed by people who...
• are technical experts (eg have primarily technical qualifications: MCSE, CNA) | are business advisors (eg have a mix of technical and business qualifications, eg MBA)
• primarily have deep and narrow technical expertise and experience | primarily have broad expertise and experience in a business context
• fulfil an internal, security-focused role | are sought out by business people
• develop deeper technical expertise | actively look to develop their skills in new business and technical areas

Activities. Organised to deliver...
• technology-based security solutions | security solutions which address people, process and technology holistically
• ‘tick box’ implementation of standards and compliance controls | ‘tailored’ activities driven by business risk and assurance requirements
• security operations and management | an advisory service which provides security solutions for the business to implement and own
• a reactive ‘one off’ approach to every incident | an incident management and response capability integrated within the business

Communications. Communicate using...
• the potential impact of security incidents | tangible business benefits (eg ROI / value) offered by information security
• generic messages regardless of the audience | targeted responses to specific groups of stakeholders (eg dashboards)
• technical language | business language
• generic awareness messages regardless of the audience | an awareness programme, supported by a behaviour change process

Measurements. Assessed by...
• overhead costs | a balanced scorecard of key performance indicators
• technical parameters (eg port scans, incidents, spam blocked) | trends, business impact and cost
• process outcomes generally (eg number of systems patched) | process outcomes in the context of business risk (eg percentage of business critical systems patched)
Diagnostic part two: Leader
Part two addresses six areas associated with the leader: personal; purpose; people; activities; communications; and measurements. Each of the areas has four questions associated with it, except the measurements area which has three. The questions examine the degree of technical and business alignment for that area. Part two is shown below.

To what extent is the leader... Place a C in the most suitable cell for each row.
Response cells, left to right: Like this | Mostly like this | Elements of both | Mostly like this | Like this
In each row the left-hand statement describes an IT / technology orientation and the right-hand statement a business / risk orientation.

Personal. Building...
• a tactical / operational view, focused on problem solving | a strategic view of information security in the business, focused on possibilities
• knowledge in technical fields; may hold technical qualifications (eg BSc, CISSP) | learning and development in both technical and business fields; may hold business (eg MBA) and advanced technical (eg MSc, CISM, CISA) qualifications
• networks within technical communities; credibility as a technical expert | rapport and relationships within technical and business communities; credibility as a trusted advisor
• an understanding of the organisational culture | knowledge to influence organisational culture to promote security across the organisation

Purpose. Focusing on...
• understanding the risks facing technology | understanding the risks facing the business
• securing the individual elements of the infrastructure and related software | securing the business through a security architecture
• delivering 100% secure operations (ie without assessing risks) | helping the business balance risk and reward
• helping the business meet compliance requirements for each law and regulation individually | helping the business meet all its compliance obligations through an integrated approach

People. Selecting people who...
• are technical experts (eg have primarily technical qualifications: MCSE, CNA) | are business advisors (eg have a mix of technical and business qualifications, eg MBA)
• primarily have deep and narrow technical expertise and experience | primarily have broad expertise and experience in a business context
• fulfil an internal, security-focused role | are sought out by business people
• develop deeper technical expertise | actively look to develop their skills in new business and technical areas

Activities. Organising delivery of...
• technology-based security solutions | security solutions which address people, process and technology holistically
• ‘tick box’ implementation of standards and compliance controls | ‘tailored’ activities driven by business risk and assurance requirements
• security operations and management | an advisory service which provides security solutions for the business to implement and own
• a reactive ‘one off’ approach to every incident | an incident management and response capability integrated within the business

Communications. Communicating using...
• the potential impact of security incidents | tangible business benefits (eg ROI / value) offered by information security
• generic messages regardless of the audience | targeted responses to specific groups of stakeholders (eg dashboards)
• technical language | business language
• generic awareness messages regardless of the audience | an awareness programme, supported by a behaviour change process

Measurements. Assessing performance by...
• overhead costs | a balanced scorecard of key performance indicators
• technical parameters (eg port scans, incidents, spam blocked) | trends, business impact and cost
• process outcomes generally (eg number of systems patched) | process outcomes in the context of business risk (eg percentage of business critical systems patched)
Completing the diagnostic
Each part of the diagnostic is designed to be completed in a reasonably short time-frame, either electronically or on paper. The person completing the diagnostic should select the option which best describes the function or the leader; if two options seem appropriate, select the one closest and make a note of the reasoning behind that selection.
There is no ‘right answer’ as the diagnostic does not assign a score to any of the options presented. The best answer is one that is most appropriate to the organisation. Selecting the best answer will result in a scatter of responses across the five response frames, rather than a ‘straight line’ response. Completing the diagnostic in a rigorous, objective, manner will maximise benefit from the exercise.
The diagnostic can be completed by various respondents, as shown in the table below:

Example respondents | Determines
Information security leader; third party (eg senior executive); information security team | 1. Current profile of function; 2. Current profile of leader; 3. Desired profile of function; 4. Desired profile of leader
Outsourcers | 1. The division of activities carried out by the function and the outsourcer; 2. The manner in which the relationship between the function and the outsourcer will be conducted
Completing each part of the diagnostic on a regular basis will allow a picture of the function and the leader to be built over time, review and track enhancements and changes and provide an on-going picture of how the function and the leader are developing to meet agreed targets.
Interpreting the results
The diagnostic is designed to stimulate thought and debate and provide a broad picture of the function and leader. Each part of the diagnostic produces a profile, which indicates the business / technical orientation of the function or the leader, as shown in the figure below.

[Figure: an example completed part one (function) diagnostic. It is the part one grid above with an F placed in one response cell of every row across the five areas: purpose, people, activities, communications and measurements.]

Completed in this manner, the diagnostic provides a snapshot, useful for setting a baseline, reviewing progress or outlining the desired or future profile of the function or the leader.
The diagnostic as a comparison tool
To gain further insight, the diagnostic should be completed by another person (eg a senior executive) or members of a team (eg the systems administration team). In this way, the third party’s view on the function or the leader can be captured and then compared to the leader’s view, highlighting the degree of organisational alignment.
The two completed diagnostics can be compared by ‘joining the dots’ and comparing the two profiles. An example ‘joining the dots’ comparison is shown below, highlighting where the differences lie and providing a basis for discussion. At the detailed level, each party can question how the differences show themselves and how they can be reconciled.

To what extent is the function... F = leader’s view, X = non-leader’s view. The markers are shown in their left-to-right order across the response cells (Like this | Mostly like this | Elements of both | Mostly like this | Like this); FX means both views fall in the same cell.

Purpose. Focused on...
• understanding the risks facing technology [ X F ] understanding the risks facing the business
• securing the individual elements of the infrastructure and related software [ FX ] securing the business through a security architecture
• delivering 100% secure operations (ie without assessing risks) [ X F ] helping the business balance risk and reward
• helping the business meet compliance requirements for each law and regulation individually [ FX ] helping the business meet all its compliance obligations through an integrated approach

People. Staffed by people who...
• are technical experts (eg have primarily technical qualifications: MCSE, CNA) [ FX ] are business advisors (eg have a mix of technical and business qualifications, eg MBA)
• primarily have deep and narrow technical expertise and experience [ FX ] primarily have broad expertise and experience in a business context
• fulfil an internal, security-focused role [ X F ] are sought out by business people
• develop deeper technical expertise [ F X ] actively look to develop their skills in new business and technical areas

Activities. Organised to deliver...
• technology-based security solutions [ F X ] security solutions which address people, process and technology holistically
• ‘tick box’ implementation of standards and compliance controls [ X F ] ‘tailored’ activities driven by business risk and assurance requirements
• security operations and management [ F X ] an advisory service which provides security solutions for the business to implement and own
• a reactive ‘one off’ approach to every incident [ X F ] an incident management and response capability integrated within the business

Communications. Communicate using...
• the potential impact of security incidents [ X F ] tangible business benefits (eg ROI / value) offered by information security
• generic messages regardless of the audience [ F X ] targeted responses to specific groups of stakeholders (eg dashboards)
• technical language [ FX ] business language
• generic awareness messages regardless of the audience [ X F ] an awareness programme, supported by a behaviour change process

Measurements. Assessed by...
• overhead costs [ X F ] a balanced scorecard of key performance indicators
• technical parameters (eg port scans, incidents, spam blocked) [ F X ] trends, business impact and cost
• process outcomes generally (eg number of systems patched) [ FX ] process outcomes in the context of business risk (eg percentage of business critical systems patched)

Key: non-leader’s view (X), leader’s view (F).
Alternatively, a radar diagram can be used, which allows the simultaneous examination, at a high level, of differences or similarities in the perception across each of the five or six areas. An example radar diagram, shown below, can be constructed by assigning weights to the responses for each row and then combining them into the five (or six) areas.
In this example, which looks at the function, a smaller shape on the radar plot indicates that the function has a more technical orientation; a larger shape indicates a more business focused function.

[Figure: radar chart comparing leader and non-leader views of the function. Axes: Purpose, People, Activities, Communications, Measurements. Series: non-leader perception, leader perception. Distance from the centre indicates increasing business orientation.]

The differences between the completed diagnostics can be used to generate an action plan, agreed by the senior executive and the information security leader, with timescales and clear objectives, as shown in the example below.

Action planning: to what extent is the function... F = leader’s view, X = non-leader’s view, shown in their left-to-right order across the response cells. Each row carries the agreed actions, responsibility, timescale and a completed? marker.

Purpose. Focused on...
• understanding the risks facing technology [ X F ] understanding the risks facing the business
  Actions: introduce risk management in function: 1. Deploy IRAM; 2. Collate IRAM results into risk register; 3. Initiate regular risk review meetings
  Responsibility: IS Manager, CIO, CRO
  Timescale: 1. Deploy IRAM, end Q2; 2. Collate IRAM results into risk register, end Q3; 3. Initiate regular risk review meetings, end Q1
  Completed?: 1. 2. 3. (blank)
• securing the individual elements of the infrastructure and related software [ FX ] securing the business through a security architecture
  Actions: no action
• delivering 100% secure operations (ie without assessing risks) [ X F ] helping the business balance risk and reward
  Actions: review with CRO. Responsibility: IS Manager, CRO. Timescale: Q1
• helping the business meet compliance requirements for each law and regulation individually [ FX ] helping the business meet all its compliance obligations through an integrated approach
  Actions: no action

People. Staffed by people who...
• are technical experts (eg have primarily technical qualifications: MCSE, CNA) [ FX ] are business advisors (eg have a mix of technical and business qualifications, eg MBA)
  Actions: no action
• primarily have deep and narrow technical expertise and experience [ FX ] primarily have broad expertise and experience in a business context
  Actions: no action
• fulfil an internal, security-focused role [ X F ] are sought out by business people
• develop deeper technical expertise [ F X ] actively look to develop their skills in new business and technical areas
(The example plan covers the purpose and people areas only.)

Differences in the profiles are used to drive objectives and actions for the information security function and other components of the business, along with agreed timescales and responsibilities.
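As an added worked example, not part of the ISF document, the following Python script does the arithmetic behind the radar diagram and the action plan: each response cell is weighted from 1 (most technical) to 5 (most business-oriented), the rows of each area are averaged to give the radius of that radar axis, and the rows where the leader’s view (F) and the non-leader’s view (X) differ most are ranked as candidates for the action plan. The 1-to-5 weighting, the subset of rows and both sets of responses are assumptions constructed for illustration; the direction of each disagreement follows the marker order in the ‘joining the dots’ example above, but the cell values themselves are not taken from the document.

```python
"""Score two completed copies of the function diagnostic and rank their disagreements.

Added example: the ISF document describes weighting each row's response and
combining rows into areas for a radar diagram, but prescribes no weights.
The 1..5 weighting, the row subset and both sets of responses below are
constructed assumptions for illustration.
"""
from statistics import mean

# The five response cells of a row, left (technology orientation) to
# right (business orientation), and the assumed weight of each cell.
SCALE = ("Like this", "Mostly like this", "Elements of both",
         "Mostly like this", "Like this")
WEIGHTS = (1, 2, 3, 4, 5)
AREAS = ("Purpose", "People", "Activities", "Communications", "Measurements")

# Two rows from each area of part one: (area, technical pole, business pole).
ROWS = (
    ("Purpose", "understanding the risks facing technology",
     "understanding the risks facing the business"),
    ("Purpose", "delivering 100% secure operations",
     "helping the business balance risk and reward"),
    ("People", "are technical experts", "are business advisors"),
    ("People", "fulfil an internal, security-focused role",
     "are sought out by business people"),
    ("Activities", "technology-based security solutions",
     "solutions addressing people, process and technology"),
    ("Activities", "a reactive one-off approach to every incident",
     "incident response integrated within the business"),
    ("Communications", "technical language", "business language"),
    ("Communications", "generic awareness messages",
     "an awareness programme with behaviour change"),
    ("Measurements", "overhead costs",
     "a balanced scorecard of key performance indicators"),
    ("Measurements", "technical parameters",
     "trends, business impact and cost"),
)

# Constructed responses: one cell index (1..5) per row, in ROWS order.
# F = leader's view, X = non-leader's (eg senior executive's) view.
LEADER = (4, 4, 2, 4, 2, 4, 2, 4, 4, 2)
NON_LEADER = (2, 2, 2, 2, 3, 2, 2, 3, 2, 3)


def validate(responses):
    """Reject a diagnostic with a missing row or a cell outside 1..5."""
    if len(responses) != len(ROWS):
        raise ValueError(f"expected {len(ROWS)} responses, got {len(responses)}")
    for i, cell in enumerate(responses):
        if cell not in (1, 2, 3, 4, 5):
            raise ValueError(f"row {i}: cell {cell!r} is not in 1..5")
    return tuple(responses)


def area_scores(responses):
    """Mean cell weight per area: the radius of each radar axis
    (1.0 = wholly technical, 5.0 = wholly business-oriented)."""
    responses = validate(responses)
    by_area = {area: [] for area in AREAS}
    for (area, _, _), cell in zip(ROWS, responses):
        by_area[area].append(WEIGHTS[cell - 1])
    return {area: round(mean(vals), 2) for area, vals in by_area.items()}


def rank_gaps(leader, non_leader):
    """Rows where the two views differ, largest gap first.
    gap > 0: the non-leader sees the function as more business-oriented
    than the leader does; gap < 0: the reverse. Ties keep ROWS order."""
    leader, non_leader = validate(leader), validate(non_leader)
    gaps = []
    for (area, tech, biz), f, x in zip(ROWS, leader, non_leader):
        gap = WEIGHTS[x - 1] - WEIGHTS[f - 1]
        if gap:
            gaps.append((area, tech, biz, gap))
    gaps.sort(key=lambda g: abs(g[3]), reverse=True)
    return gaps


def render_row(f_cell, x_cell):
    """One 'joining the dots' row as text: five two-character cells."""
    cells = []
    for i in range(1, 6):
        marks = ("F" if i == f_cell else "") + ("X" if i == x_cell else "")
        cells.append(marks.ljust(2, "."))
    return "[" + " ".join(cells) + "]"


if __name__ == "__main__":
    print("area".ljust(15), "leader", "non-leader", "gap")
    for area, f, x in zip(AREAS, area_scores(LEADER).values(),
                          area_scores(NON_LEADER).values()):
        print(area.ljust(15), f, x, round(x - f, 2))
    print()
    for (area, tech, biz), f, x in zip(ROWS, LEADER, NON_LEADER):
        print(render_row(f, x), area, "|", tech, "->", biz)
    print("\nlargest disagreements (candidates for the action plan):")
    for area, tech, biz, gap in rank_gaps(LEADER, NON_LEADER)[:3]:
        print(f"  {gap:+d}  {area}: {tech} / {biz}")
```

With the constructed responses the leader’s Purpose axis scores 4.0 against the non-leader’s 2.0, so the Purpose rows head the ranked list, which is where the example action plan above places its first actions. The signed gap is kept rather than its magnitude so the discussion can tell “the executive thinks we are more technical than we think we are” from the reverse; both need reconciling, but they call for different conversations.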
About the ISF
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.
For further information contact: Information Security Forum  Tel: +44 (0)20 7213 1745  Fax: +44 (0)20 7213 4813  Email: [email protected]  Web: www.securityforum.org
REFERENCE: ISF 07 10 03 Copyright © 2015 Information Security Forum Limited. All rights reserved.