It’s important to note that change is inevitable. The implementation of security policies is just one of a vast array of changes employees must absorb. Understanding this is important when creating security policy roles, responsibilities, and accountability. The more closely you can align security policy roles with employees’ existing job responsibilities, the easier implementation will be. For example, assume a security policy requires a certified security trainer for a specific team. Now assume that team already has a trainer for a nonsecurity purpose such as office safety. Combining these roles and responsibilities could create the opportunity to combine training requirements and make it easier for the business to accept the security policy.
Many players are involved in the process of security policy implementation. The roles and responsibilities are different depending on where you are in the life cycle of a security policy. The term life cycle in this chapter refers to the creation, implementation, awareness, and enforcement of security policies. These different tasks require different roles and responsibilities.
There are many theories on how to approach change and an individual’s role in the change process. The key point is to understand everyone’s role from the perspective of a change model. You need to clearly define everyone’s role when developing and changing policies. You also need to recognize different roles when it comes to enforcing policies after they have been implemented.
When you implement security policies, you are implementing change. This can include implementing business perspectives and organizational values. This means sometimes you are implementing culture change as much as security controls. Be sure to select a change management model that speaks to the need to influence leaders as much as to technical implementation of controls.
There are many change models to choose from. You may be able to adapt some when implementing security policies. This section focuses on Kotter’s Eight-Step Change Model. John Kotter, a professor at Harvard Business School, developed the model and introduced it in 1995 in a book titled Leading Change. The model has been widely adapted for a number of purposes. It addresses the need to create executive support for implementing change. This is a critical success factor in implementing security policies.
Professor Kotter states that to be successful in implementing change in a company, at least 75 percent of management needs to “buy into” it. The early stages of creating vision and urgency around the need for security policies will be critical later to build the coalition of executives needed to make change happen.
Let’s examine the model in relation to implementing security policies. The model divides an effective change process into eight steps:
FIGURE 5-6 shows how this model can be adapted to implementing security policies. You would cycle through this model each time you add a new security policy or make a major change to an existing policy. This model ensures that before you start a formal implementation, you have the leadership support needed to succeed. It also highlights the separation between informal and formal tasks. When we adapted Kotter’s model for the purposes of this chapter, we created a separation between informal and formal implementation tasks. This is to emphasize the importance of preparing for policy implementation through informal discussions versus starting a formal project approach right away. There are two major benefits to having these informal tasks. First, you gain executive support. Having a formal project before you have executive support is presumptuous and will create unnecessary resistance. Second, it establishes a collaborative setup that allows you to change and modify your approach. It also builds ownership into the process for the executive giving you advice.
Implementing security policies is easier if you manage it from a change model perspective. It helps you establish a collaborative style that allows business leaders to understand and buy into what you are trying to accomplish. The process starts with an informal set of steps that builds awareness and understanding. With a clear purpose beyond your security policies, you can build the executive support needed to succeed.
Using the steps in Kotter’s Eight-Step Change Model, the following sections explain the roles and responsibilities involved in the change process.
Be candid and transparent with leaders. Explain clearly what information security policies can and cannot achieve. Equally important, be upfront about the impact on the business; otherwise, you risk losing credibility.
It is the responsibility of the CISO, who may simply be called the information security officer (ISO), to convey urgency to business leaders. This is selling the need for information security. An effective way of doing this is to understand the business risk the security policy addresses and convey the need in business terms. The greater the business risk reduction, the greater the urgency perceived by the business.
It’s important to get executive support. Leaders are responsible for reducing risk to their organization. It’s the responsibility of the ISO to know who the key stakeholders are. It’s also the responsibility of the ISO to reach out to stakeholders, explain the policy change, and listen to concerns. Many organizations have what are called control partners. It’s the responsibility of a control partner to offer an opinion on the soundness and impact of the security policy. Many organizations require control partners’ input before a policy change can be made. The following are examples of control partners found in many large organizations:
The size of the stakeholder group varies depending on the scope of the policy change and the size of the organization. When the number of stakeholders in any group is too large, the ISO can take a sampling approach. For example, assume a policy change affects the entire organization, which is composed of more than 1000 managers. It’s not practical to ask each manager how the policy would affect every team. Therefore, the ISO would sample a population of managers. The ISO can target those types of managers who would be more affected than others.
The security policy must be understandable. It is the ISO’s responsibility to write the policy in terms the business understands. The ISO can tune the message so the value of implementing the policy makes sense. After compiling everyone’s input, the ISO creates a coherent security message and policy. The message should include high-level explanations of the policy to sell the vision. It is the responsibility of the stakeholder to validate the ISO’s assumptions and raise objections.
It’s not appropriate for a stakeholder to wait until just before a security policy is implemented to object. The ISO is responsible for ensuring all objections are transparent and either resolved or escalated. The ISO must make every effort to resolve an objection. The objection could be pointing out a legitimate problem that requires a change to the security policy or control.
It might not be possible to make everyone happy; however, everyone needs to have a say. Remember, success depends on a genuine effort to implement the spirit of the policies. Everyone reports to someone in an organization. It is the ISO’s role to escalate conflicts to some authority who can resolve them. In the end, you are trying to get the majority of leaders on your side.
Find a leader in your organization who can be an agent of change. These are leaders who don’t always follow the pack and can think outside of the box. They can guide you through the organizational politics involved in implementing change.
The policy change must be widely communicated. It is the ISO’s responsibility to create the message. The ISO must also formally lay out communication plans. A communication plan outlines the messages to be conveyed, how they will be conveyed, and to whom they are conveyed. Communication starts before the policy is published. For example, establishing a comment period for a new or changed policy can generate awareness. The ISO also needs to transition the implementation of security policies from informal discussions to a formal project plan. The project plan needs to outline dates, timelines, resources, and organizational support needed to be successful.
Stakeholders, particularly executive leaders, are responsible for communicating the change with their endorsement. Whether a leader raised an objection or not, leaders have an obligation to communicate and endorse any approved policy. This tone at the top is an important responsibility for an executive to perform. Executives are also responsible for setting team priorities to implement security policies.
The collateral created to sell the policy vision should be used in security awareness training. It will express the business need for the policy as well as the technical security components.
Obstacles to implementation must be identified and removed. It is the ISO’s responsibility to be the central point of contact and to track implementation problems. It is the stakeholder’s responsibility to collect and report problems with the implementation. It is everyone’s responsibility to report problems with security policies to their leadership. Many information security teams set up intranet sites so security issues can be reported directly to the security team.
It’s important to demonstrate value as early as possible. The ISO is responsible for identifying how success is measured. The ISO works with line management to collect metrics for assessing the policies’ effectiveness. It is usually the responsibility of these line managers to make sure such metrics are captured and are meaningful.
It takes time to change an organization’s culture. The ISO must continually monitor security policy compliance. The ISO reports to leadership on the current effectiveness of the security policies. The ISO will also have to ask the business to accept any residual risk or come up with a way to reduce it. Residual risk is the amount of risk that remains after you implement security controls. For example, let’s assume a virus scanner can catch 99 percent of all known viruses. That leaves 1 percent of the viruses undetected. The business needs to know about this risk. The business leaders are then responsible for accepting this risk or paying for more technology to stop the remaining 1 percent.
Make the values in the security policies part of the culture. This takes time and is achieved by changing employees’ attitudes. The ISO needs to be a strong communicator. It is his or her responsibility to come up with ways to reinforce the security message without creating a distraction for the business.
The organization is ultimately accountable for information security. When something catastrophic occurs, with lawyers and regulators engaged, the organization’s leaders have to explain what happened. In fact, officers of the organization may be held personally liable. They may pull the top technology executive (the CIO) along for the ride. But executives are the ones who fund technology and determine how much risk they are willing to pay to reduce.
Setting expectations for leaders quickly becomes a matter of budget. If there aren’t dollars to spend to implement controls, then it’s hard to hold executives accountable. IT spending varies greatly by industry. Deloitte found that on average, companies spend 3.28 percent of their revenue on IT. This percentage changes if you focus on specific industries. Banks tend to spend around 7.16 percent and construction 1.51 percent. Of those companies that consistently outperform the S&P 500, 57 percent increased their IT budget from 2016 to 2017.¹ Companies that spend more on IT have more resources to deploy for information security. Thus, the expectations for information security in a financial services company may be different from those in a manufacturing company.
Although business leaders may be ultimately responsible, they rely on key technology roles to keep them out of trouble. These roles are accountable for implementing security policies, monitoring their adherence, and managing day-to-day activities. Although their titles may vary within an organization, typically you find different individuals accountable for each of the following roles:
ISOs need to make sure they build security policies collaboratively. The key is to create an open and candid conversation on risk. If the discussions on risk are perceived as valuable, executives are more willing to commit their time. This means the ISO needs to hold stakeholders accountable to participate. No one should be able to opt out. Accountability changes once the security policies are implemented. End users are accountable for following policies. The ISO’s central role is to coordinate these activities.