CHAPTER 6: SELF-PREPARATION: BUILD A TRACK RECORD

All information security practitioners know, intellectually, that confidentiality, integrity and availability (C, I and A) are the three key principles of information security management. However, most practitioners actually concentrate more, in their day-to-day environments, on protecting confidentiality and integrity. The concept of ‘security’ doesn’t seem to contain the idea of availability.

However, to the business manager, ‘availability’ is the most important attribute of information. Line managers want to be sure that they, and their people, can access the information they need to do their job, as and when they need it. This business desire for availability often clashes with the practitioner’s desire to secure confidentiality and integrity, with the result that management often automatically sees new information security solutions as new ways of making it harder for people in the business to actually do their job of creating sales.

If you want the board to be really open to your trusted advice on information security, you need to be perceived as someone who not only understands that availability is critical, but who consistently delivers improvements in information availability, while ensuring that the necessary security activities take place unobtrusively in the background.

Your mission, in a sense, is to remove barriers to the organisation successfully pursuing its business objectives, while simultaneously ensuring that the confidentiality and integrity of valuable information is appropriately protected.

In order to deliver ‘enabling’ information security, you do have to understand both the process of risk assessment and management, and your own organisation’s risk appetite.

There are extensive guides to risk assessment.[1] The principles, though, are simple. Assessment starts with an identified, valuable information asset; it then considers the threats that might attack that asset, and the specific vulnerabilities that those threats might exploit in order to attack it. Foreign hackers, for instance, are only a danger to your local network if there is an Internet access point they could attack, and if that Internet access point has open ports.

It is not enough simply to identify a threat and a vulnerability; there must also be a likelihood of the attack occurring and a meaningful impact on the organisation if it were to be successful. An attack with a low likelihood of occurrence, or one which would have only a minor impact, may not be worth worrying about. Risk assessment is a core skill of information security risk management, and it is worth learning to be good at it.

Understanding your organisation’s risk appetite is the next most important thing in this context. Once you can do an effective and useful risk assessment in relation to a specific asset (or assets), you need to be able to determine what your organisation’s likely response to the risk would be and, if the response is likely to be ‘accept but control’, then you need to be able to assess what kind of control is worth putting in place.

Classically, organisations can accept risks (i.e. live with the risk, take no action in respect of it), reject them (i.e. refuse to expose the asset to the threat), transfer them (usually by insurance), or accept but control them. ‘Accept but control’ means that you select and apply one or more controls in order to reduce either the potential impact or the likelihood to a level that the organisation can tolerate.

A ‘control’ is simply a countermeasure for a risk; it could be technical, administrative or behavioural in nature. Most controls usually contain all three aspects: an effective firewall, for instance, is a technical implementation, to a documented standard, by an appropriately trained firewall engineer.

It is essential that you understand your organisation’s risk acceptance criteria, or its tolerance for risk. All management teams know that a certain element of risk is attached to their undertakings, and as long as the risk doesn’t become too great, they can live with it. This tolerance level varies from organisation to organisation. An information security professional who understands the organisation’s risk tolerance will know whether or not it is worth addressing specific issues. All too often, the information security practitioner gets hung up about controlling a risk that management simply doesn’t care about; trusted advisers don’t go on about stuff that management doesn’t care about. If you think management misunderstands a risk, and you believe that if they understood it they would not be so tolerant of it, then you have a duty to educate them. Unless that is the case, don’t even talk to the Board about risks that won’t matter to them, that are within their range of risk tolerance.

Finally, delivery: be sure that you consistently deliver technical and security projects on time, to budget and to specification. Every time you fail on one or more of these, you reduce the likelihood of management signing off on another project; it doesn’t matter what reasons you offer for failure, however much some third party might be to blame, management will see you as accountable, and will hold you to account.

If, on the basis of your track record, they believe that you simply can’t deliver your proposals, you’re not likely to get many approved and, worse, you may sooner or later find yourself looking for employment elsewhere.

[1] See, for instance, Information Security Risk Management for ISO27001/ISO27002, Alan Calder and Steve Watkins, ITGP (2010).
