A 6-step strategy for Information Security Management
Updated: Jan 2004
Introduction
Whilst information security management professionals implicitly understand the link between improving information security controls and reducing risks, to senior managers with limited funds, information security is often 'just another cost'. Information security does not have an absolute right to a certain level of funding but has to compete for resources alongside other company functions and initiatives. This white paper elaborates a structured way of justifying and initiating a programme to improve information security controls in six straightforward steps or phases. Our main aim is to help you persuade your company (most likely through the Board of Directors) to spend its limited funds wisely by building and selling the business case for investing in information security management.
The guidance presented in this paper is the culmination of our practical experience managing information security and IT audit functions for various clients. Having worked for organizations at various levels of maturity in these functions, we recognise and adopt patterns that led to success and, of course, seek to avoid those which foundered.
This paper does not purport to be the definitive solution to every organization’s information security woes, but rather a source of ideas and inspiration. It is certainly not the only way to improve information security (see for example this three month plan). Please contact IsecT if you wish to comment on, or contribute to, the paper.
A strategic approach that works
Whether you are implementing information security management from scratch or improving an existing function, it is worth considering and planning actions over both the short- and long-term because these are complementary approaches. Short-term (tactical) activities can achieve significant improvement in certain narrow areas and, most importantly, can generate the impetus and information to address broader and deeper-seated problems. However, failure to address the long-term root causes of poor information security is one of the most widespread and serious management issues today.
The six-step approach documented in this paper incorporates the concept that strategic investment in managing information security is both necessary and valuable. There are several references to building a business case to justify the investment, implying that information security managers need to develop competencies in fields such as investment appraisal/financial assessment/cost-benefit analysis.
As with risk management in general, justifying substantial investment in information security is no mean feat where success means 'reducing the risk of something terrible happening' (i.e. cost avoidance, an intangible or hypothetical benefit) rather than 'making more profit'. Organizations with limited funds (is there any other kind?!) inevitably have to choose how they will spend their cash: executives typically struggle to compare intangible cost-avoidance projects against more conventional investments (such as building new factories or systems).
We have not specified a timescale for the implementation of this strategy since organizations vary markedly in their appetite and capacity for change. A large/ponderous organization might take several months just to agree to initiate such a scheme and perhaps years to implement it, whereas a smaller/more agile peer might complete the whole thing within a few months.
Step 1: Implement baseline controls
This step comes first because without a solid foundation, the rest will totter and fall. There is little point in seeking investment for information security if the basics have been neglected. If information security is not being actively managed at present, your organization will undoubtedly have built up a legacy of information security issues.
Making a serious effort to tackle the backlog of outstanding security issues is a double-winner:
The backlog can normally be significantly reduced simply through concerted effort to address the most obvious issues, and
Making significant progress is the best way to demonstrate to management that your new approach actually works - it establishes a level of trust in your capabilities and thereby makes further investment more likely.
Basic commonplace security measures (also known as baseline or key controls) are relatively cheap. Don't be ‘the only house on the street without a burglar alarm’, in other words aim to at least match the information security stance of your peers. Standards such as ISO/IEC 27002 (formerly BS7799 and ISO/IEC 17799) provide useful generic guidance on baseline/best practice information security controls, such as:
Information security policy, endorsed by senior management
A discrete Information Security function staffed by competent people and also supported by senior management
Physically secure working environment e.g. good door locks, strong walls etc.
Data backups stored securely and restore-ability regularly tested
Information security obligations specifically included in contracts
Personal usernames and good passwords. The paper's 2004 baseline was an absolute minimum of 6 characters changed every 90 days; current guidance (e.g. NIST SP 800-63B) favours longer minimums and screening against known-weak or breached passwords over forced periodic expiry. Trivial choices such as username=password are forbidden under either regime.
Effective antivirus scanners on all platforms with regular ‘virus signature’ updates
Security aspects included in operations procedures
Widespread information security awareness program, planned and actively managed on an ongoing basis to reach all employees (see www.NoticeBored.com)
Information security systematically included in systems development and testing processes
Review current status and implement necessary improvements as soon as practicable - don't await the full outcome of a laborious risk assessment, make a start today (you can always curtail controls later in the unlikely event that they turn out to be unwarranted!)
Progress subsequent steps in parallel
Measure information security to help justify the expense:
Measuring the costs and benefits is key to demonstrating that information security adds value to the organization
Absolute precision is less important than measurement breadth and integrity – the aim is to persuade the organization that information security is definitely worthwhile, not to determine exactly how much it is worth. Better to know you are more-or-less right overall than to know the absolute value on a narrow and largely irrelevant measure.
Historical data on actual breaches (prior to the implementation of controls) can provide convincing evidence of the need to improve, especially if you can estimate the cost of those breaches (e.g. direct losses incurred plus cleanup costs and costs of improving controls to prevent recurrence)
Establish and actively participate in cross-departmental liaison with those having complementary responsibilities (e.g. Information Security, Physical Security/Facilities, Human Resources, Internal Audit, Risk Management)
Keep management informed - partly to raise their awareness of the importance of information security, partly to allay their fears and become a focus for concerted action
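The password item in the baseline list above is the one control in this step that can be checked mechanically. The following is an added example written for this page, not code from the paper or from IsecT: it screens a proposed password against the paper's 2004 baseline (6-character minimum, 90-day age limit, not equal to the username) and against the 'similar weak choices' the paper alludes to. The similarity heuristics, the leetspeak normalisation and the tiny deny-list are my assumptions; a real deployment would screen against a large breached-password list instead.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 6      # the paper's 2004 absolute minimum; raise it in a modern policy
MAX_AGE_DAYS = 90   # the paper's rotation period (current guidance drops forced expiry)

# Constructed deny-list of trivially guessable choices (assumption, not from the paper).
COMMON = {"password", "passw0rd", "123456", "qwerty", "letmein", "welcome"}


def _normalise(s):
    """Lower-case and undo common digit/symbol substitutions so P@ssw0rd == password."""
    return s.lower().translate(str.maketrans("0134@$", "oleaas"))


def weaknesses(username, password, last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password is acceptable.

    `last_changed`/`today` are dates; `today` is a parameter so the check is deterministic.
    """
    problems = []
    u, p = _normalise(username), _normalise(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if u and (p == u or p == u[::-1]):
        problems.append("password is the username (or its reverse)")
    elif u and u in p:
        problems.append("password contains the username")
    # 'password1', 'password!' etc. are the same weak choice with a suffix bolted on.
    stripped = re.sub(r"[\d!.?]+$", "", p)
    if p in COMMON or stripped in COMMON:
        problems.append("common password")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=MAX_AGE_DAYS):
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    for user, pw in [("jsmith", "jsmith"), ("jsmith", "P@ssw0rd"), ("alice", "Alice2004!"),
                     ("bob", "correct horse battery staple")]:
        print(f"{user!r}/{pw!r}: {weaknesses(user, pw) or 'OK'}")
```

The normalisation step is what turns "username=password" into a useful rule rather than a literal string comparison: without it, `JSmith`/`jsmith` and `password`/`P@ssw0rd` both pass.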
Step 2: Analyse information security risks
Be systematic - preferably use an accepted information security risk assessment method (e.g. the Information Security Forum's ‘SPRINT’), and information security specialists (such as IsecT!) as facilitators
Analyse broadly at first, then home in on any particularly worrisome aspects
Force the business to accept its responsibility for information security - the controls are to protect the business, not for the benefit of the Information Security function!
Review effectiveness of security measures in place e.g. by penetration testing that includes social engineering attacks
Identify approximate costs of maintaining existing security measures
Identify and characterise any recognised information security breaches (e.g. roughly how many virus infections have there been in the past year? How expensive were they in terms of downtime, data loss etc.? Again, being roughly right across the board is better than being precisely right on little pieces).
Step 3: Prepare business case to improve controls
Set the scene using background data from risk assessment, including examples of actual breaches
Assess the broad costs of proposed controls against their effectiveness and benefits, primarily in terms of risk reduction. Note that procedural improvements are generally highly effective and very cheap, an unbeatable combination. Technical controls (automated elements such as system login processes, data access controls, PKI systems etc.) are generally expensive to implement and can be laborious to maintain effectively. Procedural controls include information security tasks integrated within routine work (e.g. checking that payment details entered into the system match the corresponding invoices) as well as specific additional tasks (e.g. changing passwords). Simple, common procedural controls become second nature through frequent repetition, whereas more complex activities require training and written guidelines. Their main ongoing cost is staff time, and because a skipped procedure fails silently, the effectiveness review in Step 2 should check that they are actually being performed.
Prioritise control improvements according to net benefits: all the 'cheap' controls (including most of the procedural improvements) should generally be included, but also select more expensive controls if they have definite benefits or will simultaneously address multiple risks
Seek out an information security champion on the Board - someone who has a lot to lose if information security breaches were to continue as a result of their inaction - and work on them to raise their understanding of the issues
Don't [always] be alarmist: shock tactics might work once or twice but Directors will soon tire of “the end is nigh” diatribes - use reason and persuasion rather than threats or FUD
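Steps 2 and 3 describe a procedure: estimate the frequency and cost of breaches from the incident history you can actually find, then rank control improvements by net benefit, including all the cheap ones and selecting expensive ones only where they still pay back (bearing in mind that one control may address several risks, and that a cheap control may already have removed most of the risk an expensive one targets). The following is an added example written for this page, not IsecT's method or code. It expresses each risk as incidents per year times mean cost per incident, a common quantification the paper does not itself prescribe, and separates one-off from ongoing control costs as Step 4 recommends. The incident records, the cost figures, the hourly downtime rate, the 3-year horizon, the 'cheap' threshold and every reduction factor are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Incident:
    risk: str             # risk category the breach belongs to
    downtime_hours: float
    direct_loss: float    # money or data actually lost
    cleanup_cost: float   # staff time, consultants, rebuilds


@dataclass
class Risk:
    name: str
    incidents_per_year: float   # frequency estimated from history
    cost_per_incident: float    # mean cost of the recorded incidents

    @property
    def annual_loss(self) -> float:
        return self.incidents_per_year * self.cost_per_incident


@dataclass
class Control:
    name: str
    one_off_cost: float   # specify, build, implement
    annual_cost: float    # operate and maintain
    reduction: dict       # risk name -> fraction of the *remaining* loss it removes (assumed)

    def total_cost(self, years: int) -> float:
        return self.one_off_cost + self.annual_cost * years


def risks_from_history(incidents, years_observed, hourly_downtime_cost):
    """'Roughly right across the board': frequency and mean cost per risk category."""
    costs_by_risk = {}
    for inc in incidents:
        cost = inc.downtime_hours * hourly_downtime_cost + inc.direct_loss + inc.cleanup_cost
        costs_by_risk.setdefault(inc.risk, []).append(cost)
    return {name: Risk(name, len(costs) / years_observed, mean(costs))
            for name, costs in costs_by_risk.items()}


def net_benefit(control, residual, years):
    """Loss avoided over the horizon, given what is still at risk, minus total cost."""
    avoided = sum(residual.get(r, 0.0) * f * years for r, f in control.reduction.items())
    return avoided - control.total_cost(years)


def prioritise(controls, risks, years=3, cheap_threshold=5_000.0):
    """Adopt every cheap control, then add expensive ones greedily while each still pays
    back against the risk that remains after the controls already chosen."""
    residual = {name: r.annual_loss for name, r in risks.items()}
    chosen = []

    def adopt(control):
        chosen.append((control.name, round(net_benefit(control, residual, years))))
        for r, f in control.reduction.items():
            if r in residual:
                residual[r] *= 1.0 - f

    cheap = [c for c in controls if c.total_cost(years) <= cheap_threshold]
    expensive = [c for c in controls if c.total_cost(years) > cheap_threshold]
    for c in sorted(cheap, key=lambda k: net_benefit(k, residual, years), reverse=True):
        adopt(c)
    while expensive:
        best = max(expensive, key=lambda k: net_benefit(k, residual, years))
        if net_benefit(best, residual, years) <= 0:
            break
        expensive.remove(best)
        adopt(best)
    return chosen, residual


# Constructed two-year breach history (not real data).
INCIDENTS = [
    Incident("virus", 8, 0, 1200), Incident("virus", 16, 0, 2000), Incident("virus", 4, 0, 800),
    Incident("virus", 8, 0, 1200), Incident("virus", 24, 5000, 3000), Incident("virus", 8, 0, 800),
    Incident("payment_fraud", 0, 15000, 2000), Incident("payment_fraud", 0, 9000, 1000),
    Incident("unrecoverable_data", 40, 20000, 6000),
]

# Constructed candidate controls with assumed costs and reduction factors.
CONTROLS = [
    Control("Reconcile payment details against invoices", 500, 1000, {"payment_fraud": 0.8}),
    Control("Password policy plus awareness briefings", 1000, 1000, {"virus": 0.2, "payment_fraud": 0.1}),
    Control("Quarterly tested restores", 1000, 1200, {"unrecoverable_data": 0.9}),
    Control("Central antivirus with automatic signature updates", 12000, 4000, {"virus": 0.7}),
    Control("PKI-signed payment approvals", 60000, 15000, {"payment_fraud": 0.5}),
    Control("Off-site backup service", 8000, 3000, {"unrecoverable_data": 0.5}),
]


def run_example(years=3):
    risks = risks_from_history(INCIDENTS, years_observed=2, hourly_downtime_cost=500)
    chosen, residual = prioritise(CONTROLS, risks, years=years)
    return risks, chosen, residual


if __name__ == "__main__":
    risks, chosen, residual = run_example()
    for r in risks.values():
        print(f"{r.name:20s} {r.incidents_per_year:.1f}/yr x {r.cost_per_incident:,.0f} = {r.annual_loss:,.0f}/yr")
    for name, nb in chosen:
        print(f"ADOPT {name:55s} net benefit over 3 yrs: {nb:>8,}")
    print("residual annual loss:", {k: round(v) for k, v in residual.items()})
```

With these constructed figures the three procedural controls are adopted first, the central antivirus product still pays back against the virus losses that remain, and both the PKI scheme and the off-site backup service are rejected: not because they do nothing, but because the cheap controls have already removed most of the loss they would address. That is the argument Step 3 asks you to make to the Board, with the numbers behind it.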
Step 4: Initiate an overall information security improvement programme
Using the business case, seek management approval for an overall information security improvement programme containing specific sub-projects to address certain aspects or secure individual systems (note: in modern organizations, the programme is synonymous with the 'Information Security Function annual plan'!)
Secure sufficient funding for the programme - separate-out the specification, building and implementation of controls (one-off expenses) from operating and maintaining them (ongoing expenses)
If necessary, seek funding in phases with management review points prior to successive budget approvals
Step 5: Manage and deliver the programme
The improvement programme should be competently managed just like any other business initiative e.g. good project plans, budgetary controls, high quality deliverables and measured progress
Put good managers in charge of building and delivering the programme, and reinforce them with clear management support (note: building a strong information security team and installing best practice information security management techniques are valuable byproducts of a good information security improvement programme, with long-lasting organizational benefits)
Build or strengthen your general information security infrastructure in parallel with specific activities (e.g. there should be a clear focal point within the department for information relating to viruses: no-one else should normally disseminate virus warnings etc. without their authority, and staff should naturally turn to them for advice)
Measure and promote the benefits of information security controls (e.g. demonstrate reduced disruption and data losses from virus infections resulting from improved antivirus controls)
Step 6: Review progress
Continually review the information security aspects of the business environment to identify and respond effectively and at the earliest opportunity to new/increased risks (e.g. increasing use of network connections to third-parties places greater reliance on trust and network security; all new IT projects should undertake information security risk assessments as a rule during the design phase)
If necessary, seek further funding to address other/lower-risk issues and/or re-prioritise the sub-projects to match justified business requirements
Maintain the plan on a rolling basis i.e. turn the programme into business-as-usual
Continue the division between one-off and routine activities through separate infosec policy/consultancy and infosec admin staff, but ensure these are closely aligned.
Conclusion
This paper explains a structured, rational approach that helps justify information security to the Board as an investment. Try it - it works! If, even after trying this approach, your Board still does not provide sufficient resources for information security management, it is surely only a matter of time before their luck runs out and a serious breach occurs. Even if it doesn't save the company from serious damage, this approach may save your career!
Further information
Please contact IsecT for access to consultants with experience of implementing the approach documented in this paper.