What is information security management and how can you benefit from it? Andy Taylor tells all.
Information has been a valuable currency since the very earliest civilizations, and its importance has only grown in the intervening millennia. Today it is the lifeblood of most, if not all, companies and organizations operating in the modern world.
Whilst your business may be plumbing, manufacturing, logistics, financial services or retail, and whether you realize it or not, the information you have and use on a regular basis is critical to your business and must be looked after just as you would any other asset. It is not too trite to say that information is now probably your most valuable asset.
Risk to your business is an everyday management issue. You would be failing in your job as a business leader if you were not considering risks to your business, and information has the capacity to become a major one. Unfortunately the risk is not directly related to the size, type, location or makeup of the organization: the smallest organization is every bit as likely to be attacked for the information it holds as a major multinational.
Some of the most serious data breaches in recent months have come about because of the inadequate security measures taken by suppliers. This works both ways: suppliers to you might be a problem and those to whom you supply goods and services might be at risk from your poor security practices. In either case the end result is likely to be the same – damage to both companies with the potential for serious consequences including bankruptcy. If information security risk management is not a standing agenda item on your management board’s meetings, you are likely to be failing to do what is required.
What should you do?
You do not need to be a security expert to start the process of ensuring you are taking the necessary precautions to look after your information. The basic principles are little more than common sense.
You need to know what information assets you have, where and by whom they are held. This is not necessarily an easy step but it is crucial to understand what you are trying to protect.
This should automatically lead into why it is important to look after the information you hold. Some information may need very careful protection such as:
- Identifiable personal data
- Financial data (such as bank account details of suppliers or customers)
- Intellectual property with copyright, trade secrets and the like
Other information like marketing materials, routine administration or simple names and addresses may need less protection because it has less value. It is not necessary (nor cost effective) to try to protect all information to the same level. Do watch out, though, for dependencies that might not be so obvious. One piece of seemingly insignificant information might be the key to a whole range of other information and, if removed from the system, could result in catastrophic failure of the whole information service. Creating a topology of the way information flows around an organization can help to identify weak points, hot spots, bottlenecks and critical dependencies that need to be addressed more carefully.
Once you know what you are trying to look after, where it is held and by whom (it could be outsourced, for example) then you can take a measured approach, a risk strategy, to the management of the risks faced. A business impact analysis will help you decide which information would cause you most damage if it were lost, unavailable, corrupted or misappropriated. It will be closely linked to money and the amount you as an organization are prepared to spend on protecting your information assets. Clearly, spending to look after the most critical assets, the ones with the potential to cause most damage or financial loss, is likely to be higher than for more general information.
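The two points above, that a low-value asset can be the hidden key to high-value ones and that a business impact analysis should drive where the protection budget goes, are easier to see when the asset register and its dependencies are written down and the impact scores are propagated along the dependency edges. The following is an added example, not from the article or from APMG: the asset names, owners, locations, impact scores (a 1-5 scale) and dependency edges are all constructed for illustration.

```python
from collections import defaultdict

# Constructed asset register (hypothetical assets, not from the article).
# "impact" is the direct business impact, on a 1-5 scale, if the asset is
# lost, unavailable, corrupted or misappropriated; owner and location record
# "by whom and where it is held", including outsourced assets.
ASSETS = {
    "customer_db": {"impact": 5, "owner": "Sales",     "location": "cloud (outsourced)"},
    "payroll":     {"impact": 4, "owner": "Finance",   "location": "on-prem"},
    "marketing":   {"impact": 1, "owner": "Marketing", "location": "SaaS"},
    "office_dns":  {"impact": 1, "owner": "IT",        "location": "on-prem"},
    "idp":         {"impact": 2, "owner": "IT",        "location": "cloud"},
}

# Constructed information-flow topology: asset -> assets it cannot function without.
DEPENDS_ON = {
    "customer_db": ["idp", "office_dns"],
    "payroll":     ["idp"],
    "marketing":   ["office_dns"],
    "idp":         ["office_dns"],
}


def dependents(depends_on):
    """Invert the edges: asset -> set of assets that depend on it directly."""
    inv = defaultdict(set)
    for asset, deps in depends_on.items():
        for dep in deps:
            inv[dep].add(asset)
    return inv


def transitive_dependents(depends_on, asset):
    """Every asset that would be affected, directly or indirectly, if `asset` failed."""
    inv = dependents(depends_on)
    seen, stack = set(), list(inv.get(asset, ()))
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(inv.get(current, ()))
    return seen


def effective_impact(assets, depends_on):
    """Propagate impact upstream until a fixed point: an asset is at least as
    critical as anything that transitively depends on it. The loop terminates
    because scores only ever increase and are bounded by the top score."""
    inv = dependents(depends_on)
    eff = {name: info["impact"] for name, info in assets.items()}
    changed = True
    while changed:
        changed = False
        for asset, users in inv.items():
            top = max(eff[u] for u in users)
            if top > eff[asset]:
                eff[asset] = top
                changed = True
    return eff


def hidden_dependencies(assets, depends_on):
    """Assets whose propagated impact exceeds their own rating: the
    'seemingly insignificant' items that deserve a higher protection level.
    Returns asset -> (direct impact, effective impact)."""
    eff = effective_impact(assets, depends_on)
    return {a: (assets[a]["impact"], eff[a]) for a in assets if eff[a] > assets[a]["impact"]}


def impact_report(assets, depends_on):
    """Rank assets by effective impact, then by blast radius, for the risk board."""
    eff = effective_impact(assets, depends_on)
    rows = []
    for name in assets:
        blast = len(transitive_dependents(depends_on, name))
        rows.append((eff[name], blast, name, assets[name]["owner"], assets[name]["location"]))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for eff, blast, name, owner, location in impact_report(ASSETS, DEPENDS_ON):
        direct = ASSETS[name]["impact"]
        print(f"{name:12} direct={direct} effective={eff} dependents={blast} {owner} / {location}")
```

On the constructed data the office DNS service, rated 1 on its own, ends up with an effective impact of 5 and four transitive dependents, because the identity provider and therefore the customer database cannot run without it. That is exactly the kind of finding the topology exercise is meant to surface, and it is what should change the protection budget for that asset.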
It is important to understand that information like any other product has a lifecycle. Information is created (perhaps from raw data for example) then stored and processed (often repeatedly), and finally destroyed. Your risk management strategy must address all stages of this life cycle.
It might be useful to break down the requirements for each stage of the lifecycle into constituent parts each of which will need careful consideration. These elements must be present at all times, for all information and for all stages of the lifecycle if the asset is to be managed and protected appropriately.
Here are some questions you should be asking, although it is not an exhaustive list:
- Training – do the people know what to do and how to do it correctly?
- Equipment – do you have the right type of equipment/process to ensure the secure creation, storage, processing, transfer and deletion of information?
- Personnel – do you have the appropriately skilled people available to you to advise on security, to design secure systems and to manage security on a day-to-day basis?
- Information – are you collecting the appropriate information on threats and weaknesses (vulnerabilities) in and about your systems to make the right assessment of the risk?
- Policy – do you have the right set of policies that make it clear to everyone what they must, can and should do with regards to information security?
- Organization – do you have the right people making the key decisions in a timely manner based on good information, experience and advice?
- Infrastructure – do your IT systems facilitate best practice security management because they have been designed with security as a basic principle?
- Logistics – do you have the appropriate money, resources and related logistical requirements to manage and maintain your systems?
The risk from a cyber-attack is best managed if a formal systems engineering approach to the design, development, maintenance and disposal of systems is used. It has to be a cradle-to-grave approach and, as ever, the weakest link in the security chain will always be the place where a successful attack is targeted. Well-implemented service management should deliver security as part of its everyday activities.
Once you have the basic principles of security in place, the ongoing maintenance is critical. The people in an organization are still widely accepted as the primary weak point in cyber security as it is often staff members that cause major problems when they do something they shouldn’t through ignorance, accident or deliberate act.
It is often an excellent idea to train up and appoint "champions": workers throughout the organization who act as the first port of call for staff with security questions and who help spread the key security messages to the entire workforce. They need not be technical people. They need to speak plain language rather than techno-babble, and must be regularly trained and updated on the current threats and events to which staff might be exposed. They should be given ownership of information assets, processes and/or the defensive measures to be taken, ensuring, of course, that there is no conflict of interest.
How good do we need to be?
The simple answer is "good enough", but of course that should not lead to complacency. There are many ways of assessing how well your organization looks after its information. The UK government has developed Cyber Essentials as a guideline for what businesses should do. This can lead into the government's "10 Steps to Cyber Security", designed for larger and more security-aware businesses. Then certification against the international standard ISO/IEC 27001:2013 can be used as a higher-level measure of assurance. Penetration testing of your systems, both internal and external, can also be undertaken and should be considered mandatory for any system that is internet-facing.
These certifications all have their place (and there are plenty more of them) but they should also be considered with some care. They are all really little more than a snapshot of the security in place on the day the assessment was done. If the system changes, the threats change, the staff change or indeed virtually anything changes in relation to the information system, there is a risk that the overall security will not be as effective as it was thought to be.
True cyber defense must be a proactive process if real threats are to be stopped or at least have their impact minimized effectively. To be proactive, there must be continual improvement in the way all security controls are implemented and operated. Only if that is happening will the defenses continue to work effectively against the newest threats and vulnerabilities. So a measure of the maturity of the implementation of the controls is paramount. If this is done appropriately and the results passed to the relevant board members, they should then be able to see where they need to reconsider their security defenses, where there is a need for more (or perhaps less) expenditure, and what real financial impact the company is facing.
Once this is understood a proper plan of action, appropriately resourced in all respects, can be put in place to provide the level of protection the board feel is appropriate. This is likely to include some transfer of risk to an appropriate insurance policy. The cost and coverage of the policy is likely to reflect the degree to which the organization has taken measures to protect itself.
Once the maturity has been benchmarked, changes in policy, technology, risk or anything else can be considered with a repeat of the assessment, carried out either by internal staff or by external independent assessors. This is the hallmark of a mature organization, and the one least likely to be attacked successfully from the internet or anywhere else.
Ten top tips on cyber defense management:
- Know your business and the digital assets upon which it depends
- Agree an overall risk strategy that you intend to manage
- Include cyber defense management as an equal stakeholder in the strategy
- Quantify and evaluate the financial impact of data loss or business outage for your business
- Break your strategy into the operational risk management of lifecycles covering training, equipment, personnel, information, policy, organization, infrastructure, logistics
- Assign responsible "champions" to each business asset and defensive strategy (threats cf. control list), and de-conflict these
- Create the topology of what you are protecting and the dependencies of each business component
- Benchmark against known cyber security outcomes of how well you currently perform against each of these controls and publish the findings to the risk board and non-executive directors
- Agree plans that include the cost to remediate problems, to transfer risk to insurance or decide what you are prepared to self-insure
- Repeat the quantification and business strategy assessment whenever the business, the systems, the threats or the vulnerabilities change
Andy Taylor is the lead assessor for APMG International in several cyber security disciplines.