I must confess this worries me. Management teams should not be relying on luck for their security.
In many cases the plethora of best practice, conflicting priorities and technical complexity exacerbates the problem, because it obscures common operational sense. Security managers and executives alike become reliant on unwieldy security architectures underpinned by short-term technical patches or outdated technical strategies which have been outmanoeuvred by the threat landscape. These complex and unwieldy architectures often obscure the real issues and their causes, making a pragmatic solution harder to achieve and coherent priorities harder to manage.
Sometimes it is important to ground our information picture. Decision makers must continually ask themselves some simple questions:
- Does the risk picture I am seeing ring true – and do I understand it?
- Does it gel with my view of the wider operational context?
- Can I act on the information I am receiving in a clear, timely and effective manner?
If the answer to any of these is “no” – then the next step is simple – establish an effective and coherent risk picture and ensure it is reviewed regularly. Whilst the step is simple, this does require effort.
As managers, we accept that information risk is increasingly a fact of life, and we manage it. When information security is compromised through lack of resource, this should (normally) be a conscious risk decision by management teams. When organisations do “breach” standards and compliance systems, or identify a breach of security, the incident shouldn’t be a surprise to anyone – though the actual event may be unexpected. Understanding this difference is vital to the effective management of risk.
Once an incident does occur, rather than reacting in a panic, urged on by baying media and consumers, organisations should be able to change posture in a controlled and practised manner, manage the incident as part of a planned incident response process, and move on, learning and evolving as they go.
This is only possible if organisations have effective management systems in place, and if these management systems are integrated with normal operational structures, and supported from the top down.
Where do we go from here? Before rushing into specifying detailed security architectures, we all need to step back. There is a lesson for all of us.
- As Information Security Professionals we must ensure that we understand the operational context of the organisations with whom we are working and ensure that security management activity and structures are coherent.
- As management teams or executives, we should clearly understand our information risk pictures, including organisational appetites and tolerances in the wider context of business.
- As consumers and bystanders, we shouldn’t expect a risk-free environment; instead we should embrace risk, applaud effective management and take some responsibility for managing our own risk.
Management teams should not be embarrassed by security breaches – but they should be embarrassed by being unprepared for them.