Security Technology Executive

JUL-AUG 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/557126

38 SECURITY TECHNOLOGY EXECUTIVE • July/August 2015 www.SecurityInfoWatch.com

COOL AS MCCUMBER

Practical Theory?

By John McCumber

John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.

Information systems security is pretty simple – except when it's not. There are some long-accepted shibboleths that are slowly being dislodged from our industry best practices. One appears wholly logical on its face. In fact, it was so commonly accepted that it was never even questioned until a decade ago: the information security discipline is a defined subset of information technology.

This perception led directly to the related organizational practice of placing the InfoSec function within information technology operations. It makes sense on one level. Since IT operations owns the infrastructure, shouldn't they also be responsible for the security of the data they transmit, store, and process? That's the theory.

The practice, however, and not the theory, is where the conflicts arise. Information technology operations are most often judged by their ability to keep systems up and running. The "availability" element of the confidentiality, integrity, availability triad quickly becomes pre-eminent. Additional security-relevant activities are then addressed only as resources and competing priorities allow. The senior security manager is placed in the untenable role of Doctor No. "We shouldn't open those ports." "You shouldn't provision privileged accounts outside our control." "We need to interrupt production systems for critical system patches."
Instead of being seen as a critical risk management partner helping ensure the protection of critical corporate information assets, the security manager is relegated to the position of an annoying security gadfly, always seemingly standing in the way of progress and efficient customer support.

Recently, there have been attempts to draw metrics out of various surveys and studies to support both sides of the question: whether the security leader should report to the CIO/IT director or to the CEO or a high-level risk committee. I've reviewed several such studies, and overall, the bases for the conclusions are suspect. That said, an organizational perspective demands we consider the impact of conflicts of interest on the InfoSec function.

Rather than debate the esoteric nuances of theory, I think it's easier for security professionals to evaluate observable activities. Here's a quick checklist for you to use to see if these conflicts exist in your organization:

• Security leaders consistently fall into the "Dr. No" role
• Security incidents become exercises in "I told you so…"
• The C-suite has little or no insight into important risk decisions
• IT leaders talk in terms of security management, and not in terms of risk management

If you see any of these telltale signs, it is safe to assume you have the InfoSec leadership position misaligned within your organization, no matter who reports to whom. When your availability function overrides integrity and confidentiality, it's likely an organizational and people problem, not a technology problem. You may have to disorganize the security function for security's sake. ■

Security Technology Executive is published by Cygnus Business Media, Inc. (www.SecurityInfoWatch.com). Editorial Director/Editor-in-Chief: Steve Lasky.
