Why Infosec Languishes, Part II

Wednesday, October 28, 2009

Jim Anderson


In part one, we discussed why so many information security programs today are languishing in a state of "flat or down" in budget terms -- carrying a large number of unrealized plans and projects over several budget cycles.  Although external forces including economic downturn and market specific slowdowns do have their impact, these external forces alone often cannot explain why information security makes so little progress.   This phenomenon is often true even in situations where senior infosec leadership is experienced, holds multiple certifications, and otherwise commands an excellent grasp of the multiple disciplines of information security.

What is often missing is alignment with the business.  Good organizational alignment with the business has two major components.  First infosec leadership must understand the business in terms of how information is used, the various types of customers, the products, transactions and costs associated with the businesses.  But infosec must also understand how information security participates in the value proposition for the customers of the company's products.  Does security matter?  How do you know security matters?  Is it in your contracts?  Do external laws and regulations require you to touch certain bases when it comes to information security?  The answers to these questions are essential to understanding how security participates in the success of the company beyond merely avoiding "something bad happening."

There are two places to start when considering how to increase alignment of information security with the business.  The first place is with an inventory of existing security controls.  Everything from authentication to access control to network protections to desktop and server configuration must appear in that inventory.  Next is a thorough understanding of the product development processes of the company.  Especially important as a key subset within product development is the information component of the product.  In businesses such as financial services information is as much as 90% or more of the tangible content of any given product.  In a consumer products company, the information content of the product is a little bit more subtle.  For example you may make laundry detergent and toothpaste but information about who buys laundry detergent and toothpaste, how much product has been ordered and sold in various parts of the world, how much product still resides on retailer shelves, etc. etc. are all questions that get to the information content of the product.  Anytime information is involved as an important part of the product, the security of that information -- whether competitive confidentiality or information integrity or other security value -- becomes an important part of the value proposition.  In a basic industry such as steel manufacture, key information components include such things as the specification of the product, quality testing regimes, etc.  And almost all businesses have as a major information product component the customer list, all types of information about orders, account balances, terms, history and plans.

Once you've developed an understanding of the product cycle including a detailed understanding of the information content of the product, you are ready to think about how to establish and increase the alignment of your information security program with the business.  A good place to start is by understanding the software development lifecycle within your company.  Is security a required part of the software development lifecycle?  Are you able to say for any given project, what are the detailed security requirements?  If not, find ways to partner with your counterparts in systems development to get security requirements thoroughly integrated at the specification and design stage.  The result will be a detailed list of security requirements that can be traced back to the components that are developed as a part of the project.  You can now get a fairly good insight into the security controls and the costs of those controls and how they relate directly to specific products sold to end customers.

Do your customers ask about information security?  Is security a part of the contracts between your company and its customers?  The answers to these questions provide your next major step in achieving alignment with the business.  In my consulting practice I often find that the process of fielding and answering customer's questions about security is handled very informally.  Some sales reps feel very comfortable answering in detail others ask for assistance from headquarters or specific subject matter experts within the infosec Department.  One of the key elements in achieving the alignment between information security and the business is establishing personal relationships with the sales organization and with individual customers.  In regulated industries customers often ask to speak with the information security leadership providing ready-made opportunities to establish those relationships.  Be in a position to summarize the impact information security has had on the business in terms of which key customers and how much revenue is directly related to information security.  Don't get trapped into the thinking that security alone was or was not responsible for any given sale.  Most products are a mix of product values that include information related, other brand equity elements, and other intangible factors.  However, when the information security spends time with customers as a part of the product sell cycle or renewal process, information security owns a share of the win or the loss of that business.  A well aligned information security function will be able to state precisely those wins and losses which communicates to the sales organization that information security is involved and focused on the primary functions of the organization.

The next step in the maturity progression of understanding the importance of information security as a product value is specifically identifying the security components within the product.  Then it is possible to say which components are being added or enhanced with the new release or the new product.  If security is a major cost factor, then controlling costs by innovating and improving the cost effectiveness of the operation of security controls becomes a key part of product value.

Of course underlying all of this discussion is the key assumption that information security leaders understand the business and can participate with the leaders of the other functions of the business as different strategies and implementations are considered.  Many information security leaders have come up through the technical route and may not feel comfortable interacting with sales or production professionals on these subjects my advice is: get the knowledge.  Become an expert in the production, marketing and delivery of the products of your company's and apply that expertise in a way that enhances and focuses the value you bring through information security as a part of the overall product value proposition.  In this way, you will have maximized the alignment of information security and will be in the best position to provide the correct amount of information security regardless of overall business of funding.

Possibly Related Articles:
Budgets Enterprise Security Security Awareness
Enterprise Security Management Budgets Economy
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.