
Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products

CIO Guide to a successful Information Security Practice

Another commonly held view across Information Security communities is that, given the current level of cyber threats, business protection is primarily driven by the implementation of the latest technical Information Security products (in order to “keep up with the hackers”).

Given the complexity of the cyber landscape, and the speed at which both technologies and the related threats are evolving, it is clear that technical Information Security products are essential to protecting information assets. However, it is easy to forget that information assets are not purely digital: ultimately, it is the combination of digital controls and people’s actions, coupled with the right physical and functional processes, that forms the strongest line of defence.

Therefore, to create an effective protection framework for information assets, it is critical for solution architecture and design to focus on people, process, and a clear definition of roles and responsibilities amongst all stakeholders – before looking for specific technical Information Security products.

It is all too easy to believe that the latest Information Security technology is a “silver bullet” that will protect the business. The key to avoiding this trap is to properly understand the threats you are trying to protect the business against and to always focus on the most appropriate controls. What will a particular new technology actually achieve? Can it be practically deployed across the whole organisation? And will it genuinely improve the protection of the business, or is it just somebody’s “pet project”? Not all controls need to be technical in nature; procedural controls are sometimes both more effective and more efficient to implement.

Technology vendors are all too keen to sell their products and highlight the benefits that may be derived – but this often ignores the complexities of actually implementing the product across the complete scope of a large organisation.

This all too frequently leads to a situation where a product only ever gets partially implemented, which can have a number of potentially damaging consequences:

  • The business may be unaware that the complete implementation has failed so will falsely believe that it is better protected than it actually is.
  • When made aware (and in particular if this is a recurring event), the business may question the value of the Information Security function, which could erode the CISO’s credibility or their ability to secure future budgets.
  • The Information Security team is likely to be frustrated that they have not completed the implementation and don’t have visibility or control across the entire organisation.
  • The vendor is unlikely to be happy in the longer term because the customer may question recurring charges or the purchase of additional products.

Always following the latest Information Security technical trends can be dangerous for CISOs. It may help to put ticks in audit and compliance boxes, but it also diverts resources from the implementation of essential controls. As mentioned in an earlier article in this series, these essential controls can prevent approximately 80% of cyber-attacks according to the UK GCHQ (“Countering Cyber Threats to Business”, Institute of Directors Big Picture, Spring 2013). Technical solutions to enable the essential controls have existed for many years, and the CISO’s priority must be to ensure that they are properly put in place in support of the right processes.


Neil Cordell

Director

Corix Partners


This article is the final part of the series “The CIO Guide to a successful Information Security practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.

Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.