Information Security is still broadly perceived as an IT discipline built around technical products and projects – you just have to open any industry magazine or publication to see it. The InfoSec Europe exhibition in London in June 2015 would have attracted around 350 vendors and tens of thousands of technologists, and there are several similar shows around the world every year.
The “three lines of defence” models promoted in some form or another by various standards such as COSO or ISO31000 are poorly understood and poorly applied. Information Security is often arbitrarily kept in a technical first line, in spite of its complex nature, requiring a true implementation across the three lines of defence – and across many corporate silos.
In practice, this excessive technical focus, which spans the entire industry history, is failing for most large organisations. In fact, many of these organisations claim to spend in excess of 3% of their total IT spend on cyber security, but in spite of the amounts invested over the years – 79% have not yet achieved an acceptable level of cyber security maturity (‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, in collaboration with McKinsey & Company – January 2014).
In our opinion, this failing situation is rooted in the lack of cultural fit between Security and IT mind-sets; technologists are trained and incentivised to deliver functionality, not controls – and this fundamental mismatch has two critical consequences:
Firstly, it deprives Information Security of the raw talents it deserves. Information Security is rarely seen as a career path to the top – and IT executives with potential look elsewhere for development. As a result, Information Security leaders are often good technologists – but lack the management experience, personal gravitas or political acumen they would need to be truly successful in such a complex role.
Secondly, it drives adverse prioritisation and focuses Information Security towards ad-hoc tactical point solutions. At best, the CISO becomes a ‘fire-fighter’, at worst an IT Programme Manager amongst many others – or a hobbyist playing around with ‘pet projects’ and changing jobs every couple of years as soon as the going gets tougher.
This tactical and technical focus rarely delivers true results in large organisations. They have become increasingly dependent on a larger and larger number of third-parties, their Information Security problems are often global and complex in nature, and the threats they face continue to evolve at a faster and faster pace. The geographical, operational and technical complexity of large organisations requires a proper governance framework – that is rarely in place – to enable the true delivery of Information Security solutions on a global scale.
This lack of results can drive middle-management frustration and budgetary tensions around Information Security internally, which in turn brews demotivation and further talent alienation away from InfoSec functions. It is often also the lack of results (or insufficient or slow progress) which attracts the attention of auditors and regulators on these matters; those are often ‘low-hanging fruit’ in the absence of any strategic vision around Information Security.
This, in turn, is effective at drawing the attention of Executive Management towards the topic, but for all the wrong reasons. And when coupled with the increasing media and political attention around cyber security, it simply aggravates the tactical dynamics around InfoSec. Driven by endemic fears of negligence claims and short-termist compliance obsessions, money which wasn’t there yesterday suddenly appears out of nowhere just to fix audit or compliance issues. Senior executives can go to the media or claim between themselves that “cyber is on our agenda and money is there”, but in practice, the lines haven’t really moved at all – and the same old mistakes are being perpetuated.
Over time, Information Security becomes an overhead and a problem, instead of a necessary barrier against real and active threats to the business. And in practice, money is often simply wasted to put ticks in boxes. A large number of technology companies make a good living in that space, but this ecosystem is inherently unhealthy. This results in stagnating protection levels and low cyber security maturity, which is what the World Economic Forum report highlighted last year.
Organisations which find themselves in such a situation – and want to break these dynamics of failure – must rethink their approach and rewire their Information Security practice by acting at 3 levels:
- The profile of the CISO needs to be right in order to drive change. Look without complacency at the Information Security history across the firm, and at the barriers that have prevented progress. The CISO needs to have the right amount of management experience, personal gravitas and political acumen to be credible with all stakeholders across corporate silos (not just technologists) – these are attributes of seniority. Information Security is not just a technical discipline. Information exists in physical as well as digital form – and is constantly manipulated by people as part of business processes. It needs to be protected at digital, physical and functional levels. Only with the right attitude and experience will the CISO be able to reach out of IT to all stakeholders and drive success. Of course, the reporting line of the CISO is of paramount importance in that context and we have commented several times about that in earlier articles. It should be to the CIO or the COO in most cases and delegating down must be avoided at all costs, as it would simply confuse objectives, create opportunities for political tensions with stakeholders – and destroy any credibility around the real desire of Executive Management to drive change.
- The CISO needs to structure their relationship with all stakeholders as part of an Information Security Governance Framework, positioning roles, responsibilities and accountabilities across the Information Security space and across the whole organisation from the top down. The CISO must also define a proper Target Operating Model for the Information Security team itself, which would give it a strong backbone, a clear structure and an unambiguous sense of purpose internally. All this is key to driving success. For example, you cannot imagine delivering a successful Identity & Access Management programme of work without the involvement of HR (and the business units if they are allowed to hire & fire directly) – and without clear demarcation lines around what gets done within the InfoSec team and what remains outside of it. The whole Governance model should also address, without complacency, the full geographical spectrum of the business – and its true nature in terms of dependencies on third-parties.
- The CISO needs to build a long-term Information Security Strategic Roadmap and be prepared to stay in charge for the time it will take to deliver it. Real and long-lasting change in the Information Security space will involve a cultural shift for most large organisations – and the embedding of a structured practice and a controls mind-set in the way the organisation works. It will not happen quickly. It could typically involve an initial transformation cycle of several years, followed by a consolidation cycle of several years. The CISO and key team members may have to consider their tenure over a 5 to 7 year horizon to genuinely drive change through. During that period, all actions (technical or not) must be pinned against a consistent long-term backdrop, including any unavoidable short-term tactical initiatives (typically driven by incidents, audit observations or compliance requirements). Inconsistencies and a constant reshuffling of priorities would simply kill the change momentum, as would the untimely removal of key personnel.
Raising the profile of the CISO (and their reporting line where necessary) will break the dynamics of talent alienation around Information Security. Sound Governance coupled with a better management & political acumen at senior level within InfoSec will break the dynamics of failure around delivery. Pinning success against a long-term backdrop and ensuring that the CISO and key personnel remain in place throughout will help Executive Management develop a true sense of purpose around Information Security, beyond short-termism or audit and compliance obsessions.
Over time, Information Security should become a valuable protective function at the heart of the organisation – not just an IT department that deals with audit issues.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.