Blog

  • Time-Driven Information Risk Management


    In my last article, we explored A Simplified Policy Framework to create effective management documents to set direction and measure compliance to control objectives regarding security. The Process was a centerpiece to the discussion. In this article, we’ll take it a step further to see the double dividend in taking a process-centric approach.

    Security is all about due diligence – ensuring proper alignment to the depth and breadth of enterprise and business-specific controls managing the confidentiality, integrity, and availability of information, systems, and processing facilities. The analysis can be exhausting – especially if you have to do it all at once while your Agile release train flies by.

    In my world, we have help at three levels of the organization: business process, security sub-process, and security service. A time-driven information risk management approach quickly assesses the impact of a change at each of these three levels and engages the principals assigned to those areas.

    At the Initial state of Information Security program development, unacceptable business risk surfaces due to the lack of a security program, causing a designated owner to be assigned and an Information Security Management process to be created. A new business process owner arrives at the table.

    Lack of frameworks for policy, control, classification, and risk management would also result in this highest level of process impact. Decisions in each of these areas impact all business processes equally. Strategies for all must be set in the initial phase of Information Security program development. Senior managers should be appointed to an Information Security Steering Committee and tasked with dealing with this change in strategy.

    Experts say the Information Security Management process defines sub-processes closely aligned to the Code of Practice for Information Security Management (ISO 27002). Each would have a manager assigned. Security practices include: Information Security Policies, Organization of Information Security, Human Resource Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Communications Security, System Development, Supplier Relationships, Information Security Incident Management, Business Continuity Management, and Compliance. If a single owner is not possible, allow several to partner in the stewardship of the sub-process.

    At an early stage of maturity, security services may not be defined, nor service levels enforced. A risk assessment may trigger the need for service formalization and measurement as part of the action plan; otherwise, ad-hoc service design and construction may persist.

    In summary, new rapid-development Agile methodologies create a greater dependency on a top-down, process-centric, multi-layered methodology to identify, assess, treat, and manage risk to information, systems, and processing facilities. Security due diligence becomes a cross-functional, organizational strategy, empowering direct and indirect resources to work together to manage change.

  • A Simplified Policy Framework

    I have seen a variety of approaches to policy and control over my 35 plus years working in IT and Information Security. Few common design patterns have emerged. Some don’t want to overthink it, while others see no organizational value in having it. Practically all end up with a library of conflicting and ineffective documents which must be regularly reviewed and acknowledged. There must be a better way.

    I view policies as management’s intent and measures for effective business Processes. It starts and ends with Process; policies are just a means to get there. Unlike most policy infrastructure, Processes are what we actually do. They are functional, and define the context into which controls are inserted. Start by defining your process model and the catalog/repository where users can go to find them. If done right, from an audit/compliance perspective, Processes are management’s assertions of proper security. Specific to Information Security, I start by writing an Information Security Management Process during the Initial phase of the program.

    At the same time, everyone needs to know that the institution intends to organize “programs” such as Information Security, Privacy, and Business Continuity. These are the Policies that define the key roles and responsibilities, and the framework for planning, developing, operating, and evaluating the associated “program” controls. Program policies often support and demonstrate interdependence with other programs. All programs should have at least one Policy. For my program responsibility, I start by writing an Information Security Policy during the Initial phase of the program.

    The true measures of any program are Standards. Standards describe the control characteristics that must exist and how deviations must be governed. Unlike Process and Policy, Standards are written for those responsible for the controls. Every control environment has a set of custodians. Standards allow custodians to develop, operate, and continuously evaluate the controls in their area of responsibility. For Information Security, I model my Standards on the practice domains of ISO 27002 and evolve the documents over time during the Developing phase of the program.

    Last but not least are Procedures. Procedures are the administrative steps to achieve control. For Information Security, they prevent, detect, and react to adverse events and incidents. Not every method needs to be formalized and written into a Procedure. Unacceptable risk and compliance factors often trigger their creation. Procedures detail a sub-process so it can be independently verified.

    Donald Borsay is the owner and principal consultant of Securitybeat Advisors LLC.

  • Chase for Talent Fuels Revolving Door

    Today’s job market for Cyber Security professionals reminds me of my days as a coach and organizer of youth basketball. Few athletes had the “exposure” of playing at High School powerhouses or national AAU Clubs. Most were relative unknowns regardless of their abilities. The Division 1 colleges and universities had little to go on besides what their recruiting department could pull together. Lesser talent with the right “exposure” got the opportunities. Much unknown talent was left wanting.

    The cyber security job market certainly suffers from more demand than it can handle. A year ago, Forbes pointed out that over 209k jobs went unfilled in 2015, entering a year predicted to chase one million cyber practitioners. CSO Magazine projects that 1.5 job openings will be available by 2019.

    So what will the cyber security job market do when demand keeps increasing?

    One consequence is the recruiting of talent from existing organizations; the chase for talent is definitely fueling the revolving door. The national brands offering the titles, resources, and control are winning the battle. How will the others compete?

    All too many are chasing the top talent and losing out by not filling their positions. I also think that few look for commitment and stability from their candidates. They instead pursue candidates on the fast track, only to see them come and go with little lasting value left behind.

    With the supply/demand ratio widening, it may be time to rethink this approach. So will this madness continue? Time will tell.

    References:

    1. https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#3bf5be257d27
    2. http://www.csoonline.com/article/3132722/security/cybersecurity-industry-outlook-2017-to-2021.html