NEWS AT SEI
This article was originally published in News at SEI on: February 1, 2005
Enterprise security is crucial to almost all organizations. But with so many other topics vying for your attention, what priority should you assign to enterprise security? What constitutes adequate security and thus adequate governance? How much security governance is enough and how can you use governance to sustain adequate security in a constantly changing business, risk, and technology environment?
A recent Business Roundtable report, Securing Cyberspace: Business Roundtable's Framework for the Future [BRT 04] asserted that
Governance involves careful oversight and well-informed decision making. The resulting actions set expectations for an organization's conduct. Governing for enterprise security (GES) means that security is viewed as a requirement of being in business. GES must be addressed at the leadership level and not be relegated to a technical specialty within the IT department. The role of boards of directors, executives, and senior managers must be to establish and reinforce the business need for effective enterprise security. Otherwise, the organization's desired state of security will not be articulated and thus cannot be achieved or sustained. If the responsibility for enterprise security is relegated to a role in the organization that lacks the authority, accountability, and resources to act and enforce, the enterprise security state will reflect this and remain far below an optimum level.
Leaders need to understand that business objectives must guide and drive actions needed to govern for enterprise security. The connection is clear when you examine a list of organizational "assets" that can be negatively affected if GES is performed poorly:
Leaders need to evaluate how much their enterprises depend on Internet connectivity, information technology (IT) infrastructure, and electronic assets for business continuity. Then, they can better determine the degree to which governance decisions need to account for the security of such assets. Factors that can aid in making this determination are described below.1 Together with a good risk assessment, an aggregation of these factors can inform your security-investment decisions.2
Organizations will be far ahead if their leaders treat the governance of enterprise security as essential to their businesses and are aware and knowledgeable about the issues. Ultimately, nations as a whole benefit: "The critical information infrastructures comprising cyberspace provide the backbone for many activities essential to the transaction of domestic and international business, the operation of government, and the security of a nation." [BRT 04]
Dan Geer, in his Cutter Consortium Business-IT Strategies article titled "Why Information Security Matters" [Geer 04] states:
"The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life. Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless."
The next article in this series will discuss the shifts in perspective that are required for leaders to achieve and sustain enterprise-wide security.
Business Roundtable. "Securing Cyberspace: Business Roundtable's Framework for the Future." May 2004.
Corporate Governance Task Force. "Information Security Governance: A Call to Action." National Cyber Security Partnership, April 2004.
Julia Allen is a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. The CERT Coordination Center is also a part of this program.
Allen is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance. Prior to this technical assignment, Allen served as acting Director of the SEI for an interim period of 6 months as well as Deputy Director/Chief Operating Officer for 3 years. Her degrees include a B. Sci. in Computer Science (University of Michigan) and an MS in Electrical Engineering (University of Southern California). She is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001).
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.