NEWS AT SEI
This article was originally published in News at SEI on: February 1, 2005
Enterprise security is crucial to almost all organizations. But with so many other topics vying for your attention, what priority should you assign to enterprise security? What constitutes adequate security and thus adequate governance? How much security governance is enough and how can you use governance to sustain adequate security in a constantly changing business, risk, and technology environment?
A recent Business Roundtable report, Securing Cyberspace: Business Roundtable's Framework for the Future [BRT 04] asserted that
- Information security requires CEO attention within individual companies, and from business leaders seeking collectively to promote the development of standards for secure technology.
- Boards of directors should consider information security an essential element of corporate governance and a top priority for board review.
Governance involves careful oversight and well-informed decision making. The resulting actions set expectations for an organization's conduct. Governing for enterprise security (GES) means that security is viewed as a requirement of being in business. GES must be addressed at the leadership level and not be relegated to a technical specialty within the IT department. The role of boards of directors, executives, and senior managers must be to establish and reinforce the business need for effective enterprise security. Otherwise, the organization's desired state of security will not be articulated and thus cannot be achieved or sustained. If the responsibility for enterprise security is relegated to a role in the organization that lacks the authority, accountability, and resources to act and enforce, the enterprise security state will reflect this and remain far below an optimum level.
Leaders need to understand that business objectives must guide and drive actions needed to govern for enterprise security. The connection is clear when you examine a list of organizational "assets" that can be negatively affected if GES is performed poorly:
- shareholder/stakeholder value
- marketplace and stock market confidence
- customer retention and growth
- customer and partner identity and privacy
- ability to offer and fulfill electronic transactions
Leaders need to evaluate how much their enterprises depend on Internet connectivity, information technology (IT) infrastructure, and electronic assets for business continuity. Then, they can better determine the degree to which governance decisions need to account for the security of such assets. Factors that can aid in making this determination are described below [1]. Together with a good risk assessment, an aggregation of these factors can inform your security-investment decisions [2].
- size (number of physical locations, employees, and customers; level of revenue)
- complexity (organizational units, products, services, processes, systems, partnerships, structure—e.g., centralized or decentralized)
- value/criticality of the organization's intellectual property stored or transmitted in electronic form
- dependence on IT systems and the Internet to offer products and services to customers
- impact of major system downtime or an Internet outage on the organization
- degree of change within the organization (expansions, mergers, acquisitions, divestitures, new markets, etc.)
- dependence on multinational operations
- plans for multinational operations (internal functions outsourced to offshore locations, moving into geographical areas representing increased portions of overall revenue)
Market Sector Characteristics
- potential impact to national, international, or critical infrastructures as a result of outages or interruptions in organizational systems
- customer sensitivity to security and privacy
- level of sector regulation that addresses security [e.g., Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley [3], other applicable international, national, state, or local regulations]
- potential brand and reputation impact of a publicly disclosed security incident
- extent of enterprise operations dependent on third parties (partners, contractors, suppliers, vendors) and connectivity with third-party networks
- customers' ability to quickly switch to a competitor, based on competitor's ability to offer more secure, reliable services
- extent to which the organization does business in a politically sensitive area where it could be a likely target of violent physical or cyber attack
Organizations will be far ahead if their leaders treat the governance of enterprise security as essential to their businesses and are aware and knowledgeable about the issues. Ultimately, nations as a whole benefit: "The critical information infrastructures comprising cyberspace provide the backbone for many activities essential to the transaction of domestic and international business, the operation of government, and the security of a nation." [BRT 04]
Dan Geer, in his Cutter Consortium Business-IT Strategies article titled "Why Information Security Matters" [Geer 04] states:
"The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life. Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless."
The next article in this series will discuss the shifts in perspective that are required for leaders to achieve and sustain enterprise-wide security.
[BRT 04] Business Roundtable. "Securing Cyberspace: Business Roundtable's Framework for the Future." May 2004.
[CTGF 04] Corporate Governance Task Force. "Information Security Governance: A Call to Action." National Cyber Security Partnership, April 2004.
[Geer 04] Geer, Daniel E. "Why Information Security Matters." Cutter Consortium Business-IT Strategies, Vol. 7, No. 3, 2004.
[TechNet 03] TechNet. "Corporate Information Security Evaluation for CEOs—Preview Draft." December 2003.
[1] These factors are derived from [CTGF 04], based on original work reflected in [TechNet 03]. Refer to the TechNet evaluation to see one application of these factors.
[2] The terms "enterprise," "organization," and "business" are used interchangeably. "Agency" or "institution" can be easily substituted.
[3] Also known as the Public Company Accounting and Investor Protection Act of 2002.
About the Author
Julia Allen is a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. The CERT Coordination Center is also a part of this program.
Allen is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance. Prior to this technical assignment, Allen served as acting Director of the SEI for an interim period of 6 months as well as Deputy Director/Chief Operating Officer for 3 years. Her degrees include a B. Sci. in Computer Science (University of Michigan) and an MS in Electrical Engineering (University of Southern California). She is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001).
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.