Executive and Board Roles in Information Security
By Paul Williams, FCA, MBCS
Corporate information in all its forms is a business asset and needs to be recognised as such. This implies that the ultimate responsibility for security must be accepted by the business and not merely delegated to a chief information security officer (CISO) or an equivalent role. The CISO may have delegated responsibility for establishing and managing many of the technical solutions that contribute to information security, but overall governance and assurance of the security’s effectiveness must reside with business management. It is with the chief executive officer (CEO) and the board that the buck stops and, in today’s IT-enabled and IT-dependent world, ignorance and denial are no longer options. This article explores the different roles and responsibilities that contribute to effective information security. It acknowledges that there are many different forms of information that need to be protected, ranging from bits and bytes on digital media to verbal conversations. All such information, if compromised in any way, can lead to corporate embarrassment, regulatory failure or financial loss.
Professional associations are also recognising this with, for example, the founding of the Alliance for Enterprise Security Risk Management™ (AESRM™).1 This new alliance has been established to help provide a holistic view of how enterprises are facing the risks that arise when physical and IT security risks need to be considered collectively.
Responsibilities at All Levels
Taking into account interdependent supply chains and outsourcing partners, there are now myriad people at different levels within and outside of an organisation who have a responsibility for information security. Everyone has a security responsibility. Office workers may be inadvertently shoulder-surfed whilst reading confidential or otherwise sensitive documents on a train, for example, and they must be constantly aware of this risk. The CEO is responsible for ensuring that the organisation’s information security risk is properly understood and appropriately mitigated. At the centre of this essential mitigation are the security and risk management specialists who have responsibility for designing, implementing and managing the specific security measures that any entity requires. These range from the articulation of policy to the establishment of staff security awareness programmes.
Those with responsibility for information security, therefore, hold many diverse roles, including the chair and CEO, other board members, line-of-business (LoB) management, the chief information officer (CIO) and his/her team, risk managers, audit committee members, security committee members, auditors, and compliance officers. The larger and more information-intensive an organisation is, the more roles it will have with a direct involvement in security. Ultimately, it is the responsibility of each and every employee to help ensure information security. For example, as companies enable more of their employees to access data remotely from home, airports and Wi-Fi spots using mobile devices, continued vigilance becomes increasingly required at all levels.
The Move to Integration
Amongst security professionals there is a consensus that the traditional, IT-led security function is no longer appropriate. There is an increased need to integrate different functions previously responsible for specific aspects of security into one holistic entity capable of recognising, preventing and reacting to any threats to corporate information or assets, wherever or however they may arise within the organisation.
This trend is exemplified by the move announced by BP in June 2007 to bring together more than 530 employees in the next two years from its IT, corporate and physical security divisions worldwide, to devise plans to protect the business globally. According to reports, the company aims to roll out best practices linking physical security to IT security across the company, checking, for example, if people are logged on to their workstations against whether they are physically in the building.
This is just one example of the way the information security world is changing in response to 21st century pressures, including increased regulation, greater consumer choice, enhanced globalisation and terrorism in all its forms. This trend is also supported by a Gartner prediction that, by 2008, 35 percent of Global 2000 enterprises will have a risk management function integrating information security and business continuity activities into the companywide profile of strategic, financial and operational risks.
The Security Imperative
It is a given that information security is of paramount importance to global commerce. Consumers’ trust in the protection of their sensitive information is essential in the building of long-term customer relationships in all areas of business, with particular emphasis within, for example, healthcare and financial services. Therefore, it is puzzling that the Gartner EXP CIO survey of 2007 indicated that security has dropped out of the top 10 business priorities for the first time in many years, and has dropped from number two to number six in the top 10 technology investments.2 Is this because CIOs believe that it is now finally under control and that sufficient investments have already been made?
There is no denying that many organisations have invested significantly in security in recent years, particularly in response to legislation and regulatory requirements such as Sarbanes-Oxley and Basel II. However, should this mean that security now becomes a lesser priority than it has been in the past?
Enlightened boards understand that security is not something that can be a major focus at one point in time and then placed on the back burner until the next piece of legislation or crisis comes along. Such boards realise that security is a continuing process and, although the level of investment may change from year to year, the level of focus and commitment must remain a high priority at all times. This is why it is essential for roles and responsibilities to be defined, and organisational structures to be designed and implemented, to ensure that security does indeed remain centre stage.
Organisational Structures for Security
The optimum organisational structure for security varies from entity to entity depending upon, amongst other things, organisation size, industry and culture. Figure 1 illustrates in a very simplistic form how a typical structure might be established in a larger, multinational, risk-aware organisation. Whilst the structure and reporting lines may differ from one entity to another, there are some features that should be generally applicable. For example, an emphasis on overall corporate information security recognises that the IT-related aspects are a part of a far larger picture, and that essential elements of security, such as the development of policy and incident response, have implications far beyond IT and the CIO. Similarly, it is essential to recognise that different lines of business or geographically dispersed business units may have specific needs, albeit within the centrally established parameters.
This typical structure recognises the existence of a centralised corporate risk function, which is an increasingly common feature of many regulated and highly information-dependent businesses. Most important, however, is the need for governance that will be essential to:
• Establish clear responsibilities and decision rights
• Provide an assurance framework to enable transparency of activity together with appropriate metrics
• Ensure that regulatory requirements are met
• Provide assurance that the business requirements for security are being met
• Ensure that resources are used appropriately and prudently and that value for money is being obtained
In many ways the governance element is the ‘glue’ that binds together all other elements of security and ensures appropriate interaction among them. Through its publication Information Security Governance—Guidance for Boards of Directors and Executive Management, 2nd Edition, the IT Governance Institute (ITGI) is able to provide a comprehensive primer on the governance of security for those with a responsibility for it.3 This publication is available for download at no cost from www.itgi.org.
Figure 1—Sample Organisational Structure for Security
Shareholders and Industry Regulators
CEO and Board Governance
Corporate Risk Manager
Corporate Information Security: • Risk management • Policy management • Business continuity • Incident response
IT Information Security: • Risk assessment • Design and implementation • Continuity management • Security operations • Incident response
Business Unit Info Security: • Business continuity • Awareness • Local policy management
The Audit Committee
Central to the effectiveness of governance (both corporate and IT) in an increasing number of organisations is the audit committee. Whilst most large organisations in the private and public sectors have had audit committees for many years, Sarbanes-Oxley established this as a statutory requirement within organisations affected by the legislation. Traditionally the audit committee has been a subcommittee of the board. Usually chaired by a non-executive director, the audit committee is responsible for working with the external and internal auditors to help ensure the integrity of financial reporting. It must also ensure that an internal control structure has been established and is working effectively. These responsibilities have been extended through recent legislative and regulatory moves to embrace other non-financial aspects of the business. Whilst information security within many organisations has been long regarded as a key aspect of internal control, new audit committee responsibilities make it difficult to argue that it should be excluded from their realm of responsibility. Therefore, an increasingly broader group of members of risk management (and often the CISO specifically) also have formal reporting lines to the audit committee. Concerns remain about an audit committee’s ability to fully understand this broader spectrum of responsibility. Nevertheless, there is little doubt that these committees are becoming better able to ask the right questions and properly challenge the answers. These competencies are largely due to better-focused committee members and an increased reliance on external advisors, such as independent risk management consultants and auditors. A constructive relationship among the CISO, the chair of the audit committee and other risk management professionals is seen as an essential requirement for the future.
As already stated, the responsibility for recognising and mitigating all business risk rests with the CEO and the board. A basic tenet of corporate governance is the need for the board to protect the interests of all stakeholders within the business. Therefore, although no individual board member is likely to have all of the skills needed to ensure that this happens, it is essential that they do so collectively. These skills need not be deeply technical, but board members must know what questions to ask and how to challenge those tasked with risk management. The board has to gain explicit assurance that the risks have been managed and continue to be managed. This will not happen by accident. Formal and regular reporting from relevant functions, including the audit committee, internal audit, external audit and the information security function, is likely to form part of this assurance process—supported by appropriate metrics. The following sections describe information security roles and their responsibilities.
The Role of the CISO
The CISO’s domain has traditionally been the IT function, usually reporting to the CIO or another senior IT manager. The broadened focus on information security has begun to alter this reporting line. The CISO now often reports to a business function such as the chief financial officer or chief operating officer, or occasionally directly to the CEO. Another increasingly common line of reporting is to the chief risk officer. So will the CISO role diminish?
IT-related information security will remain a prime requirement. After all, most corporate information now resides within the digital domain, so protection of this information will remain a critical requirement. As technology changes, becoming perhaps more complex, and corporate information (and the forms within which it is held) becomes more diverse, the need for strong technical security skills will grow. However, the new emphasis will be on an understanding of the broader business risks and the context within which IT-related security has to co-exist. What, for example, are the security implications for the digital economy and its new business models, based upon openness, collaboration and integration? These models and the Web 2.0 phenomenon associated with some of them may have a profound impact on the way information security operates in the future.
Whilst many of these new ideas may never take root, the ambitious and visionary CISO would be well advised to keep on top of these developments, so that he/she can support any operational, technical or cultural changes that will be required. Working with business leaders and gaining commitment from the board will be an essential part of the security professional’s role. Signing up for business courses, reading business publications, training in financial metrics and spending time working within the business are all suggestions that security specialists would be wise to consider if they want more than a purely technically focused career.
The CEO
The CEO leads the management team. He/she will have a direct influence on the control culture within the entity and is likely to set the agenda for the level of risk that is acceptable to the business. Every CEO must balance the need for individual empowerment and entrepreneurship against the need for checks and balances in all their forms, including security. However, the enlightened CEO should recognise the reputational and fiduciary importance of security and should ensure that appropriate resources are dedicated to security initiatives.
The CIO
The CIO may or may not have a direct seat on the main board, but he/she should have an effective reporting line into the boardroom. The CIO has a direct responsibility for information security insofar as it can be managed from within IT. Although this is changing, for now the probability is still that the CISO will report directly to the CIO. The CIO is also responsible for ensuring that the board members and other senior business managers understand IT enough to discharge their IT governance responsibilities, including those for security.
Other Line-of-business Directors
Other business managers must be responsible for the security of business information, albeit with the support and active involvement of security specialists. Only the business managers know what information is sensitive or confidential. Consequently, to avoid excess cost and to balance security with appropriate access, it is essential for business managers to be directly involved in the security governance process. To ensure that this happens, the right level of business training is needed for the technical specialists, along with IT training for the business managers.
HR Director
Security problems are largely caused by people and not by the technical infrastructure. Therefore, it is helpful for the human resources (HR) function to be fully conversant with the need for security. The HR function can help ensure that appropriate personnel policies are established and maintained. For example, induction training for new staff members should include information security.
Non-executive Directors
Non-executive directors have a key role to play in all aspects of the governance of IT, including security. They can be appointed to boards to fill knowledge gaps amongst executive board members. However, the 2006 Ernst & Young survey of non-executive directors highlighted that, specifically in relation to information security, ‘this is an area where few, if any, of our sample would have personal expertise to bring to bear’.4 This has to be of concern to corporate governance generally and is undoubtedly a weakness in current board structures.
The Risk Director/Manager
This relatively new role is a response to the need for a holistic review of risk. It is a key role in ensuring that all corporate risks are properly recognised and managed. The key concern with this perceived centralisation of responsibility is that it could diminish the responsibilities that individual business managers have for managing risk within their own domains.
Therefore, whilst the risk management function can provide a skill base for dealing with risk, business managers need to understand that the buck still stops with them.
Threats to corporate information are changing at a time when businesses are relying more heavily upon information technology. The CISO can no longer expect to bear the sole responsibility for information security. Instead, many individuals and many roles within an organisation must share this responsibility. Success comes to organisations that recognise these roles, establish clear accountability and provide the appropriate governance structure. This structure not only enables other employees to be more responsible for security, but also ensures that security is not being compromised and that information assets continue to be properly protected.
Tapscott, Dan; Anthony D. Williams; Wikinomics, Portfolio Press, 2007
1 ISACA (which supports and provides certifications for information security professionals) supports and is a founding member of AESRM.
2 Gartner Group, EXP CIO Survey 2007, 2007
3 IT Governance Institute, Information Security Governance—Guidance for Boards of Directors and Executive Management, 2nd Edition, USA, 2006, www.itgi.org/ContentManagement/ContentDisplay.cfm?ContentID=33553
4 Ernst & Young, Non-Executive Director Survey, 2006
Paul Williams, FCA, MBCS is a past international president of ISACA and ITGI. He chairs the ISACA Strategic Advisory Council and consults to organisations such as SeaQuation and Protiviti (UK).
This article was originally published in Network Security, volume 2007, issue 8, August 2007, p. 11-14, www.networksecuritynewsletter.com.