Executive and Board Roles in Information Security By Paul Williams, FCA, MBCS
Corporate information in all its forms is a business asset and needs to be recognised as such. This implies that the ultimate responsibility for security must be accepted by the business and not merely delegated to a chief information security officer (CISO) or an equivalent role. The CISO may have delegated responsibility for establishing and managing many of the technical solutions that contribute to information security, but overall governance and assurance of the security's effectiveness must reside with business management. It is with the chief executive officer (CEO) and the board that the buck stops and, in today's IT-enabled and IT-dependent world, ignorance and denial are no longer options.

This article explores the different roles and responsibilities that contribute to effective information security. It acknowledges that there are many different forms of information that need to be protected, ranging from bits and bytes on digital media to verbal conversations. All such information, if compromised in any way, can lead to corporate embarrassment, regulatory failure or financial loss.

At the centre of this essential mitigation are the security and risk management specialists who have responsibility for designing, implementing and managing the specific security measures that any entity requires. These range from the articulation of policy to the establishment of staff security awareness programmes.

Those with responsibility for information security, therefore, hold many diverse roles, including the chair and CEO, other board members, line-of-business (LoB) management, the chief information officer (CIO) and his/her team, risk managers, audit committee members, security committee members, auditors, and compliance officers. The larger and more information-intensive an organisation is, the more roles it will have with a direct involvement in security.

Ultimately, it is the responsibility of each and every employee to help ensure information security. For example, as companies enable more of their employees to access data remotely from home, airports and Wi-Fi spots using mobile devices, continued vigilance becomes increasingly required at all levels.

Responsibilities at All Levels

Taking into account interdependent supply chains and outsourcing partners, there are now myriad people at different levels within and outside of an organisation who have a responsibility for information security. Everyone has a security responsibility. Office workers may be inadvertently shoulder-surfed whilst reading confidential or otherwise sensitive documents on a train, for example, and they must be constantly aware of this risk. The CEO is responsible for ensuring that the organisation's information security risk is properly understood and appropriately mitigated.

The Move to Integration

Amongst security professionals there is a consensus that the traditional, IT-led security function is no longer appropriate. There is an increased need to integrate different functions previously responsible for specific aspects of security into one holistic entity capable of recognising, preventing and reacting to any threats to corporate information or assets, wherever or however they may arise within the organisation.

This trend is exemplified by the move announced by BP in June 2007 to bring together more than 530 employees in the next two years from its IT, corporate and physical security divisions worldwide, to devise plans to protect the business globally. According to reports, the company aims to roll out best practices linking physical security to IT security across the company, checking, for example, whether people are logged on to their workstations against whether they are physically in the building.

This is just one example of the way the information security world is changing in response to 21st century pressures, including increased regulation, greater consumer choice, enhanced globalisation and terrorism in all its forms. This trend is also supported by a Gartner prediction that, by 2008, 35 percent of Global 2000 enterprises will have a risk management function integrating information security and business continuity activities into the companywide profile of strategic, financial and operational risks. Professional associations are also recognising this with, for example, the founding of the Alliance for Enterprise Security Risk Management™ (AESRM™).[1] This new alliance has been established to help provide a holistic view of how enterprises are facing the risks that arise when physical and IT security risks need to be considered collectively.

The Security Imperative

It is a given that information security is of paramount importance to global commerce. Consumers' trust in the protection of their sensitive information is essential in the building of long-term customer relationships in all areas of business, with particular emphasis within, for example, healthcare and financial services. Therefore, it is puzzling that the Gartner EXP CIO survey of 2007 indicated that security has dropped out of the top 10 business priorities for the first time in many years, and has dropped from number two to number six in the top 10 technology investments.[2] Is this because CIOs believe that it is now finally under control and that sufficient investments have already been made?

There is no denying that many organisations have invested significantly in security in recent years, particularly in response to legislation and regulatory requirements such as Sarbanes-Oxley and Basel II. However, should this mean that security now becomes a lesser priority than it has been in the past?

Enlightened boards understand that security is not something that can be a major focus at one point in time and then placed on the back burner until the next piece of legislation or crisis comes along. Such boards realise that security is a continuing process and, although the level of investment may change from year to year, the level of focus and commitment must remain a high priority at all times. This is why it is essential for roles and responsibilities to be defined, and organisational structures to be designed and implemented, to ensure that security does indeed remain centre stage.

Organisational Structures for Security

The optimum organisational structure for security varies from entity to entity depending upon, amongst other things, organisation size, industry and culture. Figure 1 illustrates in a very simplistic form how a typical structure might be established in a larger, multinational, risk-aware organisation. Whilst the structure and reporting lines may differ from one entity to another, there are some features that should be generally applicable. For example, an emphasis on overall corporate information security recognises that the IT-related aspects are a part of a far larger picture, and that essential elements of security, such as the development of policy and incident response, have implications far beyond IT and the CIO. Similarly, it is essential to recognise that different lines of business or geographically dispersed business units may have specific needs, albeit within the centrally established parameters.

This typical structure recognises the existence of a centralised corporate risk function, which is an increasingly common feature of many regulated and highly information-dependent businesses. Most important, however, is the need for governance that will be essential to:
• Establish clear responsibilities and decision rights
• Provide an assurance framework to enable transparency of activity together with appropriate metrics
• Ensure that regulatory requirements are met
• Provide assurance that the business requirements for security are being met
• Ensure that resources are used appropriately and prudently and that value for money is being obtained

In many ways the governance element is the 'glue' that binds together all other elements of security and ensures appropriate interaction among them. Through its publication Information Security Governance—Guidance for Boards of Directors and Executive Management, 2nd Edition, the IT Governance Institute (ITGI) is able to provide a comprehensive primer on the governance of security for those with a responsibility for it.[3] This publication is available for download at no cost from www.itgi.org.

Figure 1—Sample Organisational Structure for Security

The Audit Committee

Central to the effectiveness of governance (both corporate and IT) in an increasing number of organisations is the audit committee. Whilst most large organisations in the private and public sectors have had audit committees for many years, Sarbanes-Oxley established this as a statutory requirement within organisations affected by the legislation. Traditionally the audit committee has been a subcommittee of the board. Usually chaired by a non-executive director, the audit committee is responsible for working with the external and internal auditors to help ensure the integrity of financial reporting. It must also ensure that an internal control structure has been established and is working effectively. These responsibilities have been extended through recent legislative and regulatory moves to embrace other nonfinancial aspects of the business.

Whilst information security within many organisations has long been regarded as a key aspect of internal control, new audit committee responsibilities make it difficult to argue that it should be excluded from their realm of responsibility. Therefore, an increasingly broader group of members of risk management (and often the CISO specifically) also have formal reporting lines to the audit committee.

Concerns remain about an audit committee's ability to fully understand this broader spectrum of responsibility. Nevertheless, there is little doubt that these committees are becoming better able to ask the right questions and properly challenge the answers. These competencies are largely due to better-focused committee members and an increased reliance on external advisors, such as independent risk management consultants and auditors. A constructive relationship among the CISO, the chair of the audit committee and other risk management professionals is seen as an essential requirement for the future.

Boardroom Roles

As already stated, the responsibility for recognising and mitigating all business risk rests with the CEO and the board. A basic tenet of corporate governance is the need for the board to protect the interests of all stakeholders within the business. Therefore, although no individual board member is likely to have all of the skills needed to ensure that this happens, it is essential that they do so collectively. These skills need not be deeply technical, but board members must know what questions to ask and how to challenge those tasked with risk management. The board has to gain explicit assurance that the risks have been managed and continue to be managed. This will not happen by accident. Formal and regular reporting from relevant functions, including the audit committee, internal audit, external audit and the information security function, is likely to form part of this assurance process—supported by appropriate metrics. The following sections describe information security roles and their responsibilities.

The CEO

The CEO leads the management team. He/she will have a direct influence on the control culture within the entity and is likely to set the agenda for the level of risk that is acceptable to the business. Every CEO must balance the need for individual empowerment and entrepreneurship against the need for checks and balances in all their forms, including security. However, the enlightened CEO should recognise the reputational and fiduciary importance of security and should ensure that appropriate resources are dedicated to security initiatives.

The CIO

The CIO may or may not have a direct seat on the main board, but he/she should have an effective reporting line into the boardroom. The CIO has a direct responsibility for information security insofar as it can be managed from within IT. Although this is changing, for now the probability is still that the CISO will report directly to the CIO. The CIO is also responsible for ensuring that the board members and other senior business managers understand IT enough to discharge their IT governance responsibilities, including those for security.

Other Line-of-business Directors

Other business managers must be responsible for the security of business information, albeit with the support and active involvement of security specialists. Only the business managers know what information is sensitive or confidential. Consequently, to avoid excess cost and to balance security with appropriate access, it is essential for business managers to be directly involved in the security governance process. To ensure that this happens, the right level of business training is needed for the technical specialists, along with IT training for the business managers.

HR Director

Security problems are largely caused by people and not by the technical infrastructure. Therefore, it is helpful for the human resources (HR) function to be fully conversant with the need for security. The HR function can help ensure that appropriate personnel policies are established and maintained. For example, induction training for new staff members should include information security.

Non-executive Directors

Non-executive directors have a key role to play in all aspects of the governance of IT, including security. They can be appointed to boards to fill knowledge gaps amongst executive board members. However, the 2006 Ernst & Young survey of non-executive directors highlighted that, specifically in relation to information security, 'this is an area where few, if any, of our sample would have personal expertise to bring to bear'.[4] This has to be of concern to corporate governance generally and is undoubtedly a weakness in current board structures.

The Risk Director/Manager

This relatively new role is a response to the need for a holistic review of risk. It is a key role in ensuring that all corporate risks are properly recognised and managed. The key concern with this perceived centralisation of responsibility is that it could diminish the responsibilities that individual business managers have for managing risk within their own domains. Therefore, whilst the risk management function can provide a skill base for dealing with risk, business managers need to understand that the buck still stops with them.

The Role of the CISO

The CISO's domain has traditionally been the IT function, usually reporting to the CIO or another senior IT manager. The broadened focus on information security has begun to alter this reporting line. The CISO now often reports to a business function such as the chief financial officer or chief operating officer, or occasionally directly to the CEO. Another increasingly common line of reporting is to the chief risk officer. So will the CISO role diminish?

IT-related information security will remain a prime requirement. After all, most corporate information now resides within the digital domain, so protection of this information will remain a critical requirement. As technology changes, becoming perhaps more complex, and corporate information (and the forms within which it is held) becomes more diverse, the need for strong technical security skills will grow. However, the new emphasis will be on an understanding of the broader business risks and the context within which IT-related security has to co-exist. What, for example, are the security implications for the digital economy and its new business models, based upon openness, collaboration and integration? These models and the Web 2.0 phenomenon associated with some of them may have a profound impact on the way information security operates in the future.

Whilst many of these new ideas may never take root, the ambitious and visionary CISO would be well advised to keep on top of these developments, so that he/she can support any operational, technical or cultural changes that will be required. Working with business leaders and gaining commitment from the board will be an essential part of the security professional's role. Signing up for business courses, reading business publications, training in financial metrics and spending time working within the business are all suggestions that security specialists would be wise to consider if they want more than a purely technically focused career.

Conclusions

Threats to corporate information are changing at a time when businesses are relying more heavily upon information technology. The CISO can no longer expect to bear the sole responsibility for information security. Instead, many individuals and many roles within an organisation must share this responsibility. Success comes to organisations that recognise these roles, establish clear accountability and provide the appropriate governance structure. This structure not only enables other employees to be more responsible for security, but also ensures that security is not being compromised and that information assets continue to be properly protected.

Endnotes
1 ISACA (which supports and provides certifications for information security professionals) supports and is a founding member of AESRM.
2 Gartner Group, EXP CIO Survey 2007, 2007
3 IT Governance Institute, Information Security Governance—Guidance for Boards of Directors and Executive Management, 2nd Edition, USA, 2006, www.itgi.org/ContentManagement/ContentDisplay.cfm?ContentID=33553
4 Ernst & Young, Non-Executive Director Survey, 2006

Paul Williams, FCA, MBCS
is a past international president of ISACA and ITGI. He chairs the ISACA Strategic Advisory Council and consults to organisations such as SeaQuation and Protiviti (UK).

Note: This article was originally published in Network Security, volume 2007, issue 8, August 2007, p. 11-14, www.networksecuritynewsletter.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.