Making Information Security Pay – Enabling Your Organisation

    By Pat Larkin on May 1, 2014

      Over the last few years I have done numerous presentations on the topic of Information Security, both at C-level events and at more focused information security gatherings. I always start by asking the audience a simple question: do they view information security as a cost or as an “asset” to their business?
      Almost every time the majority classify information security as a necessary “cost”, unless the audience is made up of information security professionals or I am briefing executives following a recent information security incident. In those cases, unsurprisingly, the majority typically cite information security as an “asset” to their business.
      Having performed this less than scientific exercise over the years, two things continue to strike me:

      1. The consistently held view, even by some professionals in the field, that information security is all about prevention and insurance: a necessary cost to try to stop bad things from happening.
      2. How difficult it is for information security professionals to sell information security to their own management and board, despite the well-known risks and potential catastrophes that their business could face as a result of a compromise.

      However, things are changing, and I do see a gradual but steady increase in the number of people starting to view information security as an asset to their business. In my opinion this turning tide is directly attributable to two significant factors:
      Raised Awareness:
      First, the really obvious reason: raised awareness at every level of the organisation, due to the growing number of organisations featured adversely because of some significant customer data breach or service outage. And it’s impacting us all: as a consumer I have received 4 notifications in the last 18 months from companies holding my or my family’s sensitive data about some significant loss or compromise of this information.
      The traditional approaches to justifying the business case for spending on information security are well documented and established. They are typically either a compliance-based argument, for example:
      “In order to continue taking online payments at the volume we are doing, we must be PCI DSS compliant, and requirement 1 states that we must install and maintain a firewall configuration to protect cardholder data; without this we are not compliant and cannot do business” – QED.
      Or, alternatively, a Return on Investment (ROI) argument, hopefully supported by some associated qualitative or quantitative risk assessment analysis, for example:
      “The typical all-in cost of a data breach of personal or financial data is €115 per record. We process or hold 70,000 records; if all or even a percentage of these, e.g. 20%, are disclosed or compromised, then the potential cost to the organisation is estimated to be €1.61M. The cost of appropriately securing the Information Systems that hold these records is €30,000 capex and €6,000 opex per annum, and this implementation reduces the likelihood of a breach to a very low probability of less than 5%” – QED.
      As you can see, these types of arguments, though perfectly valid, still to some degree reinforce the established perception of information security as necessary insurance or a risk mitigation cost.
      Positive Leadership:
      The second significant factor shifting organisations’ perception of information security as a cost is the positive leadership of information security managers themselves. Traditionally the information security role, by virtue of its inherent risk management responsibility, was typically risk averse, sometimes overly policy driven and on occasion perceived within the business as the “department of NO”. Thankfully this perception is changing rapidly.
      The successful Information Security Officers or CISOs that we work with have figured out that the above arguments are the bread and butter of their day job: keeping the business appropriately safe and secure. They invest their remaining time in understanding in detail their organisation’s needs and challenges. They actively engage with the relevant parts of the business to add value above and beyond insurance and prevention. They look for opportunities for information security to help the business innovate, to take managed risks, to achieve business goals and to contribute to the bottom line.
      Practical Examples
      Let’s look at some practical examples:
      We do a lot of work with Higher Education and Research clients nationally and internationally. The traditional student (customer) processing models in this sector have shifted unrecognisably in the last 10 years, from a primarily on-campus, manual, slow, cumbersome, paper- and people-based education and service delivery model to a hybrid model mixing online/virtual learning with some on-campus education, accreditation and service delivery. In this model students can register, pay their fees, select their courses, access academic content, submit assessments and attend virtual lectures.
      Key to this transformation is the provision, automation and integration of a heady mix of education information systems and conventional line-of-business systems such as student registration and administration systems, e-Learning systems, financial systems, HR systems for academic and administrative staff, timetabling systems, examination systems, research management systems and so forth. A typical education institution has 300+ applications, 10,000+ students, 1500+ staff, 4000+ joiners and leavers per annum, and turns over €100M+ a year. Providing seamless, secure access to services for students and staff from anywhere in the world, whilst protecting personal data, financial integrity, examination and accreditation integrity, intellectual property, service availability and so forth, is no mean achievement.
      From an information security innovation perspective, CISOs in Higher Education institutions are truly enabling partners in this transformation by utilising information security management technology solutions such as:
      Identity and Access Management Solutions:
      These automate the really complex, time-sensitive provisioning and de-provisioning of large volumes of joiners and leavers, and the comprehensive change management processes that all of the users in these institutions typically go through. They enable this transformation in a heavily automated, mobile and highly dynamic environment, with positive or improved end-user experiences, whilst removing a lot of previously expensive, labour-intensive, manual, slow, error-prone processes with poor user experiences.
      Secure Mobile and Remote Access to Services:
      These enable students, staff and researchers to gain appropriate access to services, content and data of widely varying sensitivity, ranging from staff or student personal or financial data, to high-value research intellectual property, to accreditation and examination data and services, in a seamless user experience on campus, at collaborating campuses, at industry or 3rd-party sites, literally anywhere in the world. Again, CISOs were instrumental in proposing governance, data handling and classification policies and frameworks to these institutions, allowing them to determine who should have access to what data and services, and from where. They were also instrumental in proposing secure extranet and intranet technologies, secure wired and wireless solutions, graduated and adaptive authentication, and federation and authorisation models and technologies to help enable and control this secure access.
      Secure Payment Services:
      A lot of money changes hands as part of the education experience. Traditionally, at registration students lined up with cheques, cash or credit cards to pay their annual or term fees. They paid for on-campus services such as printing and photocopying facilities, as well as food and beverage services, with cash. Aside from being a poor experience from the user’s perspective, this also placed a lot of money handling costs and risks on the institution. Once again, CISOs were instrumental in developing and implementing secure “cashless” payment systems for everything from online payments of college fees to pre-paid accounts and tokens for printing and catering services at the institution, solving both the users’ and the institution’s problems.
      Indeed, so much innovation was required early on in Higher Education and Research to deliver the required business model transformation that a number of key security technologies were effectively pioneered, developed or piloted in this sector.
      The institutions that were first or most successful in this transformation required the positive and constructive collaboration and innovation of their internal and external IT providers and information security resources.
      Success criteria included:

      • Increase in students attending the institution not just because of academic or research excellence but also because of the new reach of the institution to a potentially global market, the range of services offered, the service delivery models, the improved user experience and the perception of innovation.
      • Reduction in administrative cost through secure automation and integration.
      • Improved compliance and risk management through improvements in identity quality and the elimination of manual, error-prone, non-systemic processes.

      Conclusion
      Appropriately protecting your organisation from information security risk is now the minimum requirement of the information security role. To add real business value, CISOs need to become partners in business innovation, constructively helping their organisation to achieve its goals by providing and suggesting solutions and models for the business to identify, manage and control the risks that the organisation needs or wants to take. CISOs need to be able to actively contribute to either the top or the bottom line. When they do this, they will have no issues getting C-level airtime.
