Mind the security gap

If you had a badly managed security risk in your IT organisation, why wouldn’t you do something about it? Most people would act if they really knew about a risk and understood that it was important.
Almost ten years ago, two Stanford University academics, Jeffrey Pfeffer and Robert Sutton, wrote a popular book titled ‘The knowing-doing gap’ [1] in which they explored how good companies turn their internal knowledge into effective action. Pfeffer and Sutton also set out why organisations fail to act on key information they already hold within their midst. Much of the problem was due to the information being locked up within organisational ‘silos’ of experts and specialists.

Communication gap
Risk management and security specialist functions often suffer from this communications gap. These are knowledgeable professionals who know about risks and the practical steps that can be taken to manage them, but without the organisational backing and funding provided by their senior management they can do little. A recent (post credit-crunch) survey by recruitment consultants Whitehead Mann found that nearly one in eight risk managers were not influential in their own organisations.
This confirms a theme that has run through private sector information security surveys for a number of years. Despite some improvement, a notable percentage of those surveyed still claim that their management does not understand the issues well and fails to give them necessary support. This does not sound like a good return on investment for security team costs.
As the responsibility for communicating lies with the communicator, just what is happening within security teams so that the message does not get across? Common failings seem to include:

  • Not framing the security risk in credible business terms
  • Not showing an understanding of broader context, including relative priorities of other risks
  • Dealing with point issues and solutions rather than a more strategic vision
  • Not understanding change implications and how to be a change agent
  • General lack of influence skills.

It is clear that the most successful companies are investing in their security leaders through broader development training, such as encouraging participation in general management programmes. They also ensure that their security professionals are actively networking in peer communities of interest.

The doing-knowing gap

Perhaps even worse than poor use of the information security and risk professionals in an organisation would be using unskilled staff to do the security job. Under these circumstances critical risks could be missed and inadequate security solutions proposed. Although it sounds far-fetched, the global statistics are quite concerning.
Forrester Research [2] estimates there are approximately two million full- and part-time IT security roles in the private and public sectors, yet, if we look at reported memberships, fewer than half of these roles are held by people who have formal security knowledge qualifications such as CISSP, CISM, SANS GIAC or a relevant university degree.
Still fewer have formal professional competency accreditation that shows their ability to apply theoretical security knowledge in real practical situations. This would be like someone fresh out of their university medical degree declaring themselves to be a doctor. Fortunately, in medicine this does not happen. Instead there is a scheme of on-the-job tutoring and mentoring that leads to assessment of competency and to full qualification.

Competency assessment

The UK government recognised this gap some time ago and in May 2001 instigated the Infosec Training Paths and Competencies (ITPC) scheme to provide competency assessment for those holding information assurance roles in government departments. The private sector followed a little later and, with the encouragement of government, the Institute of Information Security Professionals (www.instisp.org) was set up. During 2008 information security professionals in the private and public sector gained the opportunity for formal professional accreditation to become assessed full members of the Institute (M.Inst.ISP).
This has now come full circle with the Institute taking over public sector competency accreditation from the Cabinet Office, as ITPC transferred to the Institute from April 2009. This harmonisation of security professional standards is particularly helpful when looking at managing security across public-private sector partnerships.
It would be unfair, and very wrong, to accuse a security professional of being incompetent just because he or she does not have an independently assessed competency qualification. The information security industry is very young and can only just call itself a profession.
As a result many of its best practitioners are self-taught and learnt at a time before there were even any security training courses. But the truth remains that you cannot prove a negative, and that formal competency assessment by peers – the foundation of other recognised professions such as medicine and engineering – is the only way forward. Having security professionals with recognised qualifications certainly eases security competency conversations between partnering organisations, be they public or private sector.

Gaps in the security system
Many security weaknesses are themselves gaps: an absence of a control, a missing patch, a broken process, or lack of understanding or lack of thought by individuals. Good security requires considerable diligence, as a failure at any stage in the IT process can result in a problem. A good security management system has many components that include the following:

  • Robust governance and risk management processes – so that investment in protection can be focused on where there is greatest business value, and assets valued and classified accordingly.
  • Clear articulation of policy – defining where there need to be mandatory standards and processes and where localised decision-making is appropriate.
  • A strategy and architecture that addresses risk management and security solutions in a holistic way, rather than just point solutions.
  • Management of 3rd parties – and their security responsibilities and access.
  • Trained staff, aware of their role in good security and able to perform the security task required of them.
  • Incident management processes – so that the inevitable security events can be identified early, controlled and any impacts mitigated.
  • Good linkage to physical security – so that the systems themselves can be protected from damage, theft or interference and media properly handled.
  • Good operations processes – for operations of applications, systems and networks so that backdoors are not left open or software weaknesses not patched.
  • Good access management – so that user IDs are created, maintained and demised in a timely manner and access is granted in accordance with policy.
  • Adequate technical controls – including detection and protection against malicious code and systems/network intrusion; encryption and digital signing used appropriately.
  • Robust system development – with a repeatable, managed development lifecycle run by developers trained in secure architecture and secure coding.
  • Planned business continuity – assured by resilient systems design, robust backups and tested continuity plans.

Many organisations have devised their own standards for security requirements like these, but increasingly they are being harmonised through the adoption of a standard Information Security Management System (ISMS) based on the internationally recognised BS ISO/IEC 27001:2005 (published in the UK as BS 7799-2:2005).

The customer-supplier gap
To achieve a secure supply-chain relationship, both customer and supplier need to speak the same security risk language. Managing risks between organisations needs to bridge the definition of the risk appetite of the customer with a matching security capability of the supplier. Seamless integration of security processes between customer and supplier also needs to happen to cover both day-to-day security and the inevitable incidents. This doesn’t happen by chance, and robust security conversations need to happen from the earliest definition of contract through to regular service management reviews during the contract period.
Experience shows that without clearly defined goals there is a real risk of misunderstanding leading to differences in customer expectation and supplier security delivery.
In the past, speaking the same security ‘language’ across organisations has been difficult and time consuming. Now, with the adoption of common standards for security management systems and for the accreditation of security professionals, the task has become much more straightforward. Standards have indeed become the key tool to bridge the security gap.

IISP in the Public Sector
From May the Institute of Information Security Professionals (www.instisp.org) is setting up a sub-group for professionals working in Information Assurance in and around the public sector to come together for networking and information exchange. This will meet monthly in London with the exception of two meetings per year that will be held around the country. More information can be obtained from info@instisp.org.

About the author
Dr Paul Dorey CISM, M.Inst.ISP is the Chairman of the Institute of Information Security Professionals. He has previously held the positions of Chief Information Security Officer at BP PLC and Barclays Bank and is a co-founder of the training and development company Securityfaculty.com.

1. Jeffrey Pfeffer and Robert I. Sutton, The Knowing-Doing Gap, Harvard Business School Press, 1999.
2. Forrester Research report sponsored by (ISC)², 2008.
