Canadian businesses are struggling to meet regulatory and governance demands for enterprise-wide information security. Meeting the challenge requires an effective enterprise security program and management support to implement it.
The difficulty in addressing technology risks is being compounded by regulatory demands and compliance deadlines that are moving ever closer. Rushing an enterprise security initiative into place to meet these deadlines without careful planning can set back the overall effort: the damage done must first be repaired before a new direction can be chosen.
The need for enterprise security is driven by increasing compliance requirements, privacy legislation, disclosure laws and industry-specific regulations. U.S. companies were the first to be affected by these changes, with Canadian companies next in line. Canadian firms with U.S.-based operations are impacted directly by U.S. legislation, while others are subject to new industry-specific security regulations such as the PCI (Payment Card Industry) rules, which affect all credit-card merchants. Additionally, Canadian SOX-like legislation, including Ontario’s Bill 198, will soon be a reality.
Companies should understand the need to shift enterprise responsibility for information-related risks from technical management to a senior management role. This is a requirement of many new pieces of legislation and reflects the expanded responsibilities of the information security mandate.
The net result of these changes for many Canadian businesses has been the need to create a new senior management position, the Chief Information Security Officer (CISO), and to implement, often for the first time, a comprehensive enterprise-wide information security management program.
Searching for the right people
The quest to find a qualified CISO has not been an easy one for many firms. Some public examples of companies’ efforts to find a strong CISO include:
- A large transportation firm which continued its quest to find a C-level security executive, and was eventually forced to hire a more junior manager, requiring the company to continue to vest formal security accountability with the CIO
- A U.S. manufacturing company which had three CISOs in two years, due to turnover among these highly sought-after resources — resulting in disjointed security efforts, spiraling costs, and increased organizational skepticism about security as a whole
- A European retailer which, understanding the challenges of recruiting a strong CISO externally, promoted an experienced manager with no security expertise into the senior security role, leading to delays in the development of an adequate security program
These examples are understandable — experienced CISO candidates are rare, with the ideal candidate having a decade of multi-disciplinary security expertise (including governance, security policy, and technology), combined with exceptional leadership, communication and negotiation skills.
There are relatively few CISO candidates in Canada with the rare blend of technical and soft skills needed to operate at the C-level and above in the context of compliance requirements and audit standards.
Many major Canadian companies have searched for years without finding the right individual to fit the CISO position, sometimes choosing to struggle along with the role vacant, or filled on a temporary basis. Mounting compliance and regulatory pressures, as well as the steady increase in prudential risks, means this is no longer an option. A functioning enterprise security program is essential.
Hiring the wrong CISO, who will make wrong assumptions about the enterprise and miscalculate risks, can be quite damaging. Wrong assumptions or decisions at this level may seriously impact all major IT projects. The results can include missed compliance deadlines, regulatory sanctions, the de-coupling of IT and business strategy, and the persistence of security as a technical obstacle, instead of a business enabler.
Hiring do’s and don’ts
As CIOs and their companies struggle to find a capable Chief Information Security Officer, some recommendations should be considered when searching for the right candidate. The assets of your future CISO should include:
- Management mindset. Information security is about communication, sending the right message to executives, and translating technical issues into business risks and vice-versa. Sometimes promoting a highly capable Information Architect, Operations Manager, or IT specialist into the leading security role isn’t the right answer because these individuals will still have technology and operations as a priority. Technologists will often retreat to the comfort zone of solving problems through technical solutions, since this is the area they are most familiar with.
- Ability to negotiate and compromise. Few security professionals view information security as a business enabler, instead focusing on the security fundamentals of protecting the confidentiality, integrity and availability of data. Yet major security decisions must be made together with process owners and stakeholders. Frequently, the perfect security solution does not meet operational requirements, cost constraints or deadlines. A CISO must know when to accept a middle ground and when to stand and fight for minimum standards.
- A drive for clarity of mandate and adequate authority. On too many occasions, an enterprise creates a corporate information security function without establishing its mandate. No CISO can deliver and implement an effective security program without clear objectives, authority and budget. The best CISOs will identify and correct this situation early, or refuse the position without it.
- Ability to prioritize. Only practical management experience can provide the prioritization skills a good CISO must have. No certification or academic education will provide the required confidence and skills to effectively prioritize projects. The new CISO is expected to start accruing high visibility wins in short order. Understanding what’s truly important to the organization and its stakeholders is critical when allocating resources to the effort.
- Security and risk expertise. The CISO must be able to communicate and mitigate risks, but first those risks must be measured and compared. Quantifying risk can be an extremely complex task; it requires in-depth knowledge of the business, of the impact of potential threats, and of how existing security controls affect the enterprise.
Organizations that view security as an IT problem might make the CISO a direct report of the CIO, while those with a risk-centric view might have the CISO report to the CFO. An organization with mature IT governance practices may institute the CISO position as a full peer of the other C-level roles. The lower the CISO is positioned in the organization chart, the less visibility, influence and assurance information security will provide.
However, if no properly qualified individual can be found to fill the position, the organization might actually be reducing its risk by limiting the CISO’s power and influence.
The ‘build and transfer’ alternative
Some companies have found a solution in ‘build and transfer’ services in which a specialist organization works with the company to build and staff an enterprise security office, eventually transferring it to the company’s control as the learning curve to governance and security reaches maturity.
Many Canadian industry leaders have benefited from this model in the past three years. This approach enables the enterprise to be rapidly equipped with a fully functioning enterprise security program encompassing all the required capabilities, with rapid implementation by a team of senior security professionals leveraging a pre-existing program template and supporting IP.
This model also avoids disengaging senior leaders from existing commitments and plans. By moving a successful leader from programs that are progressing well to the unfamiliar territory of security, compliance and governance, the enterprise could be jeopardizing both fronts. The build and transfer scenario keeps senior leaders on their projects to ensure continuing revenue, while filling a critical gap.
The model is not, however, entirely free of risks. Many of the challenges identified above still exist. However, rather than needing to meet these challenges single-handed, the CIO and the enterprise are supported by an established partner with security management expertise.
In this model, the security team generally reports to a group of senior executives within the organization, such as an Information Security Steering Committee.
By building a solid plan and establishing short-term wins (often related to regulatory deadlines) the security office can overcome initial skepticism and provide leadership with the confidence needed to further advance and commit resources to longer term initiatives.
Regardless of the approach taken to establishing the enterprise security function, short-term and long-term results should be monitored and controlled by the organization. Metrics must be used which reflect the clear and measurable benefits from the security program.
The security maturation process can be tracked through capability maturity models, such as the maturity model included in the COBIT IT governance framework.
Although the implementation of a complete enterprise information security function able to satisfy the full range of compliance and prudential requirements faced by today’s businesses may seem a large task, with strong leadership and informed planning, it need not be a daunting one, and the enterprise stands to reap the benefits for many years.
–Rafael Etges is a senior advisor for the Assurent Information Security Consulting group, Toronto, serving as a project principal in the information security group. Dr. Richard Reiner (CTO) is an internationally recognized authority on software application security and robustness. He is Practice Leader of the consulting practice at Assurent. Ben Sapiro is Senior Information Security Advisor at Assurent, serving as a principal in the information security group.