All too often, information security at the business management level is treated as a simplistic compliance function: fill in the checklists, make sure the Web sites are ethically hacked each year, complete the entitlement reviews every six months, send out a few awareness fliers, pass the periodic audits, and you will do fine. The source of this misconception is fairly obvious. Like Chicken Little, information security officers often find themselves in the unenviable position of telling management that they need to spend money on security technology or hire more security personnel to address vague risks. Your business may need a more efficient and reliable security patch management system, but when was the last time your business was off-line for several days or suffered a loss because the existing system failed? No business wants its systems disrupted for multiple days. But if such disasters do not occur often and you cannot show a clear possibility of significant losses, how are you going to convince management to fund a patch management upgrade? Management's reaction in these situations is often to relegate information security to a compliance function rather than a risk function.
The other misconception is that by strictly following policies and procedures an Information Security Officer (ISO) can create a “perfect” environment in which the risk of a security breach is nonexistent. This shows up in ISOs who pursue information security compliance with an almost religious zeal. All rules must be strictly followed, regardless of the actual risk or the resource demands on the business. Every violation is treated as a threat to the very existence of the business. The security patch management system must be upgraded because that is what policy requires, not because anyone has weighed the risk.
The reality is that, as any ISO discovers after a few weeks on the job, information security is an extremely complex area. There is no way to guarantee perfection or to eliminate all risk of loss to our information. Security technology is constantly changing, and the bad guys are always finding new ways to break in. Most importantly, information security ultimately depends on people who, whatever their intentions, do not always follow the rules. The best security technology in the world can be rendered ineffective by an inadvertent programming mistake by a developer or system administrator. The most sensitive information can unexpectedly end up on the front page of the New York Times because a senior executive left a laptop behind on a restaurant table. Thousands, even millions, of dollars can be lost because a disgruntled employee abuses their authority and defrauds the company. As long as information security depends on imperfect measurements of risk, on technology that is constantly evolving, and on fallible humans, we will all have a very challenging job.
©2009 ISRMC, LLC