Symantec CIO Mark Egan on the Essential Components of a Successful Information Security Program

Mark Egan clues in security directors on how to view corporate information security

[About the author: Mark Egan is Chief Information Officer at Symantec Corp. Egan is the author of the newly released book, The Executive Guide to Information Security, available from Symantec Press.]

Developing an information security program is essential in today's dangerous e-business environment. In response, many organizations purchase and install a variety of security products, each of which is targeted at protecting a different level of the network from specific threats. But a point-product, technology-based approach to security is not enough. With blended Internet threats increasing in frequency, complexity, and number, businesses must employ a more layered technology plan, often called defense in depth, and combine it with the right people and processes. These three elements form the foundation of a successful information security program.

The critical elements of people, processes, and technology can be further broken down into the following 10 essential components that help ensure enterprise security. These components highlight the importance of having well-defined information security policies, standards, and procedures, as well as the value of involving key personnel and leveraging appropriate security technologies.

1. The CEO Owns the Information Security Program. It used to be that where information security was concerned, the buck started and stopped with IT administrators. Now, however, with industry and government regulations calling for increased controls and accountability regarding information, and a growing reliance on technology as a business tool, security has become a boardroom issue.

With the CEO assuming overall ownership of the corporate information security program, the tone is set for the rest of the organization. The CEO's staff is involved in developing broad objectives for the program, and regular reviews between IT and the CEO's staff ensures that the program is meeting those objectives. Moreover, as adjustments need to be made to enhance the program, the CEO's involvement becomes crucial in providing the authority to make those changes.

2. Senior-Level Staff Have a Responsibility for Information Security. In an ideal environment, a senior-level staff member who reports directly to the CEO or COO also shares responsibility for information security. In large corporations, this may be his or her primary responsibility; in smaller businesses, it may be one of many duties.

In addition, the complexities of information security make it prudent to establish a full-time information security organization made up of experienced security professionals. In the past, IT security tasks could be relegated to part-time employees. Not any more. Using anything less than a dedicated team of IT professionals who have expertise and hands-on experience in security only increases the likelihood of seeing a security incident negatively affect the organization sooner rather than later.

3. A Cross-Functional Governance Board Is in Place. Information security impacts virtually every organization in an enterprise. For example, setting and enforcing security policies for appropriate computer use by employees involves not just IT but human resources personnel as well. External restrictions such as demonstrating compliance with industry regulations and local laws also signal the need for involvement by groups outside the traditional IT department.

Corporate information security programs will nearly always place restrictions on the way business is conducted. At the same time, each area of operation within an organization likely has its own requirements concerning information security. By ensuring that the information security governance board is comprised of a cross-functional team that represents the interests of the entire corporation, the resulting corporate policy is not only better defined but also more easily enforced as the board is held accountable for the success of its collective information security program.

This content continues onto the next page...