Symantec CIO Mark Egan on the Essential Components of a Successful Information Security Program

Dec. 7, 2004
Mark Egan clues in security directors on how to view corporate information security

[About the author: Mark Egan is Chief Information Officer at Symantec Corp. Egan is the author of the newly released book, The Executive Guide to Information Security, available from Symantec Press.]

Developing an information security program is essential in today's dangerous e-business environment. In response, many organizations purchase and install a variety of security products, each of which is targeted at protecting a different level of the network from specific threats. But a point-product, technology-based approach to security is not enough. With blended Internet threats increasing in frequency, complexity, and number, businesses must employ a more layered technology plan, often called defense in depth, and combine it with the right people and processes. These three elements form the foundation of a successful information security program.

The critical elements of people, processes, and technology can be further broken down into the following 10 essential components that help ensure enterprise security. These components highlight the importance of having well-defined information security policies, standards, and procedures, as well as the value of involving key personnel and leveraging appropriate security technologies.

1. The CEO Owns the Information Security Program. It used to be that where information security was concerned, the buck started and stopped with IT administrators. Now, however, with industry and government regulations calling for increased controls and accountability regarding information, and a growing reliance on technology as a business tool, security has become a boardroom issue.

With the CEO assuming overall ownership of the corporate information security program, the tone is set for the rest of the organization. The CEO's staff is involved in developing broad objectives for the program, and regular reviews between IT and the CEO's staff ensure that the program is meeting those objectives. Moreover, as adjustments need to be made to enhance the program, the CEO's involvement becomes crucial in providing the authority to make those changes.

2. Senior-Level Staff Have a Responsibility for Information Security. In an ideal environment, a senior-level staff member who reports directly to the CEO or COO also shares responsibility for information security. In large corporations, this may be his or her primary responsibility; in smaller businesses, it may be one of many duties.

In addition, the complexities of information security make it prudent to establish a full-time information security organization made up of experienced security professionals. In the past, IT security tasks could be relegated to part-time employees. Not anymore. Relying on anything less than a dedicated team with expertise and hands-on experience in security only increases the likelihood that a security incident will harm the organization sooner rather than later.

3. A Cross-Functional Governance Board Is in Place. Information security impacts virtually every organization in an enterprise. For example, setting and enforcing security policies for appropriate computer use by employees involves not just IT but human resources personnel as well. External restrictions such as demonstrating compliance with industry regulations and local laws also signal the need for involvement by groups outside the traditional IT department.

Corporate information security programs will nearly always place restrictions on the way business is conducted. At the same time, each area of operation within an organization likely has its own requirements concerning information security. By ensuring that the information security governance board is composed of a cross-functional team that represents the interests of the entire corporation, the resulting corporate policy is not only better defined but also more easily enforced, since the board is held accountable for the success of its collective information security program.

4. Metrics Are in Place to Manage the Program. Improvement requires measurement: a way to gauge progress. And quantitative metrics typically enable more meaningful evaluations than do qualitative measures.

The first step in setting metrics is to carefully assess the current security status of the organization, then establish clear goals for future improvement. Benchmarking against similar companies can make this easier, especially in security-conscious industries such as financial services, which must meet very stringent criteria for demonstrating compliance.

5. The Information Security Program Is Ongoing. Security is not a destination but a journey. Its lifecycle is a continuous round of measurement, improvement, and management. What's more, the activities within this lifecycle must enable both reactive and proactive response to a rapidly changing Internet threat landscape. Consequently, an effective information security program is not static but adapts to changes both in business needs and security challenges.

6. The Program Is Independently Reviewed. Just as independent financial audits are a sound business practice, an independent information security audit is an invaluable opportunity to have security professionals validate a corporate security program and offer recommendations for improvement. Moreover, regular reviews can uncover trends and, in turn, help identify areas that need additional attention or areas that show noticeable progress.

Also, the findings of a third-party audit are appropriate for review by executive staff, IT personnel, and others responsible for problem resolution. After all, the charge to guard the security of information assets is not just applicable to IT but to every employee of the company.

7. Security Is Layered. It's no longer enough to simply protect the gateway, or the desktop, or the server. The arrival of blended threats changed all that. Blended threats use multiple methods and techniques to spread, and often combine the characteristics of different types of malicious code with the ability to exploit software vulnerabilities.

Because a blended threat attacks more than one component of the computing infrastructure, it can only be defended against by deploying multiple security controls throughout the network. These include antivirus, firewall, intrusion detection and prevention, and content filtering at the gateway, server, and desktop, including the mobile client.

8. The Computing Environment Is Divided into Zones. A typical enterprise is composed of four zones: the Internet; the extranet, which customers and partners access; the intranet, which is used by employees; and the mission-critical zone, which is reserved for mission-critical applications and limited employee access. An effective information security program ensures that each zone is separated from the next by a firewall that restricts access.

By identifying these zones and keeping them separate, organizations have defined areas for deploying relevant levels of security and information access, with increasing levels of security and associated technology deployed at each successive zone.
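The zone model above is only as good as the firewall rules that enforce it: a single rule that lets Internet traffic jump straight into the intranet, or that opens every port inbound, quietly collapses the layers. The following is an added example (not code from the article or from Symantec) that treats the four zones as an ordered trust ladder and audits a constructed rule set for rules that skip a zone, reach the mission-critical zone from anywhere but the intranet, or allow any-port inbound traffic. The rule format, zone names, and sample rules are assumptions made for illustration; a real firewall has its own syntax and would need its rules exported into this shape first.

```python
"""Zone-separation audit for a firewall rule set (illustrative, not a real product's syntax)."""
from dataclasses import dataclass

# Trust ladder from the article's four zones; index grows with trust.
# A flow that goes "up" the ladder should cross only one step per firewall.
ZONES = ["internet", "extranet", "intranet", "mission-critical"]
TRUST = {name: level for level, name in enumerate(ZONES)}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port; 0 means any port
    action: str   # "allow" or "deny"


def audit(rules):
    """Return (rule, reason) pairs for every allow rule that breaks the zone model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src not in TRUST or r.dst not in TRUST:
            findings.append((r, f"unknown zone in rule: {r.src} -> {r.dst}"))
            continue
        hop = TRUST[r.dst] - TRUST[r.src]   # positive means inbound toward more trusted data
        if hop > 1:
            findings.append((r, f"skips {hop - 1} zone(s): {r.src} -> {r.dst}"))
        if r.dst == "mission-critical" and r.src != "intranet":
            findings.append((r, "mission-critical zone reachable from outside the intranet"))
        if hop > 0 and r.port == 0:
            findings.append((r, "any-port inbound allow from a less trusted zone"))
    return findings


def is_allowed(rules, src, dst, proto, port):
    """First-match evaluation of a single flow; default deny when nothing matches."""
    for r in rules:
        if r.src == src and r.dst == dst and r.proto == proto and r.port in (0, port):
            return r.action == "allow"
    return False


# Constructed sample rule set (assumed for the example; not from the article).
SAMPLE_RULES = [
    Rule("internet", "extranet", "tcp", 443, "allow"),           # public web front end
    Rule("extranet", "intranet", "tcp", 8443, "allow"),          # front end to internal app tier
    Rule("intranet", "mission-critical", "tcp", 1521, "allow"),  # app tier to core database
    Rule("internet", "intranet", "tcp", 3389, "allow"),          # BAD: skips the extranet
    Rule("extranet", "mission-critical", "tcp", 1521, "allow"),  # BAD: core DB exposed to partner zone
    Rule("internet", "extranet", "tcp", 0, "allow"),             # BAD: any port inbound
]
CLEAN_RULES = SAMPLE_RULES[:3]


def offending_rules(rules):
    """Distinct rules that produced at least one finding, in rule-set order."""
    seen = []
    for r, _ in audit(rules):
        if r not in seen:
            seen.append(r)
    return seen


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src:>9} -> {rule.dst:<17} {rule.proto}/{rule.port or 'any'}: {reason}")
    print("internet -> extranet tcp/22 allowed?",
          is_allowed(SAMPLE_RULES, "internet", "extranet", "tcp", 22))
```

Run against the sample set, the audit flags the last three rules (the extranet-to-mission-critical rule twice, once for skipping a zone and once for reaching the mission-critical zone from outside the intranet), and the any-port rule is what makes `is_allowed` return true for SSH from the Internet even though no rule mentions port 22. The check deliberately ignores flows going "down" the ladder (egress from a more trusted zone); those deserve their own policy, but they are not what the zone-separation principle in the article is guarding against.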

9. The Program Is Built on the Basics. Rome wasn't built in a day, and neither is an effective information security program. In fact, many information security programs take years to implement. Consequently, it is better to start with a solid, basic foundation such as a firewall and antivirus and add technologies as needed than to overlook the fundamentals in favor of more advanced solutions.

To that end, forming a technology roadmap upfront will not only ensure that the correct technology is being implemented at the appropriate time but also that the technologies being deployed achieve the desired results.

10. Information Security Is Considered an Essential Investment. Competition for resources is fierce in today's do-more-with-less operational environment. And information security comes at a significant cost. But lack of security can be even more costly.

A careful review of critical business assets, and an evaluation of the impact to the business should they become unavailable, provides executives with the information they need to determine the appropriate level of investment for a security program.

Developing, maintaining, enforcing, and improving an effective information security program is a key component of a sound business strategy. By using a powerful combination of people, processes, and technology, enterprises can have an information security policy that protects their businesses today and into the future.