Cool as McCumber: Practical Theory?

Aug. 19, 2015

Information systems security is pretty simple – except when it’s not.  There are some long-accepted shibboleths that are slowly being dislodged from our industry best practices.  One appears wholly logical on its face.  In fact, it was so commonly accepted, it was never even questioned until a decade ago: the information security discipline is a defined subset of information technology.  This perception led directly to the related organizational practice of placing the InfoSec function within information technology operations.  It makes sense on one level.  Since IT operations owns the infrastructure, shouldn’t they also be responsible for the security of the data they transmit, store, and process?  That’s the theory.

The practice, however, and not the theory, is where the conflicts arise.  Information technology operations are most often judged by their ability to keep systems up and running.  The “availability” element of the confidentiality, integrity, availability triad quickly becomes preeminent.  Additional security-relevant activities are then addressed only as resources and competing priorities allow.  The senior security manager is placed in the untenable role of Doctor No.

“We shouldn’t open those ports.”

“You shouldn’t provision privileged accounts outside our control.”

“We need to interrupt production systems for critical system patches.”

Instead of being seen as a critical risk management partner helping ensure the protection of critical corporate information assets, the security manager is relegated to the position of an annoying security gadfly, always seemingly standing in the way of progress and efficient customer support.

Recently, there have been attempts to draw metrics out of various surveys and studies to support reporting either to the CIO/IT director or to the CEO or a high-level risk committee.  I’ve reviewed several such studies, and overall, the bases for the conclusions are suspect. That said, an organizational perspective demands we consider the impact of conflicts of interest on the InfoSec function.

Rather than debate the esoteric nuances of theory, I think it’s easier for security professionals to evaluate observable activities.  Here’s a quick checklist for you to use to see if these conflicts exist in your organization:

  • Security leaders consistently fall into the ‘Dr. No’ role
  • Security incidents become exercises in “I told you so…”
  • The C-suite has little/no insight into important risk decisions
  • IT leaders talk in terms of security management, and not in terms of risk management

If you see any of these telltale signs, it is safe to assume you have the InfoSec leadership position misaligned within your organization, no matter who reports to whom.  When your availability function overrides integrity and confidentiality, it’s likely an organizational and people problem, not a technology problem.  You may have to disorganize the security function for security’s sake.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].