We have all experienced how complexity inhibits efficiency. Be it with government growth, corporate bureaucracy, even the U.S. tax code - the more complex things become, the harder they are to manage. Interestingly, many of these complications do not have to evolve but they do. Be it human complacency, ignorance or a number of other contributing factors, it is just how things work. We are also starting to see such complexities evolve in IT, and specifically, information security. Should we just sit back go with the flow or do something about it? It is deciding time.
Numerous factors contribute to information security complexities: network design, lack of training and knowledge on the part of users and IT staff members, policies, business processes, government interference/compliance, and the growing amount of electronic information we have to deal with. The mere fact that many in management do not understand information security - and therefore ignore it - ends up contributing to the problem as well. I truly believe that most rational business people understand the importance of minimizing these complexities. The outcome is predictable and the payoffs can be huge when we keep information security simple. But how do you do that?
First off, I often see organizations struggle to manage disparate information security requirements. Many manage single policies or compliance regulations as standalone requirements. For instance, they do what they can to become "compliant" with a certain industry or government regulation, then they will move on to meet another set of security restrictions a business partner requires, and so on. Everything is a silo - nothing is streamlined. It is putting out one fire after another. This is not a good approach nor is it a sustainable one.
If you step back and look at information security from a high level, it is all the same stuff regardless of the industry or the regulations. Sure, there will be a few nuances and caveats here and there but, by and large, it is all the same stuff.
Knowing this, one of the best things you can do to minimize information security complexities is to align what you are doing in IT, information security and compliance with a framework such as ISO/IEC 27002:2005 (formerly known as 17799:2005). Adopting a framework such as this will drastically reduce the time and effort it takes to get things established, as well as the costs of managing information security and compliance moving forward. It is also something recognizable to your customers and business partners that will demonstrate that your business takes information security seriously.
Most business problems boil down to people. Information security is no different. If you are going to have an information security program, everyone in the organization needs to know three things: 1) what they need to do (i.e. what management expects); 2) when they need to do it (i.e. specific circumstances or deadlines); and 3) how their actions are going to be measured (i.e. passing awareness tests and notifying others of misuse). The people part is that simple. If you structure your information security program with these three things in mind, you will set everyone up for success.
Even with all the variables, information security does not have to be complex if you focus on what counts. By that, I mean addressing your greatest risks on your most critical systems - not just adding new layers of controls across the board because some vague assumptions or because a vendor told you that's what you need. Dr. Phil McGraw says you do not solve money problems with money. The same goes for information security - you do not fix security problems with (more) security. Additional layers of complexity will only serve to bite you down the road. Sure, there are certain complexities you cannot avoid, such as business politics and organizational culture, but if you have a choice in the matter and can effect change while things are (relatively) simple this early on in the game, why not?Solving problems is often easier when you do not over-think things. As much as I did not understand the value of the K.I.S.S. (keep it simple stupid) approach in my younger years, I have grown to appreciate what it can do for us in business. Simplicity should be your top goal for managing information risk. Information security is complicated enough as it is - we do not need to make things more difficult. If you keep things simple and work toward better - and smarter - security up front and moving forward, I guarantee it will make a positive difference.