In my last article, Information Security and Compliance Explained, we covered what information security is and how it’s fundamentally different than compliance, even though they are often treated as the same. The previous article gave us a good definition of what information security is, and now we will cover what you should do about it.
The questions I get asked almost every time I speak to a group of CEOs are:
- What should I do now?
- What are the top 10 things that I should do?*
*Actually they only want the top 3 or 4, but I’ll share 10 anyway.
We will cover ten fundamental information security practices that should be followed in every organization. Here are the top ten information security things that you should do as the CEO of your organization:
- Think right.
- Get help.
- Get involved.
- Set goals.
Some of these things you can delegate to others, and some of these thing you can’t. As CEO you need to ensure that they are all getting done.
Most people agree with us when we tell them that information security is a business issue, not an IT issue (if you disagree, please read previous article). Although most people will agree, most people don’t act in a way that agrees. We have come to realize that people do what they believe, more than they say what they believe. Thinking right will lead to acting right. Not only do we say that information security is a business issue, we actually ACT like information security is a business issue.
Example: In most companies, information security (as a function) reports to (or through) the information technology (IT) function. A security administrator or team reports to the organization’s head IT person (CIO, Sr. VP of IT, IT Director, etc.). Here are just a couple of issues with this reporting structure reinforcing that information security should not be treated like an IT issue:
- IT and information security are sometimes (or often) competing forces. IT is usually focused on convenience, added functionality, and increased availability. Increases in convenience, functionality, and availability often introduce increases in risk. If the security message to us (as CEOs) is filtered through the IT lens, then how true is the message? Security and IT issues need to be considered together along with finance, sales, and every other issue we deal with.
- IT people are not very good at some foundational security requirements. In general, IT is not very good at writing information security policy, managing information security projects, documentation, physical security, security awareness/training, and social engineering. We know that the greatest risk to your information is people (not technology).
Ask yourself if information security is treated like an IT issue in your organization or not. If you’re not sure, ask around or get help. An objective qualified opinion is almost always a good indicator. Be honest, and start thinking right.
Information security management is a specialized skill, and every organization is different when it comes to what works best. You are not expected to be an expert, but you are expected to be informed. Get help from a trusted information security expert that can help you determine what role (specifically) you should take with respect to information security, and where your organization is with respect to information security management and risk.
Not everyone is “help”.
The million dollar question is how do you know if you’re getting the right help? There are hundreds of information security companies to choose from, and they will all claim to be experts who are the right fit for you. Here’s a tip; information security needs to start with what’s best for you, not your expert. Are they:
- Product agnostic – the motives for organizations that give opinions AND represent products should be questioned. For instance, you should question if an organization tells you that you need to replace your firewall and then recommends that you buy a firewall that they sell.
- Experienced – practical experience from your side of the table, not just consulting experience.
- Culture –speaking your language just security speak.
- Results – at the end of the day, this is what matters. Are there specific examples of how they can help you backed by real-world examples of how they’ve helped others like you?
Getting help from the right resource(s) will help you determine your point A and how to best get to point B over time.
There is nothing more important to the success of information security than active involvement and endorsement from the CEO. We’ve built hundreds of information security programs over the years, and we’ve tried building them with and without active CEO involvement. We’re convinced that the only way to manage security well within an organization is to involve leadership at the top.
State your commitment to information security publicly. State your commitment to information security to your people. Show commitment by participating where it makes sense. People are the greatest risk to your information, and people respond to consistency in commitment when they see that the management is leading the way.
Time and time again we hear that CEOs want to implement (or follow) best practices with respect to information security. Notice the word “follow”.
Best practices are really a collection of practices that an industry or group has generally accepted as good (or “best”). This is the herd mentality, and isn’t leadership at all. Remember when you mother told you “If your friends jump of a bridge, would you too?”
Following the example set by others within your industry is often ineffective for a number of reasons:
- Your organization is set up for the same failures. They don’t know what they’re doing any more than you do.
- If we agree that people are the greatest risk to your information, isn’t it true that you employ different people?
- Your culture is different than theirs. There are things that set your organization apart from any other. If your organization is different, how do we expect the same results from the same controls?
- A significant function of information security is physical security. Your organization isn’t in the same building, in the same geographic area, subject to the same threats.
The “best practices” for your organization are the best practices for your organization. There is nothing wrong with borrowing certain ideas from other organizations to help provide insight into your own, but what you don’t want to do is follow them.
We understand that best practices also establish a level of due care and due diligence, thus providing a level at which a person can fall below and be called negligent. If you establish your own best practices, this is never a problem.
Two things about information security:
- You are never “secure”. At least not in the sense that it’s a destination to arrive at. Information security is relative and requires constant, ongoing attention.
- You can’t change overnight. Many of the practices and processes that are necessary to make your organization more secure require time. Maybe even a long time.
Information security should be part of your regular strategic planning. Planning requires that we start somewhere (a risk assessment), and plan for how we make things better over time. An objective risk assessment will give you and your executive team the insight you need to understand where you are at and plan for where you should go.
All organizations should have an information security strategic plan, and the strategic plan needs to be in alignment with your other strategic plans; sales, revenue, marketing, growth, or whatever strategic plans you have in place.
Setting goals equates to setting annual objectives for information security. The goals help the organization ensure that its (strategic) plan is carried out. Simple question; what are your organization’s information security goals and objectives for the next twelve months? If you don’t have a good answer for this, then you:
- Haven’t been involved to the level that you should.
- Haven’t planned as well as you should.
Goals and objectives for your organization’s information security should be shared with you and your executive team.
It’s hard to manage something that you can’t measure. If your organization has planned well and set goals well, then you should have progress that you can measure.
Example: Our 2014 information security goals are to mitigate the top five risks noted in our information security assessment, which were:
- Removable media (flash drives, CDs, DVDs, etc.) are not controlled
- Employees are not trained or aware of information security in any formal manner
- Laptops and other mobile devices are not encrypted
- Passwords are weak and are not changed on a regular basis
- We have no incident response plan or procedure
Our budget for achieving our goals for 2014 is $300,000, and based upon the metrics used in our security assessment, we would improve our risk score from X to Y.
There is no way that you have time for all of this. It’s not your job to do all of this, but it’s your job to make sure it’s getting done. Delegate it.
Get reports regularly (quarterly?) on the measurable status of your company’s information security program. Implement a reporting structure and process to ensure that you get the right information from the right source(s).
I was once asked by the CEO of a company who is a client of ours; “Evan, I appreciate all you do for us in keeping us secure, but will any of this make us more money?”
This is a great question. After all, we are in business to make money. If we are investing in things that don’t translate into making more money, then it’s pretty hard to justify doing these things. Information security is an investment in your organization, and shouldn’t be treated as just another cost center.
We need to look for opportunities to capitalize on our information security investments. Do any of the five goals mentioned in the previous section translate to more revenue? If possible, they should!
Information security has become so important to your customers, your competitors, and your investors, that it has become a competitive advantage.
Example: A good-sized printing company does custom and direct mail printing services to clients around the world. The printing company has invested well in information security. Due to their strategic thinking, sound information security investments, and good communication (internally to sales staff and externally to customers), they are able to attract new and lucrative customers like big banks and retailers. Their information security investments do make them more money!
Seek opportunities to make more money from your information security investments and seek opportunities to keep more money from your information security investments. Good security often translates into better defined and implemented processes which can translate into more profit too.
Recently, I was asked on the air by a radio show host; “Do you think that people are reluctant to share information security incidents because they are fearful that they will be punished or ridiculed?” She was speaking about employees coming forward to report an incident or potential incident. If people feel compelled for whatever reason to not share what they know, then they probably won’t. It doesn’t matter what the reason is.
Encourage and reward transparency within your organization.
Employees are the best first line of intelligence and defense. If managed properly, they can and should be better than any alerting and monitoring device that we can install.
You need to know that no matter what we do or how much we invest (time, effort, money, etc.), we cannot possibly prevent all incidents and breaches. Regardless of what we do, we will still have a risk for loss. The goal is to minimize risk, and prepare for the inevitable.
Ensure that your organization has planned for what you will do if/when you lose control of important information. The plan needs to be thorough, practical, and tested regularly.
- Do you have an incident response plan?
- Are you involved in the incident response process?
- Have you tested your incident response plan within the last 12 months?
- Has your incident response plan ever been reviewed by an independent expert?
The answer to all of these questions should be “yes”. If not, you should act to make them “yes”.
As the CEO of your organization, you don’t need to do any or all of these 10 things yourself. You do need to be involved enough to ensure that all 10 of these things are being done within your organization and that they are done right; to your satisfaction. CEOs who don’t are more likely to encounter loss, including their jobs.
Stay tuned for my next article called, How to Start a Security Program!