If you’re in charge of your company’s information security or data protection, it’s an interesting time to lie awake in bed at night, to say the least. We’d guess that only about one in ten security owners are resting easy. On one hand, from a technical standpoint we face a lot of the same old problems. On the other hand, things feel really different. Technical problems are one thing; it’s the circumstances surrounding information security management that have drastically changed in the last few years.
Threats are far more common. Attackers have organized into professional business units. We’re not talking about bored teenagers hacking from the basement. No: today’s attacker works with a team. There are millions, if not billions, of dollars being made on black-market clearinghouses that sell stolen credit card numbers and personally identifiable information. Nation states sponsor agency-level attackers who dragnet corporate secrets, patents and intellectual property by the truckload. Every day we hear about another high-profile data breach at a Fortune 500 company.
So, in large companies, in every IT organization, we find a Security Manager, a CISO, or someone in some other security-ownership role who is responsible for preventing their employer from being the next high-profile victim. They have some authority and perhaps even some staff, and certainly there is some excellent technology to work with. So with these dedicated roles and assets in place, why are massive data breaches and security failures so rampant?
You can learn a lot about security failures by studying security management. When we started doing in-depth research on the world of the security manager, right away we found that most security managers fall into two groups. They are:
- The talented IT professional who has progressed into management. There is a logical path here. Smart IT folks are the number one talent pool from which information security specialists come. At some point they begin to specialize in security, and if they do well they eventually grow into a management role and become a security owner. Here’s where we run into trouble: like so many technologists who are good enough at IT to be given management authority, they don’t always prove to have good management skills (at least at first). So the technology component is covered for these folks, but the weakest links in information security aren’t the technology pieces; they are people and processes (or the lack of them). And if you’re not good at management, you don’t have those pieces covered.
- The manager who has been placed in charge of information security. Obviously, these folks are a little better at the management role, but they often don’t have technical backgrounds or IT experience, and that matters. The management professional or business leader often also struggles to design and maintain effective security processes and policy, not because they don’t appreciate robust processes, but because they lack hands-on experience with the technical specialists, IT staff and systems that those processes have to govern.
Both groups clearly bring value. But it’s a rare security pro who comes out of the gate good at managing all the ingredients needed for robust protection: the technology, the people, the processes and the interaction between them.
So what to do? Good technologists don’t make good security managers without good management skills. Good managers don’t make good security managers without adequate technical literacy. Both sides of the coin are critical, and a deficiency in either inevitably leaves a weakness that ever-watchful attackers can exploit.
The key, in our view, is the right kind of literacy: not just technical literacy or management literacy, but literacy in both within an information security context. Managing for security isn’t like other types of management. However, as with many other management dilemmas, the obstacles boil down to a lack of well-defined business processes that integrate people and technology and bring them into alignment with overall management objectives.
That’s a tough situation, but there is good news. First, naming the problem matters, because you have to diagnose the illness before you can prescribe the cure. And second, there is a cure, because we’ve made major strides in teaching organizations how to build solid business processes that integrate people with sophisticated technology and complicated business objectives.
But first, you have to understand the dilemma.