Information Security (formatted) · 2019-12-18 · 2 Introduction Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification,


Balancing Information Security and Enablement

By

Heather A. Smith James D. McKeen

The IT Forum … is a focus group of senior IT managers from a variety of different industries convened regularly by the authors to address key management issues in IT. This report highlights a recent discussion.

– See back page for details of the IT Forum and other reports.


Introduction

Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g., electronic, physical).

Because the value of an organization lies in its information, its security is critical for business operations. When information is jeopardized or breached, the organization loses credibility with its shareholders and the trust of its clients. Companies live in fear of being hacked and for good reason. Even big-name brands (e.g., Apple, Target, Home Depot and Neiman Marcus) with their considerable resources have fallen prey to hackers who have sniffed out vulnerabilities in their IT systems in order to exploit private customer information. And the expertise of hackers launching threats from both foreign and domestic locales is continually rising. Attacks are now launched via a multitude of channels, such as tablets, smart phones, or IoT devices. It's what keeps CEOs awake at night and CIOs pouring money into information security management efforts. To address these challenges, most large enterprises employ a dedicated security group led by a chief information security officer (CISO) to manage the organization's information security program. The security group is also generally responsible for assessing information risks and determining the appropriate protective controls.

Information security management is a set of strategies for managing the processes, tools/technology, and policies necessary to respond to a rapidly changing cyber threat environment.

However, while information security organizations seek to protect information, applications, and other forms of hardware and software by limiting access to them and providing other types of defenses, their goals can conflict with the work of the rest of IT. In general, today's IT organizations are seeking to become more agile, implement new products more quickly, innovate rapidly, and experiment in real time, thereby enabling their business to become more dynamic and responsive to the marketplace. On one hand, traditional security practices can inhibit these goals, while on the other, these new IT practices can leave organizations more vulnerable to security breaches. Therefore, IT organizations are increasingly recognizing the need to reconcile these two sets of goals, that is, to balance information security needs with enabling the business with technology in a more timely fashion. This paper explores the challenges involved for organizations in addressing this conundrum. It first examines the current information security environment and its practices. Then it identifies the challenges that arise from these practices, especially those that inhibit the IT organization's new goal of rapid business enablement. Next it looks at how organizations are trying to address these challenges by modifying policies, practices, and methods. Finally, it makes some recommendations for managers seeking to facilitate both information security and enablement.

Current Information Security Practices

The primary goal of information security is to mitigate risk and prevent revenue loss, the focus group agreed, with data losses representing most organizations' biggest concern in this area. As organizations' vulnerabilities have grown, particularly since mobile technologies were introduced, information security has matured and progressed, said the focus group. It has evolved into a significantly complex IT function over the past decade, and members predicted security will become even more challenging in the future. Today, all focus group members have a CISO reporting to the head of IT. Within the information security function, they identified several sub-functions, each with its own area of expertise. These include:

• Security Governance. This establishes and maintains security processes and practices and identifies who is responsible for signoffs and security-related decisions.

• Access Management. This manages who is able to access systems, data, and networks and at what levels (e.g., use, update, administration).

• Threat Monitoring. This is a real-time function that is continually watching for security breaches.

• Security Operations. This function is responsible for verifying that an organization's people, systems, and buildings are secure. It covers both physical access and testing (both in-house and by third parties) to ensure that employees are following security procedures and that no unauthorized access is allowed.

• Security Advice. These specialists assess technologies and proposed uses of data to determine if they are dangerous or risky, often providing a formal vulnerability assessment.

• Security Architecture. This addresses identity management tools and practices, product selection, and the setting of standards and policies for IT practitioners.

"Security touches everything." said a manager. The group noted that information security is closely related to a number of other organizational activities such as: privacy, which protects personal information; internal audit, which ensures that practices and procedures are properly followed; compliance, which ensures that laws and regulations are followed; legal, which develops and monitors contractual obligations about data; and HR, which oversees security matters related to personnel. "These are really different lenses we apply to the work or

Page 4: Information Security (formatted) · 2019-12-18 · 2 Introduction Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification,

4

different views of the same puzzle," said a manager. "Each of these form part of the larger function of enterprise risk management. Information security typically reports to the Board of Directors through its Enterprise Risk Committee. "Our Board is increasingly interested in information security matters and is constantly requesting updates," said a manager. "Our Board is very worried about security," said another. The relationship of security practices to development and other IT functions is inconsistent, according to the focus group. Members explained that different parts of security should be involved at all phases of IT planning and development. "Ideally, security should work with technology planning and participate in all new solutions and technology acquisitions," explained a manger. However, "engagement with projects is still an emerging activity and needs to develop more discipline," another noted. With more and more off-the-shelf, cloud, and other types of vendor services being used in contemporary IT work, security staff should also be involved in new vendor reviews to ensure that their security practices are adequate for the organization's needs. "There is currently a paradigm shift going on with external applications right now," said a third manager. "No one really knows exactly how security and privacy should best be handled in this area as yet." Security should also be involved at the front end of the development of all processes and projects and with the selection and management of security tools. And finally, it handles investigations into both internal and external data breaches and fraud. All of these activities are designed to assess and mitigate risks and threats to the organization and its revenue streams caused by new types of technology and the increasingly interconnected access to company data and networks. "These are only one type of risk," said a manager. 
"Other types must be taken into consideration as well in order to protect the organization." As a result, in many member companies, a number of different groups are typically involved in deciding whether or not to take a risk on a new type of technology or application. "Most organizations take a risk approach rather than a security one," said a member. "They ask, Is this a reasonable risk? and What controls and remediation are needed to reduce the risk involved." The result is that security controls are often applied inconsistently and without a clear view of their impact on IT enablement.

Information Security Challenges

The dynamic and ever-expanding scope of technology in organizations leaves their information security functions struggling to keep up. It is not surprising, therefore, that the focus group reported that they face a number of significant security challenges. "Our leaders say, 'Be fast! Be competitive! But follow all our procedures,'" a member stated. "But these take forever!" "Our risk management practices are so vague," noted another. "They're complicated and antiquated." "Our current security processes create churn and inhibit speed," said a third.


A key component of improving information security is therefore understanding and addressing some of the challenges IT organizations face when attempting to marry good information security with speed and agility. One of the biggest challenges involved, said the members, is a lack of coordination between security and other IT groups. "There are a lot of missing dots that need to be connected," said a manager. "We have some coordination, but it's iffy and inconsistent," said another. "Our security is baked in inconsistently," added a third. As well, there is a strong need to align security functions with those concerned with privacy (HR, Legal) and with internal risk and audit (CFO). "There's no place where these decisions are made," concluded the group.

A second challenge relates to the emphasis companies place on different aspects of security. "There are two views of how security should be addressed in organizations," said a member. "The first is education and the second is mitigation." Too often, less attention is paid to the first. The focus group was adamant that more work needs to be done to create a culture where security is always a consideration. "At present, our culture is at the horse and buggy stage," said a member. "There must be an evolution and a change at the individual level," said another. "We need more trust in our employees," said a third. The group believed that their companies were focusing in the wrong place, i.e., trying to harden controls after things go wrong instead of developing a more security-aware culture. Members stressed the need for an effective code of conduct that would enable employees to use their judgement within certain parameters. "Right now, we just use a 4-page waiver which no one reads because someone in Legal/Compliance says we need it," said a member.

Organizations recognize that there's a tension between sources of threat. On one hand, the majority of breaches are internal, whether from negligence, stupidity, or criminal activity. On the other, they recognize that there are significant external threats as well. "We need a balance," said a member. "With our employees and with others as well, we must trust, but verify." To this end, many organizations have staff to review logs and monitor employee conduct. "When there's a breach, we need to take swift action," said another. "Some are mistakes; others are shades of grey." Most organizations take the nature of a breach into account in their reactions. "If it is bad, the employee is gone; if it is not so bad, we have them in for a chat and monitor them more closely," said a manager. Some members of the focus group complained that employees are always treated as threats. As a result, "Our company blocks all access to external access apps across the board," complained a member. Members also questioned whether risk is the right lens for companies to take on security. "Understanding our risk appetite and developing risk metrics are very challenging," said a member. Yet IT is constantly being asked to quantify risks for its senior executives. "What does 'medium' risk mean?" asked a manager. "You never get risk below medium because if you say something is unlikely to happen, and it does, you're in very hot water! And there are no good metrics around project risk." "We've moved to a Risk Management Framework," said another.


"Now that we're looking at everything together, some of our policies and practices just don't make sense! In the past, it didn't matter, but now it does." (see Figure 1) Another member noted that IT had built a new application for its customers outside of its current operating environment due to risk considerations, but even though it was now mature, it couldn't be brought in-house "because of our current security/risk posture." The group added that as new risks appear, systems and organizations need to become more adaptable. For example, they noted that many senior executives are not comfortable with cloud risk. "Most cloud providers are more secure than our companies because our organizations haven't made the same investments in security," said a manager. "However, with cloud services there's more to lose and this means we have to forge new risk tolerances and practices." The group stressed that security requirements are not static and that context matters. As a result, corporate policies don't always work well in this dynamic environment. "The ideal security position is a world where everything is isolated but unfortunately, everything is connected," said a manager. "Our security issues reflect the whole flux in the economy." Another added, "Often rules are imposed to shut everything off but then if it's important enough, exceptions will be made. And there are tons of exceptions!" Thus, in reality, information security is often very porous in places. For development in particular, security can be especially challenging. "One guy's opinion can derail an entire project," said a manager. "Our security advisors are keeping up, but barely. They often say no about something because haven't looked at it yet." "We can enable a public environment for developers but we aren't allowed to use customer or organizational data to test it." The group agreed that security decisions can often be myopic and project-based. 
"There's a real need for standards and coordinated security practices across our organization," stated another. In addition to these general issues, the group found that there were some specific security problems that are especially challenging. These include:

Figure 1. A Risk Management Framework

Page 7: Information Security (formatted) · 2019-12-18 · 2 Introduction Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification,

7

• Authentication. How to authenticate users remains a perpetual problem1 that has become

worse with the introduction of mobility, multiple access devices, and the increasing number of external partners in organizations."Right now, almost every application has a different type of authentication," said a manager. "Therefore, there's no easy way to know who I am."

• Access Control. Access controls are currently also embedded in different systems, inhibiting consistency and preventing ease of use.

• Data Access and Use. Now that many companies are doing IT work with external partners and vendors, they need to figure out how to assess the security of other organizations so they can share data. At present, the common security position is loss prevention, that is, "we don't care what comes in but no data can go out." Many organizations actively sample what data is flowing out of their organizations and shut it down. This short-term thinking conflicts with the need to work in partnership with a number of third parties. As well, newer views of privacy are pushing toward allowing customers to control their own data and how it is shared, rather than having the company do it. Finally, there is a need to distinguish between viewing and using data, said the group. "These are two different things and are not clearly discriminated in our current security practices and policies," said a manager.

• Physical Access. Surprisingly, the group had many complaints about how physical office space security is handled. "In today's collaborative work environment, we need to allow people to move around – from desk to desk, floor to floor, and building to building," said a member. "At present we need to book our movements with an office assistant. We simply can't work this way!" Others agreed. "These are cultural leftovers. Right now, we need to fight for every privilege. We even need to consult an assistant for booking meeting rooms and to get washroom codes." They noted that automating access is possible but is also expensive.

• Security Tools. Although these have come a long way, as security issues arise, more tools are always needed. Some security tools, like virus checkers, are now pretty straightforward but are still needed as deterrents. Others, such as encryption, are still problematic because they continue to cause performance issues. And more tools for monitoring information security in the cloud are also needed. "The real question that needs to be addressed with these tools is, 'Are we safer?'" said a manager. "Right now, we could do nothing and still be safe, or have $10M in security tools. There's no real way to quantify safety."

The group summed up the current information security situation in their organizations in this way: There are always threats from everywhere, so we need systems of control to enable us to prevent breaches, identify them when they occur, and take swift action when necessary. However, our current processes are ineffective because there are gaps and because they create churn that inhibits speed. As a result, our processes must adapt if we are to enable development and innovation with technology.

¹ See McKeen and Smith, IT Strategy: Issues and Practices (2nd ed.), 2012.

Improving Information Security

"In the past, security was simply a box to check," said a member. "Now we need to be more thoughtful about it." The focus group agreed that expectations of information security are changing as threats become more pervasive, but they also felt that there are many more options for effectively managing them than in the past. At the same time, however, security issues should not be allowed to inhibit what an organization does. "IT should not be police but enablement enforcers," said a manager. The group identified several ways their organizations are working to improve their information security practices, including:

Building in Layers. One of the best ways to simplify security is to take access and authentication management out of individual systems. This allows organizations to layer on new security capabilities in context. For example, one organization is building geo-fencing into its mobile access controls for certain areas. "We want to balance the need for basic access to our environment with rings of defense, much like a medieval castle," said a manager. However, he added that these will only be as good as the existing controls and can't guard against novel threats. "If a plane decided to attack the 'castle' they would be useless." Layers would also be useful to contain disasters.

Protecting Data. All agreed that data protection is the number one security priority, but addressing it requires addressing issues that have been problematic for years. "We talk a lot about providing access to data but don't want the responsibility of deciding who can have what data," said a member. There are also second-order issues to be resolved related to data ownership and who can sign off on access. Both of these require a more rigorous information classification scheme than is currently used in most organizations. They also require companies to actually know where their data is, since much of it has been replicated in different systems over the years. "Data can be managed and kept under control but first we need to know where it is and ban new file-based storage solutions," said a member. To accomplish this, several focus group organizations now have a data group that is gradually "repatriating" and centralizing company data so that it can be more easily protected.

Beginning with a Dialogue. Group members agreed that companies need to get comfortable with the shifting risk paradigm, and doing this requires having more thoughtful conversations with all the parties involved and developing a widespread understanding of the real risks involved. "In the past, we've had blanket prohibitions, like 'no information can leave the company'," said a member. "Now we need to do our homework, consider context more, and be aware of what's missing." "Our conversations are too security-focused," added another member. "We shouldn't start with a risk view but with enabling our customers and our employees. Our organization now is safe but our staff can't bring up a customer account!" The group stressed that security should never be boiled down to one guy saying no, but based on multiple people saying, "Yes for now, though we could say no in the future." "If you start with a risk view, you don't always incorporate all the dimensions of enablement," said a manager. "Conversations also help to more properly assess and identify risk," said another. One company uses peer reviews for all project security matters. "This promotes really good conversations and means that we must have two guys saying no before we need to change things," said the manager. Finally, the group agreed that security practices and decisions are not always questioned or challenged enough. "We need to push back a bit more to find the right balance," said a member.

Understanding Trade-offs. Simply identifying risks is no longer good enough when almost everything an organization does with technology bears many different types of risk. The goal of a dialogue is to try to promote "smart risk," i.e., understanding the trade-offs. "We need to better understand who 'owns' risk," said a manager. "This helps people know what they can do and makes sure that risks are addressed at the right level." Trade-offs involve analysis of the nature and severity of a risk in context and looking at it from different perspectives (e.g., privacy, security, contractual, etc.) as well as understanding the functionality that is involved. This enables decisions about risk to be moved to the proper level and adjustments to be made to risk practices as needed. "Our business is terrified if you say something is a risk," said a member. "We need to force a trade-off analysis between risk and enablement, and it needs to be done at the right level with full knowledge of the issues involved and their severity."

Fixing Processes.
Although security processes are important, dialogue should come first, said the group. "An enterprise decision framework is very helpful in redesigning processes to be more effective," explained a manager, "but we should talk first and then follow the process." Such a framework establishes accountability, and accountability will change the conversations. All too often, those developing a process don't feel the pain of its constraints. Accountability leads to better decisions and better architectures, the group believes. Processes should also ensure that security functions are involved early and policies are applied consistently. "If we get the right people involved at the beginning, 80% of the work will be done," said a manager.

Partnering. Effective security and effective enablement shouldn't be opposed to each other. "Each needs to get to where they care about both sides," said a manager. "For example, we should both care about virus scanning and the time it takes to boot a computer." "We should not have an adversarial relationship," said another. The group noted that security issues should not be simply a check box but a partnership where all stakeholders are involved early in a process. "In the past, security has been able to impose its will on development and this must change," said a third. "But all the groups involved – technology planning, the business, legal, compliance, and development – must change as well so that security is engaged early." In short, organizations should adopt a multi-disciplinary, multi-stakeholder approach for all security issues.

Collaborative Planning. The best way to ensure that security and development co-evolve is to plan for them collaboratively. "Security standards and policies should be reviewed annually," said a manager. "Our leaders should have a regular discussion about them to see if they are still relevant." One important way to identify whether a security policy is ineffective is to review the security waivers that are requested. "If there are too many, this is an indication that something's wrong," said another. A good start to the planning process is to understand how an organization's systems are connected at an enterprise level. Then, security requirements can be built into a roadmap that is reviewed regularly and used to develop a common understanding of security needs. Similarly, a set of security requirements for cloud providers should also be developed collaboratively.

Using Prototypes or Agile Development. "Prototypes help us a lot in understanding the security issues of a new application," said a manager. "People can understand them better when they can actually see what's involved. There are fewer what-ifs." New agile development methods also help clarify security issues earlier in development. Their emphasis on iterative development means that everyone can assess events in earlier iterations and make modifications as a project evolves into an enterprise-class initiative. Agile methods also embed security advisors into the development team, and their emphasis on peer review builds consistency. In cases where it is not possible to use these methods, the group recommended using tabletop exercises based on actual events to surface important security issues and integrate them into practices.

Recommendations for Managers

The focus group also had a number of recommendations for those seeking to improve their information security practices. These address obvious gaps in current practices as well as new areas of endeavor that IT organizations should be researching and preparing to address.

• Focus on Education. Becoming smarter about information security and its risks is a big learning curve for everyone. "We must develop a culture of information security awareness," said a manager. "This includes training programs, metrics, and monitoring of long-term effectiveness." Ideally, all levels of employees, including senior leaders, should participate so there is a clear common understanding about security expectations and behavior.

• Work at a Higher Level. There is still much information security work to be done outside the organization. Companies need to work with regulators and participate in forums to change regulations that are ineffective or overly complex. Both Canada and the United States have cyber-incident response centres where companies can report threats, hacks, and phishing attempts. Unfortunately, these agencies do not collect information about data breaches because companies are concerned about their liability in this area and will only report if laws are changed to enable them to do so without creating legal problems for themselves. Finally, organizations should support the development of security standards. "We must insist on certification standards for all new products," stated a manager.

• Support Innovation. Innovation is a fact of life in organizations. "You can't say no," said a member. "We must figure out how to do it safely and find a middle ground with our information security team." This includes balancing short- and long-term cultures, and allowing some leeway in security controls during the innovation process. "Sometimes you just need to make a mess to see what works," said another.

• Develop Mechanisms of Trust. "The more we trust each other, the more security problems go away," said a manager. This is true at the individual, functional, and corporate levels. Working together generates trust, as does establishing shared goals and common understanding.

• When in Doubt, Escalate. When conflicts between security and enablement arise, the best way to resolve them is to escalate the conversations. "If Security says something's awful, we take it to the CIO. It works like a charm!" said a member. If a security problem occurs, one of the best ways to modify behavior is a requirement to report it to the Board or a Board committee. "No one wants to have to come back a second time to explain things so you have to fix it," explained another.

• Develop Metrics. You can't manage what you cannot measure, and security metrics are still very poor. Ideally, metrics provide feedback to monitor and improve safety as well as a mechanism to review safety with internal audit. Some organizations have developed a security scorecard which they present regularly to the Board. "Our boards are increasingly interested in security and are always requesting updates," said a manager. "Our scorecard looks at increased risks, the nature of events, security spending, and the impact of events." Metrics also provide a basis for continually monitoring how well security practices are doing and a way to determine whether the organization needs to invest more.

• Get Ready for Ecosystems. Increasingly, companies are doing business with third parties, and they are then doing business with others. The security implications of these newer business models are extremely difficult to manage and are only going to get worse. "Right now, we deal with these relationships contractually but as true ecosystems develop to share data and work, we are going to face huge security challenges," said a manager. One group member now has a full-time team to review and approve the security practices of the many facilities that would like to access its data. "We need to equip IT to hold security conversations with our external stakeholders and these organizations must be at the table if our new business models are going to be effective," said another. One approach some companies are looking at is establishing a consortium of trusted providers where, once admitted, data can be shared by the entire group.

Conclusion

Balancing information security with enablement is one of the most important challenges of the modern IT organization. No one wants to be on the wrong side of this issue. Both the ability to develop new functionality faster and more flexibly and the need to protect the organization from risk are within IT's mandate, and they pull it in two different directions. The first throws caution to the winds, while the second wants to tightly control everything that is done, ideally without any interconnections or online connections. Neither of these postures is appropriate, and it is therefore up to IT leadership to find the right balance between them. There is no right answer regarding the optimal balance. Organizations must therefore decide for themselves based on the nature of their business and the level of risk they are prepared to accept. However, it is incumbent on all leaders to make security decisions in a thoughtful, intentional way, understanding the trade-offs they are making. To do this, the focus group was clear that it is essential to ensure that ongoing conversations about this security-enablement balance are taking place on a regular basis.


Concept

The purpose of the IT Forum is to bring senior IT managers together to examine topics that are of critical concern to them and their organizations. Via the Forum, members share experiences, learn from their peers, establish valuable networks, and develop practical strategies for creating, implementing, and managing IT solutions.

Recent Papers

• Improving Customer Experience
• Mobile Technology
• Redefining IT
• Innovation with Technology
• Emerging Technology Management
• Developing a Data Strategy
• Developing a Cloud Strategy
• IT in 2020
• Transforming to Dev-Ops
• Developing Thought Leaders in IT
• IT's Role in a Culture of Experimentation
• Managing Disruption in IT

Participating Organizations

• Bell Canada
• BMO Financial Group
• CAA
• Cadillac Fairview
• Canadian Tire
• CIBC
• eHealth Ontario
• Empire Financial Group
• LCBO
• Ontario Teachers Pension Plan
• Ontario Universities' Application Centre
• Scotiabank
• Sun Life

Membership

Membership in the IT Forum is by invitation only. The annual fee is $3,000. Please direct inquiries to Dr. James McKeen at [email protected].