Ever tried sitting on a chair that has just two legs? It can be done, but not without a great deal of effort. Adding just one more leg provides the balance that makes the chair functional, with much less effort and much more reliability.
The same holds true for a corporate information security program. Too many companies think that a corporate security policy and loads of security products are all it takes to maintain a secure information infrastructure.
Of course, security policies are vital to protecting an organization. Far more than a bureaucratic hoop to jump through, security policies outline the who, what, when, where, how, and why of a corporation’s information security plan.
They’re like “how-to” guidelines that identify the procedures that must be followed in order to avoid unsafe practices that would jeopardize the confidentiality, integrity, and availability of corporate data.
And trying to protect information assets without using security technologies is virtually impossible in today’s Internet world. With the right solutions implemented at the right places and configured in the right way, security technologies can make a formidable defense against the seemingly unending flood of malicious threats that pop up and circulate day and night.
But policies and products are only two legs of the information security chair.
The third is people.
It’s not just that people make the corporation’s layers of security technologies run. Or that people create and follow the corporation’s well-defined security policies, procedures, and processes.
It’s that people can compensate for deficiencies in processes and technology. Indeed, people can be either the weakest or the strongest link in the security chain.
Ownership and Authority
Information security is no longer simply an IT issue. Now, thanks in part to industry and government regulations, information security has become a priority in boardrooms across the country.
CEOs and COOs recognize how closely security issues are tied to regulatory compliance, corporate brand, business continuity, and customer trust. Consequently, there must be a clear information security leader in place who is accountable for the organization’s security program and has the authority to enforce security policies.
Information security knowledge and expertise are not easy to come by. Nevertheless, because information security issues are critical, complex, and evolving, they remain most effectively and efficiently addressed by experienced, credentialed professionals.
Some organizations choose to develop this expertise in-house. Others find it more cost-effective to outsource some or all of it.
In hiring and developing an in-house team, it is important to build a well-rounded group that has a blend of technical and business skills.
Broadly speaking, information security personnel fall into three major categories: management, technical, and audit staff. An information security team typically consists of one manager and one security audit professional, with the remaining personnel filling operational roles.
From an organizational perspective, the information security team can be structured as functional and centralized, or geographic and decentralized. Each has its own advantages and disadvantages.
For example, a functional organization allows for better utilization of resources; however, because it requires cutting across business units and geographies, it also puts the right resources a little farther away from internal customers and users.
A geographic organization fosters closer working relationships with members of customer organizations since security staff must deal with internal customers daily. However, this structure also often encourages security staff to become jacks-of-all-trades rather than much-needed experts in critical functional areas.
Because information security impacts virtually every employee in every department of an organization, an information security program must involve more than the IT security staff.
To that end, an information security governance board must be established to define the overall goals of the company’s information security program, outline policies, and make critical decisions regarding implementation. This board typically consists of cross-functional, senior-level leaders from key organizations such as legal, human resources, and facilities, as well as relevant business units.
Threats to information security are not likely to abate anytime soon. If anything, they’ll likely become even more insidious, destructive, and powerful.
But with a balanced information security program in place, one that brings together a strong combination of people, processes, and technology, organizations are better positioned to defend their information assets from whatever tomorrow may bring.
Mark Egan is Symantec’s CIO and vice president of Information Technology. He is responsible for the management of Symantec’s internal business systems, computing infrastructure, and information security program.
Prior to Symantec, he held several senior-level positions with companies including Sun, Price Waterhouse, Atlantic Richfield Corp., Martin Marietta Data Systems, and Wells Fargo Bank.