Comments on TaoSecurity Blog: "Security": Whose Responsibility?
Blog author: Richard Bejtlich. Feed retrieved 2023-10-16T06:06:25-04:00. Seven comments.

Comment by C Ray, 2008-06-15T19:03:00-04:00:

You must have a CIO who is willing to support you when you step outside the bounds of IT. Being a senior member of the C-level team who interacts with all levels of the company, he/she must promote security internally to the division and within the various peer business groups. By promoting the department, it encourages those departments to be more forthcoming when involving security up front instead of after the fact. It also allows security to be better positioned when providing or justifying its business value to the organization. He/she must also support the interaction of IT Security with those groups. IT Security must stay in tune with the needs of those departments and be able to align them with the goals of IT. This is especially paramount given the ever-changing regulatory world we live in today, whether it's due to federal regulations, state privacy laws, credit card standards, discovery requirements, etc.

On that same note, the CIO must be willing to hear the news that may go against the operational needs of the division. If he/she cannot accept the fact that there may be legal/privacy/security issues with an existing/new IT product, then the security department is doomed to remain in the back seat and never to be truly integrated within the company. This also brings other issues up though, such as the security department ensuring it has a consistent and reasonable method for evaluating these risks. That's a different topic altogether though.

I have heard many arguments through the years that IT Security should fall outside of IT. There are pros and cons to both sides. Personally, if you can have a good relationship with (and the respect of) the CIO and have the business integration within the division, then I feel it is more advantageous to exist within IT. Being within the division enables the team to be closer to the issues at hand and therefore part of the solution. Again though, that is dependent upon many factors, but primarily the division's acceptance of the department and security's inclusion with ongoing projects. Being outside the division distances you further away with a function (or maybe perception) more like an audit agency. It also strains the ongoing challenge for your technical staff to work with the operational IT teams for the purpose of on-the-job training. That's a difficult enough task as it is for security.

I would find it interesting to know of departments who do fall outside the more common IT division tree to hear how they overcome these issues.

Comment by Anonymous, 2008-05-22T11:52:00-04:00:

What about the operational and oversight aspects of Information Security? The Operational side deals mainly with implementation of access controls and the Oversight function is mostly monitoring. Both functions provide consulting to other groups on architecture, process design, etc., but should they be together under the same management? What management team(s)? IT? Security? Legal?

Comment by Unknown, 2008-05-22T10:01:00-04:00:

To try and keep security and IT together, one could make the argument that audit should be set apart. The CIO would then have a reason to satisfy poor audit scores.

Interesting dilemma. :) In my own thoughts (but not experiences as of yet), it would seem self-defeating to have security outside of IT. To me, that seems to remove so much technical ability, access, and insight from the security team.

Comment by Roland Dobbins, 2008-05-22T02:06:00-04:00:

You can't divorce security from IT. Security has to be a key attribute of architecture and operations. It's nearly impossible to retrofit security after the fact, especially when that entails ripping apart networks or applications or other types of systems and starting over, because they're insecure and unsecurable.

Systems, applications, and networks must be designed from the start to afford complete visibility, so as to effectuate total control. There is no way that a siloed security group can adequately support these objectives.

There's certainly a case to be made for a distinct opsec group who respond in real time, but again, they can't be divorced from IT operations, else they'll be disbanded the first time they botch a response and end up making things worse.

Comment by Anonymous, 2008-05-21T21:45:00-04:00:

Richard, not only do I agree with your analysis, I've been making this argument for years now. So long as security is in IT, the CIO has to deal with a conflict of interest (whether or not he/she is aware of it) between his core function (availability) and the desire of security to balance the three.

The problem is one of perception. So long as security is not independent of IT, it will never be seen as the arbiter of all three corners of the triangle, capable of balancing the privacy concerns of the lawyers with the availability concerns of IT and the integrity concerns of the audit function.

That's what security needs to be: the professionals who bring together the three teams to arrive at an optimal result, in protection from attack, in detection of attacks, and in investigation and remediation after successful intrusions.

Comment by Anonymous, 2008-05-21T17:07:00-04:00:

Part of the problem lies within the use of the C,I,A triad. It's nice conceptually, served a purpose, but it's time to retire it:

1.) There is usually an assumption of equal value to an organization, i.e. valueofC = valueofI = valueofA. This is generally false.

2.) The value of C,I,A to an organization isn't easily quantified, so they end up getting an ordinal scale. What follows can only be described as logical carnage, exercises that make the brain ignore so many fallacies that you'd have to be lobotomized or on Prozac to noddingly accept the gross arithmetic sadism.

As far as corporate hierarchy is concerned, I can see where the CISO function might be beholden to the CRO or CFO if they are ultimately responsible for ERM.

If I had to choose, I would agree that Security (all functions) should be its own island and not dissected among IT/IRM & ERM/Physical Operations.

Comment by Anonymous, 2008-05-21T16:42:00-04:00:

Seems like the high-performing CISOs I know of that deliver on effective risk management across the A.I.C. triad show that ability independent of their position in the corporate hierarchy.

I think you are right about the optimal functional placement. You have a sound argument. I just think that capable leaders can find ways to work around obstacles like organizational hierarchy.

You've probably looked at other factors that lead to optimal performance for that role. Do you see hierarchical placement as a critical factor, or are you just attempting to present a justification for what makes most sense?