Managing a security function: diagnostic version 1

Published by: Information Security Forum

Tel: +44 (0)20 7213 1745 Fax: +44 (0)20 7213 4318 E-mail: [email protected] Web: www.securityforum.org

Project team: Adrian Davis, Martin Tully, Gary Wood

Review and quality assurance: Andy Jones, Steve Thorne, Andrew Wilson

Design: Louise Liu, Snehal Rabadia

WARNING

This document is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected].

Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification: Restricted to ISF Members and ISF Service Providers

Information Security Forum • Managing a security function www.securityforum.org


Preface

Being effective, in the business world, is doing the right things: the things that customers value; and matching products or services to the needs of the consumer. Traditionally, information security leaders and functions have delivered effective but often technically-oriented security products and services to the business. However, as the commercial environment and the threats and risks to business and its information alter, information security may have to change and adapt to the new conditions.

To assist information security leaders in understanding the requirements of their business and how best to align the function and its activities, the ISF has developed a diagnostic, which is split into two parts: the first covers the function; and the second the characteristics of the information security leader. By completing the diagnostic, a ‘profile’ of the function and leader is generated. Asking a third party (either a business manager or someone on the leader’s immediate reporting line) to complete the diagnostic provides an instant comparison which the leader can use as part of a toolkit to more closely align the information security function to the business.

Contents

The diagnostic (page 3)

Interpreting the results (page 8)

This diagnostic is intended to be used by:

• leaders of information security functions, such as information security managers, Chief Information Security Officers (CISO) and heads of information security departments or functions

• business managers and executives (non-information security leaders)

• people aspiring to be information security leaders.

The background drivers to the Effective approaches to managing a security function project were to help ISF Members investigate how to lead a security function, explore how to sell security and an associated vision and examine how to deliver information security in an organisation. Accordingly, a series of highly interactive Member Special Interest Group meetings were held in Amsterdam, London (twice), Johannesburg, Singapore, Melbourne, San Francisco, Ottawa, Boston, Munich and Oslo between May and July 2007.


The diagnostic

The purpose of the diagnostic is to stimulate thought and debate about information security in an organisation by:

• facilitating communication with business people

• understanding how an information security function and its leader are perceived by the business

• ‘kick starting’ a programme to close any gap between what the information security function provides and what the business wants.

The diagnostic is designed as a simple, easy to complete tool, which provides a common language and terminology and which is capable of enhancement over time via feedback and the use of metrics.

The diagnostic has been split into two parts; one examining the information security function, the other the information security leader. In both parts, the characteristics are described ranging from an IT / technology orientation to a business / risk orientation. The two parts of the diagnostic are presented on the following pages, with instructions on their completion.

Further uses for the diagnostic

The diagnostic can be used in other ways, apart from providing a baseline or comparison tool. Several uses are highlighted below:

1. A development and appraisal tool for information security leaders and individual members of staff.

2. A component of a strategy toolbox; used in conjunction with the value chain, the diagnostic can be used to identify gaps, value-adding activities and drive change.

3. An analysis tool for the creation of an information security strategy, capturing the current position of the function (the mission) and the desired position (the vision).

4. A tool to review the information security strategy in the light of changes in the environment, business and market.

5. A framework for prioritisation; each project, programme, initiative and business case can be reviewed against the diagnostic.

6. An educational tool to raise awareness of information security activities and explain to the business why and how certain activities are performed.

7. Input into a ‘90-day plan’ for a new information security leader; the results of the comparison can be used to identify quick wins and longer-term activities.

Basis for the diagnostic

The diagnostic has been developed using the combined input of senior information security professionals from across the globe, captured: in 11 facilitated meetings, through the use of business simulations and interactive data-gathering sessions; from written questionnaires and surveys completed at the meetings by attendees; and from the analysis and results of 15 in-depth interviews with Member representatives (including non-information security executives) to explore the project topic and validate the diagnostic. The analysis of this material, combined with desk-based research and previous ISF work, was used in the development process.


Diagnostic part one: Function

Part one addresses five areas associated with the function, namely: purpose; people; activities; communications; and measurements. Each of the areas has four questions associated with it, except the measurements area which has three. The questions examine the degree of technical and business alignment for that area. Part one is shown below.

To what extent is the function… Place an F in the most suitable cell for each row. The five cells, from left to right, are: Like this | Mostly like this | Elements of both | Mostly like this | Like this. In each row the left-hand statement describes an IT / technology orientation and the right-hand statement a business / risk orientation.

Purpose: focused on…

• understanding the risks facing technology | understanding the risks facing the business

• securing the individual elements of the infrastructure and related software | securing the business through a security architecture

• delivering 100% secure operations (ie without assessing risks) | helping the business balance risk and reward

• helping the business meet compliance requirements for each law and regulation individually | helping the business meet all its compliance obligations through an integrated approach

People: staffed by people who…

• are technical experts (eg have primarily technical qualifications: MCSE, CNA) | are business advisors (eg have a mix of technical and business qualifications, eg MBA)

• primarily have deep and narrow technical expertise and experience | primarily have broad expertise and experience in a business context

• fulfil an internal, security-focused role | are sought out by business people

• develop deeper technical expertise | actively look to develop their skills in new business and technical areas

Activities: organised to deliver…

• technology-based security solutions | security solutions which address people, process and technology holistically

• ‘tick box’ implementation of standards and compliance controls | ‘tailored’ activities driven by business risk and assurance requirements

• security operations and management | an advisory service which provides security solutions for the business to implement and own

• a reactive ‘one off’ approach to every incident | an incident management and response capability integrated within the business

Communications: communicate using…

• the potential impact of security incidents | tangible business benefits (eg ROI / value) offered by information security

• generic messages regardless of the audience | targeted responses to specific groups of stakeholders (eg dashboards)

• technical language | business language

• generic awareness messages regardless of the audience | an awareness programme, supported by a behaviour change process

Measurements: assessed by…

• overhead costs | a balanced scorecard of key performance indicators

• technical parameters (eg port scans, incidents, spam blocked) | trends, business impact and cost

• process outcomes generally (eg number of systems patched) | process outcomes in the context of business risk (eg percentage of business critical systems patched)

Diagnostic part two: Leader

Part two addresses six areas associated with the leader: personal; purpose; people; activities; communications; and measurements. Each of the areas has four questions associated with it, except the measurements area which has three. The questions examine the degree of technical and business alignment for that area. Part two is shown below.

To what extent is the leader… Place a C in the most suitable cell for each row. The five cells, from left to right, are: Like this | Mostly like this | Elements of both | Mostly like this | Like this. In each row the left-hand statement describes an IT / technology orientation and the right-hand statement a business / risk orientation.

Personal: building…

• a tactical / operational view, focused on problem solving | a strategic view of information security in the business, focused on possibilities

• knowledge in technical fields; may hold technical qualifications (eg BSc, CISSP) | learning and development in both technical and business fields; may hold business (eg MBA) and advanced technical (eg MSc, CISM, CISA) qualifications

• networks within technical communities; credibility as a technical expert | rapport and relationships within technical and business communities; credibility as a trusted advisor

• an understanding of the organisational culture | knowledge to influence organisational culture to promote security across the organisation

Purpose: focusing on…

• understanding the risks facing technology | understanding the risks facing the business

• securing the individual elements of the infrastructure and related software | securing the business through a security architecture

• delivering 100% secure operations (ie without assessing risks) | helping the business balance risk and reward

• helping the business meet compliance requirements for each law and regulation individually | helping the business meet all its compliance obligations through an integrated approach

People: selecting people who…

• are technical experts (eg have primarily technical qualifications: MCSE, CNA) | are business advisors (eg have a mix of technical and business qualifications, eg MBA)

• primarily have deep and narrow technical expertise and experience | primarily have broad expertise and experience in a business context

• fulfil an internal, security-focused role | are sought out by business people

• develop deeper technical expertise | actively look to develop their skills in new business and technical areas

Activities: organising delivery of…

• technology-based security solutions | security solutions which address people, process and technology holistically

• ‘tick box’ implementation of standards and compliance controls | ‘tailored’ activities driven by business risk and assurance requirements

• security operations and management | an advisory service which provides security solutions for the business to implement and own

• a reactive ‘one off’ approach to every incident | an incident management and response capability integrated within the business

Communications: communicating with…

• the potential impact of security incidents | tangible business benefits (eg ROI / value) offered by information security

• generic messages regardless of the audience | targeted responses to specific groups of stakeholders (eg dashboards)

• technical language | business language

• generic awareness messages regardless of the audience | an awareness programme, supported by a behaviour change process

Measurements: assessing performance by…

• overhead costs | a balanced scorecard of key performance indicators

• technical parameters (eg port scans, incidents, spam blocked) | trends, business impact and cost

• process outcomes generally (eg number of systems patched) | process outcomes in the context of business risk (eg percentage of business critical systems patched)

Completing the diagnostic

Each part of the diagnostic is designed to be completed in a reasonably short time-frame, either electronically or on paper. The person completing the diagnostic should select the option which best describes the function or the leader; if two options seem appropriate, select the one closest and make a note of the reasoning behind that selection.

There is no ‘right answer’ as the diagnostic does not assign a score to any of the options presented. The best answer is one that is most appropriate to the organisation. Selecting the best answer will result in a scatter of responses across the five response frames, rather than a ‘straight line’ response. Completing the diagnostic in a rigorous, objective, manner will maximise benefit from the exercise.

The diagnostic can be completed by various respondents, as shown by the table below.

Example respondents and what their completed diagnostic determines:

• Information security leader; third party (eg senior executive); information security team:

1. Current profile of function

2. Current profile of leader

3. Desired profile of function

4. Desired profile of leader

• Outsourcers:

1. The division of activities carried out by the function and the outsourcer

2. The manner in which the relationship between the function and the outsourcer will be conducted

Completing each part of the diagnostic on a regular basis allows a picture of the function and the leader to be built over time, enhancements and changes to be reviewed and tracked, and an on-going view to be kept of how the function and the leader are developing to meet agreed targets.


Interpreting the results

The diagnostic is designed to stimulate thought and debate and provide a broad picture of the function and leader. Each part of the diagnostic produces a profile, which indicates the business / technical orientation of the function or the leader, as shown in the figure below.

[Figure: an example of part one (function) completed by an information security leader, with an F placed in one of the five cells of each row across the purpose, people, activities, communications and measurements areas.]

Completed in this manner, the diagnostic provides a snapshot, useful for setting a baseline, reviewing progress or outlining the desired or future profile of the function or the leader.

The diagnostic as a comparison tool

To gain further insight, the diagnostic should be completed by another person (eg a senior executive) or members of a team (eg the systems administration team). In this way, the third party’s view on the function or the leader can be captured and then compared to the leader’s view, highlighting the degree of organisational alignment.

The two completed diagnostics can be compared by ‘joining the dots’ and comparing the two profiles. An example ‘joining the dots’ comparison is shown below, highlighting where the differences lie and providing a basis for discussion. At the detailed level, each party can question how the differences show themselves and how they can be reconciled.

Example comparison for part one (function). F = leader’s view, X = non-leader’s view. For each row the two marks are listed in the order in which they fall across the five cells, from the technology end (left) to the business end (right).

Purpose: focused on…

• understanding the risks facing technology | understanding the risks facing the business: X F

• securing the individual elements of the infrastructure and related software | securing the business through a security architecture: FX

• delivering 100% secure operations (ie without assessing risks) | helping the business balance risk and reward: X F

• helping the business meet compliance requirements for each law and regulation individually | helping the business meet all its compliance obligations through an integrated approach: FX

People: staffed by people who…

• are technical experts (eg have primarily technical qualifications: MCSE, CNA) | are business advisors (eg have a mix of technical and business qualifications, eg MBA): FX

• primarily have deep and narrow technical expertise and experience | primarily have broad expertise and experience in a business context: FX

• fulfil an internal, security-focused role | are sought out by business people: X F

• develop deeper technical expertise | actively look to develop their skills in new business and technical areas: F X

Activities: organised to deliver…

• technology-based security solutions | security solutions which address people, process and technology holistically: F X

• ‘tick box’ implementation of standards and compliance controls | ‘tailored’ activities driven by business risk and assurance requirements: X F

• security operations and management | an advisory service which provides security solutions for the business to implement and own: F X

• a reactive ‘one off’ approach to every incident | an incident management and response capability integrated within the business: X F

Communications: communicate using…

• the potential impact of security incidents | tangible business benefits (eg ROI / value) offered by information security: X F

• generic messages regardless of the audience | targeted responses to specific groups of stakeholders (eg dashboards): F X

• technical language | business language: FX

• generic awareness messages regardless of the audience | an awareness programme, supported by a behaviour change process: X F

Measurements: assessed by…

• overhead costs | a balanced scorecard of key performance indicators: X F

• technical parameters (eg port scans, incidents, spam blocked) | trends, business impact and cost: F X

• process outcomes generally (eg number of systems patched) | process outcomes in the context of business risk (eg percentage of business critical systems patched): FX

Alternatively, a radar diagram can be used, which allows the simultaneous examination, at a high level, of differences or similarities in perception across each of the five or six areas. An example radar diagram, shown below, can be constructed by assigning weights to the responses for each row and then combining them into the five (or six) areas.

In this example, which looks at the function, a smaller shape on the radar plot indicates that the function has a more technical orientation; a larger shape indicates a more business focused function.

[Radar chart: comparison of leader and non-leader views of the function. Axes: Purpose, People, Activities, Communications, Measurements. Two series are plotted: non-leader perception and leader perception. Distance from the centre indicates increasing business orientation.]

The differences between the completed diagnostics can be used to generate an action plan, agreed by the senior executive and the information security leader, with timescales and clear objectives, as shown in the example below.

Example action plan for part one (function), purpose and people areas only. F = leader’s view, X = non-leader’s view; the marks are listed in the order in which they fall across the five cells, from the technology end (left) to the business end (right). Columns: actions; responsibility; timescale; completed?

Purpose: focused on…

• understanding the risks facing technology | understanding the risks facing the business. Marks: X F. Actions: introduce risk management in the function: 1. Deploy IRAM; 2. Collate IRAM results into risk register; 3. Initiate regular risk review meetings. Responsibility: IS Manager; CIO; CRO. Timescale: 1. Deploy IRAM, end Q2; 2. Collate IRAM results into risk register, end Q3; 3. Initiate regular risk review meetings, end Q1. Completed?: 1. 2. 3. (left blank in the example).

• securing the individual elements of the infrastructure and related software | securing the business through a security architecture. Marks: FX. Actions: no action.

• delivering 100% secure operations (ie without assessing risks) | helping the business balance risk and reward. Marks: X F. Actions: review with CRO. Responsibility: IS Manager; CRO. Timescale: Q1.

• helping the business meet compliance requirements for each law and regulation individually | helping the business meet all its compliance obligations through an integrated approach. Marks: FX. Actions: no action.

People: staffed by people who…

• are technical experts (eg have primarily technical qualifications: MCSE, CNA) | are business advisors (eg have a mix of technical and business qualifications, eg MBA). Marks: FX. Actions: no action.

• primarily have deep and narrow technical expertise and experience | primarily have broad expertise and experience in a business context. Marks: FX. Actions: no action.

• fulfil an internal, security-focused role | are sought out by business people. Marks: X F. Actions: (no entry in the example).

• develop deeper technical expertise | actively look to develop their skills in new business and technical areas. Marks: F X. Actions: (no entry in the example).

Differences in the profiles are used to drive objectives and actions for the information security function and other components of the business, along with agreed timescales and responsibilities.
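The weighting and combining of row responses into area scores described above for the radar diagram, and the row-level comparison of two completed diagnostics that feeds the action plan, as an added worked example in Python. This is not ISF code. The 1 to 5 weights per cell, the mean as the area score, the two-cell gap threshold, the abbreviated row labels and the two sample response sets are all assumptions made for the example; the document itself only says that weights are assigned and combined.

```python
"""Score two completed copies of the ISF function diagnostic (part one) and
compare them: an area-level profile for a radar chart and a row-level gap
list for action planning.

Added example, not code from the ISF document. Assumed here (the document
only says "assign weights" and "combine"): the five cells of a row score
1..5 from the technical end to the business end, an area scores the mean of
its rows, and a row whose two marks are two or more cells apart is listed
for discussion.
"""
from statistics import mean

# The five response cells, left (technical) to right (business).
CELLS = ("like this (technical)", "mostly like this (technical)",
         "elements of both", "mostly like this (business)", "like this (business)")

# Part one rows by area, abbreviated from the diagnostic; order is kept for the chart.
AREAS = {
    "Purpose": ("risks to technology / risks to business",
                "individual elements / security architecture",
                "100% secure / balance risk and reward",
                "compliance per regulation / integrated compliance"),
    "People": ("technical experts / business advisors",
               "deep narrow expertise / broad business expertise",
               "internal role / sought out by the business",
               "deeper technical skills / new business and technical skills"),
    "Activities": ("technology solutions / people-process-technology solutions",
                   "tick-box compliance / tailored risk-driven activities",
                   "operations and management / advisory service",
                   "reactive one-off incidents / integrated incident capability"),
    "Communications": ("incident impact / business benefits",
                       "generic messages / targeted stakeholder responses",
                       "technical language / business language",
                       "generic awareness / behaviour change programme"),
    "Measurements": ("overhead costs / balanced scorecard",
                     "technical parameters / trends, impact and cost",
                     "process outcomes / outcomes in business-risk context"),
}


def _check(responses):
    """Every row must be answered with a cell index 0..4 (left to right)."""
    for rows in AREAS.values():
        for row in rows:
            cell = responses.get(row)
            if not isinstance(cell, int) or not 0 <= cell < len(CELLS):
                raise ValueError(f"row {row!r}: expected a cell index 0-4, got {cell!r}")


def area_scores(responses):
    """Mean weight (1..5) per area; this is one series of the radar chart."""
    _check(responses)
    return {area: mean(responses[row] + 1 for row in rows) for area, rows in AREAS.items()}


def gap_report(leader, other, threshold=2):
    """Rows where the two respondents' marks differ by at least `threshold` cells.

    Positive `diff` means the leader placed the function further towards the
    business end than the other respondent did. Sorted largest gap first.
    """
    _check(leader)
    _check(other)
    gaps = []
    for area, rows in AREAS.items():
        for row in rows:
            diff = leader[row] - other[row]
            if abs(diff) >= threshold:
                gaps.append({"area": area, "row": row, "leader": CELLS[leader[row]],
                             "other": CELLS[other[row]], "diff": diff})
    return sorted(gaps, key=lambda g: -abs(g["diff"]))


def _sample(cells):
    """Build a response dict from one cell index per row, in AREAS order."""
    rows = [row for area_rows in AREAS.values() for row in area_rows]
    return dict(zip(rows, cells))


# Constructed sample responses (not from the document): a leader's own view (F)
# and a senior executive's view (X) of the same function, one index per row.
LEADER = _sample([4, 2, 3, 3,  1, 1, 3, 1,  1, 3, 1, 3,  3, 1, 2, 3,  3, 1, 2])
EXECUTIVE = _sample([1, 2, 1, 3,  1, 1, 1, 3,  3, 1, 3, 1,  1, 3, 2, 1,  1, 3, 2])

if __name__ == "__main__":
    for name, resp in (("leader", LEADER), ("executive", EXECUTIVE)):
        print(name, {a: round(s, 2) for a, s in area_scores(resp).items()})
    for gap in gap_report(LEADER, EXECUTIVE):
        print(f"{gap['area']:<14} {gap['row']:<60} diff {gap['diff']:+d}")
```

Running the script prints the two area profiles (the two series of the radar chart, one value per axis) and the rows whose marks are two or more cells apart, largest gap first; the gap list is the starting point for the actions column of the action plan, and the area scores can be plotted directly on the five axes.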


ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

FOR FURTHER INFORMATION CONTACT: Information Security Forum Tel: +44 (0)20 7213 1745 Fax: +44 (0)20 7213 4813 Email: [email protected] Web: www.securityforum.org

REFERENCE: ISF 07 10 03 Copyright © 2015 Information Security Forum Limited. All rights reserved.