Information Security A Practical Guide: Bridging the gap between IT and management

CHAPTER 1: DAY ONE AS A SECURITY PROFESSIONAL

Chapter Overview

This chapter gives you guidance on bedding yourself into your new role in security. It will help you to get your bearings and explains some of the early tasks you need to carry out to understand your role much better.

The chapter first reinforces the confidentiality, integrity and availability (CIA) mantra, explaining its meaning and how to use it in your role. I then describe the people you should look to meet as soon as possible so that you know what is going on within the organisation and who you will need as allies. The chapter then explores how you can begin to understand the organisation’s security culture in order to realise how much influence you have in your role.

Objectives

In this chapter you will learn the following:

• How to build a foundation for communication using CIA

• How to understand the security culture of the organisation

• Building relationships with key personnel

• Identifying the gaps in the organisation’s security set up.

Your First Day

Your first day in an information security role can be extremely daunting, especially if you are new to the profession. Often information security is seen as a dark art performed by some elite person, and your peers will have a higher expectation of you and your knowledge of information systems. During a security incident even senior managers will look to you for advice and guidance, so you should be prepared to take on this responsibility and lead when needed.

It is important that you have an overall understanding of the organisation’s IT strategy and what systems are being changed and deployed. Remember, in security the attackers only have to win once, whereas you have to win every time. This means there only needs to be one mistake or oversight and a vulnerability could be exploited in your organisation that could have a tremendous impact.

From day one you must get to know the organisation as quickly as possible, its people, its strategy and its culture. You will not be effective in your role until you understand those things.

Confidentiality, Integrity and Availability (CIA)

The CIA mantra is the bread and butter for every information security professional. These three key areas form the foundation of information security. Think of CIA as your weapon when discussing security with IT and business staff alike. Set this foundation for anyone you are going to work with regularly, as it will allow you to develop a mutual understanding. In my experience people pick up the CIA mantra extremely easily.

Confidentiality means that only those who should have access to the data do, and those who do not have a need to access the data cannot. Data is protected from unauthorised access, and this is the traditional view of security.

Integrity means that the data is accurate and that we can rely upon it. Data that is incorrect or suspected of being incorrect has no value as we cannot rely upon it. When discussing integrity ask how much of the data’s integrity would need to be compromised before confidence is lost in its entirety, as this will help you gauge how important integrity is.

Availability relates to the information being available to those who are authorised to access it when they need to access it. Information that is not available for use is of no use to us. You may have heard the anecdote of taking the data, putting it in a safe and then dropping that safe to the bottom of the ocean. If that’s what we have to do to protect the data then why keep it at all? We can’t make any use of the data, and it is a liability not an asset. This is the part people have most difficulty in understanding. Sometimes people think of the data as a physical asset, so for example if the data is stolen, they assume we no longer have access to it. In fact, theft could be a mixture of both availability and confidentiality. It is important to be clear that availability is about whether we can or cannot access the data.

Getting to Know the Business

It is often easy to forget that you and the IT department are there to serve the business; you are a tool and resource to be used for the business to achieve its objectives. This is why it is important to understand the business and what it wants to achieve. In this section I will introduce the different roles and explain their importance.

Senior Managers

When I talk about senior managers in this context I am referring to those who are one level under the Board; typically this will be heads of departments or divisions. Senior managers will often have high-level responsibility in ensuring their department is working to fulfil the organisation’s business objectives. The key for you is to ensure information security is on their radar, that when they are overseeing the implementation of their objectives that they consider security. If you don’t have buy-in from the top, you will find it difficult to prioritise security within the various IT teams.

Explain to them the CIA mantra so that they understand what each of the three points mean, and it will help if you apply CIA to a specific area. They will then be able to conceptualise security at a high level.

Senior managers are important when trying to change the culture of the organisation and the way it works. Unfortunately people are often resistant to change, but by ensuring senior management buy-in you will have high-level backing to get things done when you encounter resistance.

Business Analysts

Building strong working relationships with business analysts will provide a great insight into the views of the wider organisation. They spend most of their time understanding the business and its needs and then translating this into requirements for IT systems. By understanding their findings you can implement more effective security controls. For example, you implement a new password policy that means passwords now have to be at least 15 characters long. People in the organisation have trouble remembering their passwords so they begin writing them down and attaching them to a sticky note under their keyboards. This security control would actually increase the risk to the organisation of a security breach rather than reduce it. However, as the person responsible for security, people are unlikely to volunteer that they are willingly breaking this rule, so this is where your relationship with business analysts is important. By understanding their work you can better understand the security culture of the organisation and improve it over time, as well as ensuring they factor in security concerns.

Senior Information Risk Owner

The senior information risk owner (SIRO) is a role that you may have not come across before. It is often found in UK government. The SIRO is typically a Board member who has overall responsibility for ensuring effective information security and that it remains a priority on the organisation’s agenda. If you are fortunate to work in an organisation that values information security then it may be worth suggesting this role to the Board.

Although the SIRO will champion information security at Board and strategic levels, it is unlikely they will have any in-depth knowledge of information security. Ensure the SIRO understands CIA so that you can develop a common understanding. The SIRO will be key in changing the organisation’s security culture as they can raise your concerns at the highest possible level. The SIRO will often come to you with their concerns and rely on you to understand and explain the wider impact on the organisation.

Lawyers

The lawyers or legal team are often forgotten about, but they can be as much of an asset as an enemy. They have great power within an organisation as it is their job