Expectation is the Mother of all Frustration
Reading this article (Cyber security: Your boss doesn't care and that's not OK anymore) reminded me of frustrations that have grown faster than the rate at which businesses suffer data breaches. Despite the damage to a company's reputation and share price following a data breach, many businesses still fail to realise the business benefits of an effective Cyber/Information Security strategy that is aligned with the heart of the business focus. Instead, it becomes an adjunct of the Information Technology (IT) department and is regarded by the Chief Information Officer (CIO)/Head of IT as something forced upon them and a drain on their budget.
Why does this happen?
There are many potential causes for this:
An external regulator (e.g. PCI DSS, AEO, FCA, etc.) insists that the business needs such a function.
The senior management see their peers have this function.
To reassure their customers.
To meet a 'tick a box' for compliance.
As a result, any InfoSec specialist who understands and fully appreciates the ultimate function of their role (to protect the business's reputation whilst supporting the safe pursuit of the business objectives) may have higher expectations than the business itself. Contrary to popular belief, this may not be caused by a lack of board support (Top-Down approach) but by the CIO/Head of IT acting as a choke point, filtering out anything that may be detrimental to their career.
Proactive Board Members may reach out to their appointed InfoSec specialist to get their assurances straight from the source. However, this makes things extremely awkward for the specialist who is there trying to do their best to help safeguard the business.
What would you decide to do?
Go with what is right for the business and tell them areas needing improvement/investment (potentially bad for a career).
Go with what is right for the CIO/Head of IT and pretend that everything is just perfect (fine until the business gets breached; see More Questions Raised After Equifax CIO, CSO 'Retire').
Frequently this becomes a case of 'Damned if you do, damned if you don't': the role becomes untenable, and either the specialist looks elsewhere or the business seeks a less proactive specialist (for an easier life).
Could you imagine designing, developing and building a family home with all the architectural advice being filtered through the building contractor? Much like the InfoSec specialist, the Architect has an objective to ensure that the building is not only well-designed and functional, but is safe and meets the owner's goals.
Very few people would ever dream of allowing their dream family home to be built without any input directly from the Architect. The same should apply to InfoSec operations in business. Much like the building scenario, the Building Contractor's goals and viewpoints are likely to differ from those of the Architect, and there is a higher chance of a conflict of interest.
If you are an organisation that recognises the importance of having an effective Information Assurance (IA) model, those within the business need to understand that the InfoSec specialist is not there to prohibit or undermine IT operations. Instead, they provide an independent and objective viewpoint to protect against, and respond to, emerging or ever-present threats that could expose the business to considerable reputational damage.
To appreciate the growing cyber threat landscape, you only need to skim the daily news feeds. Add to this the increasing costs associated with such breaches, and the fact that the targets are not limited to the 'Big Players', and placing sufficient importance on 'ring fencing' your most sensitive assets should now be regarded as being as integral as ensuring that your business remains profitable.
Most businesses recognise the importance of the CIO/Head of IT role in keeping the supporting IT systems functioning. However, while they may have had some exposure to InfoSec principles, they are not trained and experienced specialists.
Who would you prefer to be drawing up your architectural plans?
The Building Contractor or;
If you have an Architect role within your business, ensure that you take heed of their advice and recognise the importance of their contributions to the success of your business. If you happen to be one of the unlucky few who don't have the luxury of a dedicated Architect (35% of Organisations Lack Cybersecurity Expert), consider the benefits of engaging the services of an external specialist to provide timely advice on new or changing environments or business plans, working to support your future plans.
Anyone can attempt to build a family home, given the required ingredients and tools (e.g. sand, cement, bricks, etc.). However, making sure that the building will not collapse in the future (especially with more complex structures) becomes far more difficult without the support of a trained and knowledgeable architect.