Security Pie

The ramblings of three security curmudgeons

Who should own information security requirements?

Lack of clear communication between departments never ceases to amaze me. I have spent considerable time translating security requirements between different groups of the same organization. Security requirements have a propensity for corruption: I have countless examples where what the CEO wants is rarely aligned with what the Security team delivers.

Of the different security disciplines, information security, and specifically classification, is the requirement that tends to get corrupted the most and might seem almost out of reach to many.

My early career centered around the military. In those days, security was part of the fabric of day-to-day operations. Documents had to be labelled according to their classification, and if you left a classified document on a desk, you risked being fined or thrown in jail for a few days. Security was a well-communicated requirement and considered a necessary cost of doing business. Security operations would throw you in jail. However, it was the ‘business’ that set the goals.

Classification was owned by the business owners (operations), who had an acute awareness of just how valuable the information was to the tasks at hand, and to competitors or enemies. Classification was based on the level of damage that releasing the information would cause (be it financial, operational, information gathering or other).

(Note: For more information about national security classification practices, visit the Information Security Oversight Office or download their interesting Marking Classified National Security Information booklet.)

Organizations, who now see their competitive edges blunt ever more rapidly, are taking notice. CIOs, CISOs and others are being tasked with producing information security practices with similar results within commercial industry. A CISO colleague remarked that the CEO wanted their company to be “more like Apple”, alluding to the iPod manufacturer’s well-known secretive culture. But, he also confided, no one seemed to agree upon which of the terabytes of information was confidential.

In the best of cases, I work with CISOs who are tasked with figuring out how to effectively carry out a classification exercise. In many cases, however, the work is relegated to a security practitioner who might have the technical understanding but has yet to understand how exactly the business earns a living. Having little buy-in from the business owners, the latter effort is doomed to fail.

Achieving alignment requires communication and some level of determination

Classification efforts must be owned and led by the business owners and should take into consideration the risk to the business. Security departments can and should assist by creating the nomenclature, infrastructure, processes and systems required. Systems can and probably should be used to assist, but cannot replace the business owner in assigning risk to data or data types. I will discuss how systems can be used to facilitate faster classification in a separate post.

Many CISOs also find that business owners are reluctant to assist. Business owners have a justification: in many cases, communication breaks down between the business owner and the security team. Language differences and top-down vs. bottom-up viewpoints all contribute to this, and some CISOs utilize business-savvy personnel or consultants to conduct discussions with the business owners. Over time, and with delivery of relevant solutions, business owners will have a reason to participate more freely with security teams.

Some security organizations have come to terms with the importance of maintaining business ownership of security requirements and have implemented a vertical organization that spans senior management (head in the clouds) to security analyst (feet on the ground), allowing full top-level access to the business owners as well as direct influence on the technology and operations side of the house. This organizational structure allows the security organization to get the real requirements from management and deliver effective solutions that answer corporate needs. For these organizations, the road to classification is much clearer.

-al

Written by assafl

August 28th, 2008 at 8:00 am