In the last couple of years, the role of the information security function in many organizations has achieved recognition as an important component of the organization’s overall risk management strategy.
Forward-thinking companies have taken this a step further by identifying information security as a key enabler for successful IT-based business transformation. Finally, more regulations around the world have established security as a major challenge for organizations.
As a result, the function is no longer seen as a stand-alone organization, surrounded by mystique, and not accountable to anyone; it is expected to operate in a transparent, service organization-like fashion, supporting the business objectives of the organization.
Thus, it is not a surprise to see spending and resource allocation to security to continuously increase. Companies invest heavily in people, software and hardware to address security and data protection needs.
Yet, at the highest level of organizations, C-level executives are frustrated with the lack of impact and effectiveness of their information security function. Despite all the attention and investments in security, viruses and warms are still rampant and disrupting IT operations, compliance with industry and SEC regulations is a problem and reports by the media on lost or disclosed private or sensitive data are increasing at an alarming rate.
One of the reasons behind the appearance of low performance of many information security organizations is the lack of a formal and measurable framework for providing directions as to how the function should operate and interact with the rest of the organization. Without such a framework, companies tend to focus on specific aspects, often the sole technology, without the supporting processes and defined roles and responsibilities, on-point solutions rather than strategic thinking, and reactive event-based rather than performance and compliance-based reporting.
Although recognized information security and service delivery standards have been widely available for a while, their adoption is still low and inconsistent. Over half of a recent survey's respondents said they had no plans to adopt such a standard. Internal audit was reported as the leading evaluation method by nearly three-quarters of survey respondents, followed by formal external audit at 62 percent. Assessment against a widely recognized industry standard, such as ISO17799:2005, was reported by only a third of survey respondents
The most significant advantage of adopting formal information security standards is striking an effective balance between roles, responsibilities, processes and technology in building a sound control framework. For example, ISO17799 specifies implementation guidelines ranging from defining your policies and procedures to operating your infrastructure and deploying new systems. Following the framework helps organizations keep a long-term view on what has to be done, without getting distracted by new technologies or regulations.
Speaking of regulations, ISO17799 and other similar standards can and should be used for reconciling various industry or SEC regulations. Compliance is not always straightforward as regulatory requirements often lack the specificity organizations need to know how to comply. Companies must decide for themselves which security controls are appropriate for their organizations. The good news is that most controls required by such regulations can easily be mapped to the controls defined by the standard and as a result adherence with ISO17799 facilitates compliance with many regulations from varied sources by providing a rationale for the implemented controls. Dealing with new regulations is as easy as performing the mapping exercise and evaluating if gaps exist. The gains in efficiency, particularly for heavily regulated organizations such as in financial services or pharmaceuticals, can be substantial.
Finally, formal frameworks based on standards allow organizations to consistently track and benchmark their progress towards achieving their information security goals over time, or against peers. Investment and other resource allocation decisions can be made based on the areas of the framework that lag in performance.
It is worth noting that applying standards is not limited to your own organization. Evaluating vendor relationships, particularly in an outsourcing scenario, through the lens of a standard or embedding standards-based content in service level agreements is an effective vendor risk management tool. A recent security survey reports that only a fourth of the respondents say that they know their vendors are aligned with a recognized standard.
One of the frequent questions around standards is "Which standard or framework should my organization use?" The reality is that there isn't a single standard that can address all issues facing high-performance information security organizations. For example, while ISO17799 does a good job defining the operational aspects of security, it does little to offer implementation guidelines on setting strategy and alignment with the organization's business objectives. Similarly, ITIL, an IT service delivery standard, has a limited focus on security, but focuses its scope on building transparency and accountability between IT and the rest of the organization. An effective, world-class information security organization is likely to apply a few complementary standards rather than a single one.
So, the appeal and value proposition of standards is evident, but do we have to endure the claimed pain of certification? For many organizations, the answer is a resounding "yes." Certification is an independent acknowledgement that the organization has implemented effective controls and is, therefore, a trustworthy communication partner. The other significance of obtaining a certification is the recognition of continues improvement processes to sustain the effectiveness of the existing controls. Remember, information security will be effective only at a certain point in time unless we have the sustainability processes. As the business, regulatory and risk environments change, so should an organization's information security function.
Compliance with standards is certainly an effort that requires commitment, discipline, and a long-term view on information security. The benefits of compliance, however, far outweigh the pain of compliance and should be considered by any organization striving to build an effective information security organization.
Rudy Bakalov, a senior manage with Ernst & Young, and Stephane Geyres, a principal with Ernst & Young, collaborated on this article.
Note: The opinions in this article are the opinions of the authors and do not represent the opinions of Ernst & Young, its partners, principals, or affiliates.