I don’t have to tell you about the latest data breach; it’s like the evening news, and we have become numb to all the carnage. Target, Home Depot, Sony, the IRS, OPM, Anthem, Experian, Scottrade: the breach list is endless.
But what is the root cause of these data breaches? Is it people, processes, technology, or all of the above?
As we in audit look at people, processes and technology, we must at some point be able to tell organizations that the IT director can’t also be the chief security officer, and that the IT manager can’t be the systems admin, the security engineer and the security analyst all at once. IT also should not be procuring all of the audits; the board and the CEO must lead that effort. Otherwise the result is not likely to be balanced or meaningful.
I have worked in IT departments where this was the case, and it is always a poor-performing organization when it comes to security and compliance. I also see it every day as an auditor; it is the root cause of so many poor audits and eventual data breaches. The question is how to delicately tell a corporation, without any strict regulation forcing the issue (it is not required for SOX compliance), that fixing this is in its best interest. How do we start a real dialog with boards and CEOs to make this point clear?
Let’s face it: many of the companies that we as auditors visit daily are world-class organizations; they are very good at what they do. Some have over time adopted the Internet and now suddenly find themselves in shark-infested waters. They are bombarded with everything from endless data breach news to magic-bullet technology solutions, and then with compliance audits on top of that. We need to put ourselves in their place and try to understand where they are.
The biggest challenge in audit is to align with the company, its culture and the specific people I’m visiting. I easily get caught up in asking why this organization is performing so poorly on basic compliance. After all, it’s just the minimum; it’s the foundation for proactive and intelligent security.
We as security and compliance professionals must seek to speak the language of the business.
What is Information Security Governance?
“Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework.”
For starters, we know that we need to manage assets, threats and vulnerabilities, yet many times we start an audit and can’t get a complete, up-to-date list of the assets we are trying to protect. Then we find that patches are not being applied and vulnerabilities are not managed. Finally, threats are not even considered; many organizations think that if they have antivirus and a firewall they are fine.
They understand technology, yet simply don’t understand the attack life cycle or kill chain, or the need for threat intelligence. We always tell clients: if you’re not doing vulnerability scans and pen tests (penetration testing), then just know that someone else is, and they don’t work for you.
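The first three audit findings above (no current asset list, patches not applied, vulnerabilities unmanaged) can be checked with a single reconciliation of three data sources. The script below is an added example, not code from the article or its author: it cross-checks a CMDB-style inventory against the hosts a network scan actually found and against patch records, and flags assets nobody knew about, assets that have gone missing, and hosts whose last patch is overdue. The inventory, scan results, patch dates, 30-day patch window and the 2015 audit date are all constructed sample values; a real run would load them from the CMDB, the scanner’s host export and the patch-management system.

```python
"""Reconcile an asset inventory against scan discoveries and patch records.

Added example (not from the article). All inputs below are constructed
sample data standing in for a CMDB export, a scanner host list and a
patch-management report.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: hosts the CMDB says the organization owns.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "owner": "ops"},
    "10.0.1.11": {"name": "web-02", "owner": "ops"},
    "10.0.2.20": {"name": "db-01", "owner": "dba"},
    "10.0.2.21": {"name": "db-02", "owner": "dba"},
}

# Constructed sample data: hosts that answered the last network scan.
SCAN_HOSTS = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20", "10.0.3.7"]

# Constructed sample data: last successful patch run per inventoried host.
LAST_PATCHED = {
    "10.0.1.10": date(2015, 9, 1),
    "10.0.1.11": date(2015, 7, 15),
    "10.0.2.20": date(2015, 5, 2),
}

# Constructed audit date; a real run would use date.today().
AS_OF = date(2015, 10, 1)


@dataclass
class Findings:
    unknown_hosts: list = field(default_factory=list)    # scanned, not in CMDB
    missing_hosts: list = field(default_factory=list)    # in CMDB, not scanned
    overdue_patches: dict = field(default_factory=dict)  # ip -> days since patch, None if no record


def reconcile(inventory, scan_hosts, last_patched, as_of, max_patch_age_days=30):
    """Cross-check the inventory against scan and patch records.

    A host is overdue when its last patch is strictly older than
    max_patch_age_days, so a host patched exactly 30 days ago still passes.
    Inventoried hosts with no patch record at all are reported with age None,
    since "we don't know" is itself a finding.
    """
    known = set(inventory)
    seen = set(scan_hosts)
    findings = Findings()
    findings.unknown_hosts = sorted(seen - known)
    findings.missing_hosts = sorted(known - seen)
    for ip in sorted(known):
        patched = last_patched.get(ip)
        if patched is None:
            findings.overdue_patches[ip] = None
            continue
        age = (as_of - patched).days
        if age > max_patch_age_days:
            findings.overdue_patches[ip] = age
    return findings


def inventory_coverage(findings, scan_hosts):
    """Percentage of scanned hosts the CMDB already knew about."""
    if not scan_hosts:
        return 100.0
    accounted = len(scan_hosts) - len(findings.unknown_hosts)
    return round(100.0 * accounted / len(scan_hosts), 1)


def report_lines(findings, scan_hosts):
    """Render the findings as the short list an auditor would present."""
    lines = [f"Inventory coverage: {inventory_coverage(findings, scan_hosts)}% of scanned hosts"]
    for ip in findings.unknown_hosts:
        lines.append(f"UNKNOWN ASSET  {ip}: answered the scan but is not in the inventory")
    for ip in findings.missing_hosts:
        lines.append(f"MISSING ASSET  {ip}: in the inventory but not reachable by the scan")
    for ip, age in findings.overdue_patches.items():
        status = "no patch record" if age is None else f"last patched {age} days ago"
        lines.append(f"PATCH OVERDUE  {ip}: {status}")
    return lines


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, SCAN_HOSTS, LAST_PATCHED, as_of=AS_OF)


if __name__ == "__main__":
    print("\n".join(report_lines(run_audit(), SCAN_HOSTS)))
```

On the sample data the script reports 60% inventory coverage: two hosts answered the scan that the inventory has never heard of, one inventoried database server did not answer at all, two hosts are months behind on patching and one has no patch record whatsoever. Each of those lines is a concrete question for the asset owner, which is far more useful in a board conversation than "patching is inconsistent".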
Too many clients don’t know that “Information Security Governance is a fundamental responsibility of senior management to protect the interests of the organization’s stakeholders. This includes understanding risks to the business to ensure that they are adequately addressed from a governance perspective. The tone at the top must be conducive to effective security governance. It is unreasonable to expect lower-level personnel to abide by security policies if senior management does not.” (IT Governance Institute, 2003)
5 questions CEOs should ask about cyber risks
If an organization has data governance and is applying true top-down information security governance, then the CEO will likely already have asked the following questions.
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- What is the current level and business impact of cyber risks to our company?
- How does our cyber security program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber incident response plan? How often is it tested?
So if I’m auditing a mildly regulated entity, I normally see some good organizational structure, not perfect but good. I then see some separation of duties within IT; even if the security staff sits inside IT, they try to keep it separate. If there is not adequate separation between IT and the security staff, you will have the fox guarding the henhouse. This was pointed out in a KPMG global survey of general counsel when they were asked about cyber security. I truly believe this is the biggest contributor to poor audit performance and the resulting data breaches. Just look at the latest Verizon Data Breach Investigations Report for more evidence.
To reiterate the importance of IT not owning security, the IT Governance Institute says this well: “To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. The security of information, as with other critical organizational resources, must be addressed at the total enterprise level. Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization’s response to them.” (IT Governance Institute, 2003)
Yet we keep going on audits and still, to this day, see IT departments in charge of security and compliance; to make matters worse, sometimes the IT director is the person solely responsible for security. This does not work, as IT and security are incompatible in function. IT delivers technology solutions and fixes problems with them. The very nature of security is proactive and risk-based; IT is anything but that!
I came from an IT background, so I always start off by saying that I understand their challenges, especially as they relate to our current threat landscape. I really respect all of our clients’ IT departments; they are all too often put in the position of owning security and compliance, when this is a business problem, not an IT issue. IT needs to be recognized for all it does and for how much it can contribute to securing the enterprise. But let’s remember that data governance is both the CEO’s and the board’s responsibility.
“71% of organizations were compromised by a successful cyber attack in 2014.” (2015 Cyberthreat Defense Report, CyberEdge Group)
In the end, we can spend all our time on processes and technology, but as long as the organizational structure is flawed, clients will never achieve real data governance or risk management. Preventing data breaches and achieving 100 percent compliance has to start with the board and the CEO. After all, it’s a business problem, not an issue to be relegated to the IT department.
George Grachis is a Senior Consultant with Maxis360, and MSL Technologies in Orlando Florida. He can be reached at Ggrachis@maxis360.net