For as long as we’ve had a distinct information security profession, people have said security needs to be a “business enabler”. But what exactly does that mean?
How can security professionals advance from their inherently defensive postures, into more strategic positions, and contribute actively to the growth of the business?
Many don’t appreciate that security professionals have been trained up over the years with tools and skills ideally suited to a broader role in information management.
The role of CISO is a difficult one. Security is red hot. Not a week goes by without news of another security breach.
Information now is the lifeblood of most organisations; CISOs and their teams are obviously crucial in safeguarding that. But a purely defensive mission seldom allows for much creativity, or a positive reputation amongst one’s peers.
The good news for CISOs’ job security and satisfaction is they happen to have the right skills and mindset to innovate and build out an enterprise’s most important assets.
Information assets are almost endless: accounts, ledgers and other legal records, sales performance, stock lists, business plans, R&D plans, product designs, market analyses and forecasts, customer data, employee files, audit reports, patent specifications and trade secrets. But what is it about all this information that actually needs protecting? What exactly makes any data valuable? These questions take us into the mind of the CISO.
Security management is formally all about the right balance of confidentiality, integrity and availability in the context of the business. Different businesses have different needs in these three dimensions.
Think of the famous secret recipe for KFC. It demands the utmost confidentiality and integrity but the availability of the information can be low (nay, must be low) because it is accessed as a whole so seldom.
Medical records too have traditionally needed confidentiality more than availability, but that’s changing. Complex modern healthcare creates demand for electronic records. Especially in emergency settings, medical record availability must be high, but at the same time must be qualified by location and personnel type.
For public information like stock prices there is no value in confidentiality at all instead availability and integrity are paramount. On the other hand, market-sensitive information that listed companies periodically report to their stock exchange must have very strict confidentiality for a relatively brief period.
Security professionals routinely compile information asset inventories and plan for the appropriate C, I and A for each type of data held. From there, a threat and risk assessment (TRA) examines the adverse events that might compromise the confidentiality, integrity and/or availability.
The probability and the impact of each adverse event is estimated and multiplied together to gauge the practical risk posed by each known threat. By prioritising counter measures for the identified threats, in line with the organisation’s risk appetite, the TRA helps guide a rational investment in security.
Now this practical framework puts the CISO in a special position to enhance and harden their organisation’s information assets beyond merely negative impacts.
The value of information lies not so much in the data itself as in its qualities. Remember the cynical old saying “it’s not what you know, it’s who you know”. In all seriousness, there is more to success than facts and figures — information has pedigree too.
So the real action is in the metadata; that is, data about data. It’s got a bad rap thanks to surveillance and privacy, but various thinkers have long promoted the importance of metadata. Back in the 1980s, Citibank CEO Walter Wriston famously said “information about money will become almost as important as money itself”.
To bring greater value to the business, CISOs need to start thinking about the pedigree of data and not merely its security qualities. They should spread their wings beyond CIA, to evaluate all sorts of extra dimensions, like completeness, reliability, originality, currency, privacy and regulatory compliance.
The core strategic questions for the modern CISO are these: What is it about your corporate information that gives you competitive advantage? What exactly makes information valuable?
The CISO has the mindset and the analytical tools to surface these questions and positively engage their executive peers in finding the answers.
