"We ended up having a rather frightening week, mostly spent on the phone with the division vice president trying to figure out how to get this done. Eventually, the fear factor of not meeting the auditors' requirement dissipated. We couldn't find the money anywhere and ended up doing nothing. Now we're just waiting until they come around again and ding us."
In this example, there is no clear consequence to not acting. The foundation of a comprehensive security strategy does not exist, in large part because the security organization is too loosely organized. Additionally, the directive to create policy came from within the organization and, in this case, the internal audit team alone was not seen as enough of a threat to force action. The challenge for Security Manager A is to understand the hidden consequences and communicate them to upper management in order to obtain buy-in for a more formal security program.
- Security Manager B: A major financial exchange is faced with changes in its business operations, including the implementation of various Web-based technologies, causing the exchange to become concerned about its IT security. The exchange is also concerned about threats to its business continuity, whether from terrorism, corporate malfeasance or even natural disasters. As an SEC-regulated entity, if trading is halted for more than 15 minutes, it must be reported to the SEC, and if business does not resume within 30 minutes, the exchange is required to close for the day.
In this case, the consequence of inaction is obvious. If the security program requirements are not addressed, there is a very real threat to corporate finances. Action is now mandatory, and money earmarked for other significant projects will be reallocated.
What are the hidden consequences of inaction in Example A that would move the security agenda forward? What sources can security advocates use to make their cases stronger? The obvious place to investigate is the regulatory environment.
Taming the Beast
The proliferation of legislation around security issues will likely get upper management's attention. If you, as a member of the IT department, do not have a strong understanding of the industry in which your organization operates, learn it. It's also important to learn which regulations apply across industries.
For instance, Sarbanes-Oxley requires attestations from the CEO and CFO in relation to all financial information contained in quarterly and annual reports. This includes attesting to their responsibility for the controls surrounding financial data. Non-compliance can force the CEO and/or CFO to forfeit any bonuses or profits.
In the financial exchange example above, the company looked to an IT firm to conduct an extensive assessment of its infrastructure and security policies in order to create a roadmap for achieving security objectives. In this specific instance, the solution was to implement redundant electricity sources, alternative communications paths and security and logistics contingency plans.
Industry standards are good baselines for the initial alignment of a security program because they represent a set of security best practices. They also provide a good vehicle for proactively addressing security strategy before legislation forces your organization to react on another entity's time frame. You may also want to look at other heavily regulated industries and investigate the many elements their compliance requirements have in common.
About The Author
As principal consultant, security solutions, Evan Tegethoff manages the information security professionals that make up Forsythe's nationwide security practice. He performs project oversight for security engagements and develops security diagnostic assessments and methodologies. Tegethoff joined Forsythe in 2002.