
Commentary: The incredibly expanding security job

The chief information security officer, or CISO, faces a seemingly impossible task--securing the enterprise and keeping it secure.

    By Forrester Research
    Special to CNET News.com
    January 27, 2004, 1:30PM PT

    By Michael Rasmussen, principal analyst

    The past three years have changed top managers' perspective on information security:

    • While they thought that security was merely a technical problem that could be solved with the purchase of a firewall, Code Red, Nimda, Slammer, MSBlast and others have shown that this is not enough.

    • While they thought that the biggest threat to their enterprise was a 15-year-old hacker, Sept. 11, cybercrime, identity theft, intellectual property rights and privacy have shown the threat to be much broader.

    • While they thought that security was merely an information technology issue, the Health Insurance Portability and Accountability Act, Sarbanes-Oxley, the , and the continuing rise of regulatory and legal exposure have shown that governance is key to information security.

    Building from the top
    Today, the CISO is challenged to develop an information security architecture that starts from the top.


    Beginning with governance, the CISO has to establish the principles aimed at aligning information security to the business by defining a common language that executives, the board and business unit managers can all agree on as being the foundational values and goals of information security in the business.

    This then builds out into an information security architecture and a vision aligned with these established principles. Next, to properly align and measure information security against this framework, the specific controls have to be established so that the CISO can manage the gaps, effectiveness, compliance and risk to the organization.

    The CISO is thus challenged with taking information from the depths of the technical weeds, aligning this information with business objectives, policies and compliance requirements, and then reporting to executives on the risk the organization faces. He or she must manage many islands of information, not only within the security department but also from many other areas outside his or her sphere of direct control. In managing the complexity, interrelationship and differentiation of all of these demands, the CISO needs a knowledge management dashboard that supports the synthesis, analysis and reporting of the state of information security in the enterprise.

    The CISO dashboard provides a portal view into the state of information security in its various domains--policy, risk, compliance, asset, incident, threat/vulnerability and configuration management. Building on the technologies already deployed, information is fed into the dashboard to provide the high-level objective analysis and control needed to manage the information security program.

    The view from the top
    Core components for a successful CISO dashboard include these areas:

    • Work flow represents the core component for compliance tracking, incident management, vulnerability remediation and many more security domains. The system needs the ability to track the awareness and acceptance of policies, as they are developed--from writing to legal review to business manager review to final acceptance and publication. Compliance involves a strong work flow that hands off the documentation and adherence to security controls to individual action takers and auditors.

    • Reporting relies on metrics established in the information security architecture and policies. This is to address management questions such as: How many systems are out of compliance with my patch management policies? What percentage of users have not read and accepted the organization's privacy policy? How many security incidents have we had in the past 30 days, and which ones have not been responded to, due to lack of resources? Where is the organization in meeting its compliance requirements?

    • Business process and geographic views must be added. Security in the past was managed purely in the realm of technology, but today's demands force security to be aligned with the business. As a result of Sarbanes-Oxley, executives need to know the status of internal controls of the financial systems. As a result of privacy legislation such as the EU Data Protection Directive and HIPAA, organizations must identify which systems and business processes involve personal information and identify the status of compliance controls on those systems and those with which they interact.

    • Task management looks at remediation and response. The CISO and supporting managers need to be able to assign to-do items to specific individuals. These tasks must be trackable and integrated into the larger work flow framework.

    • Document/knowledge repository averts the need to create everything from scratch. Organizations are looking for the knowledge the system provides. The dashboard system should organize and define security controls, policies and compliance requirements--giving the organization a foundation to adapt and build upon.

    • Notification is the ability to alert individuals when thresholds are crossed. When a critical vulnerability has just been announced that exposes the financial systems or personal information, the organization needs the action takers to be alerted immediately. For example, a critical security incident that involves California resident information requires under state law that the organization take incident response, containment and disclosure steps right away.

    • Data import and manipulation involves the integration of many sources of data. The ability to take in various document and database formats is critical; a primary focus should be open data standards such as the Extensible Markup Language (XML). The system should also be able to manipulate and normalize the data into a format it can use with other data.
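The reporting questions and the notification threshold above can be answered from a small, normalized inventory. The following Python is an added illustration, not code from the article or from Forrester; the systems, users, incidents and the "today" date are constructed sample data, and the 30-day patch window is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): the dashboard would
# normally fill these from imported asset, HR and incident feeds.
TODAY = date(2004, 1, 27)
PATCH_MAX_AGE_DAYS = 30  # assumed patch-management policy

SYSTEMS = [  # (name, last patched, data classification tags)
    ("erp-db", date(2004, 1, 20), {"financial", "personal_info"}),
    ("web-01", date(2003, 11, 2), {"public"}),
    ("hr-app", date(2003, 12, 30), {"personal_info"}),
    ("fileserver", date(2004, 1, 25), set()),
]
USERS_ACCEPTED_PRIVACY = {"alice": True, "bob": False, "carol": True,
                          "dave": False, "erin": True}
INCIDENTS = [  # (id, opened, responded)
    ("INC-1", date(2004, 1, 5), True),
    ("INC-2", date(2004, 1, 20), False),
    ("INC-3", date(2003, 12, 1), False),  # older than the 30-day window
    ("INC-4", date(2004, 1, 26), False),
]


def systems_out_of_patch_compliance(today=TODAY, max_age=PATCH_MAX_AGE_DAYS):
    """How many systems are out of compliance with the patch policy?"""
    cutoff = today - timedelta(days=max_age)
    return sorted(name for name, patched, _ in SYSTEMS if patched < cutoff)


def pct_users_not_accepted_privacy():
    """What percentage of users have not accepted the privacy policy?"""
    missing = sum(1 for accepted in USERS_ACCEPTED_PRIVACY.values() if not accepted)
    return round(100.0 * missing / len(USERS_ACCEPTED_PRIVACY), 1)


def incidents_last_30_days(today=TODAY):
    """Incident count for the past 30 days plus the ids still unanswered."""
    cutoff = today - timedelta(days=30)
    recent = [inc for inc in INCIDENTS if inc[1] >= cutoff]
    unresponded = sorted(inc[0] for inc in recent if not inc[2])
    return len(recent), unresponded


def alerts_for_vulnerability(affected, sensitive=("financial", "personal_info")):
    """Notification threshold: affected systems holding financial or personal data."""
    return sorted(name for name, _, tags in SYSTEMS
                  if name in affected and tags & set(sensitive))


if __name__ == "__main__":
    print("unpatched:", systems_out_of_patch_compliance())
    print("privacy policy not accepted (%):", pct_users_not_accepted_privacy())
    print("incidents (count, unresponded):", incidents_last_30_days())
    print("alert:", alerts_for_vulnerability({"erp-db", "web-01", "hr-app"}))
```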

    © 2004, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.