
What is effective information security?

by Mark Rowe

What are the key features of an effective Information Security strategy? writes Matt Wheatley.

Companies need to establish strong Information Security systems to protect their respective businesses from the leakage, loss, or corruption of sensitive information. There are barriers, however, in establishing and delivering strong information security such as limited budget resources to maintain such a system.

According to Forrester (2009), the majority of business organisations in the United States (US) and the United Kingdom (UK) spend 11 per cent of their IT budgets on information security. Forrester also pointed out the importance of information security in that more than 40 per cent of companies all over the world pay for the services of at least one Communication and Information Security Officer (CISO). Companies are willing to outlay these funds because information security is a factor in determining return on investment.

It is necessary to first discuss what makes for effective information security. According to Pelaez and Wanner (2010), an effective information security system is one that accomplishes the security goals of a business organisation at minimum cost. There is no “one size fits all” format for setting up an information security system; its effectiveness is therefore relative to the security objectives of the business organisation.

Nevertheless, there are common security issues that concern most modern business organisations. According to the Washington State Department of Information Technology (2001), all modern business organisations want the integrity of their sensitive business information maintained during the transfer and processing of information. This means that no information should be leaked, destroyed, or lost during the conduct of a particular business process. The general requirement for an effective information security system is therefore that it protects company information from leakage, unauthorised destruction, and loss during the conduct of a business process.

Key features

Using that general definition, HP Information Security and Software Checkpoint Technologies Ltd. (2010) conducted a study which aimed to determine the key features for the effective delivery of information security systems, or in other words, the major factors that determine the efficiency of information security. As part of their methodology, they surveyed 101 business establishments across the United Kingdom (UK). The survey made use of the Security Effectiveness Score (SES) survey form, which identifies issues and risks in information security related to the handling and processing of information among the businesses surveyed. Using the results of the survey, they were able to identify the top five key features of effective information security delivery. These features are: the existence of an appointed organisational leader or a Communication and Information Security Officer (CISO) to oversee information security; the existence of staff awareness programmes and training with regard to data security and protection for end-users; the existence of an organisational culture which respects data protection and privacy; the existence of executive level support for security; and strong and reliable endpoint controls.

An appointed organisational leader

An information security system needs to be managed in order for it to deliver the expected results effectively. To do this, a person or people should be appointed for the specific purpose of managing the security system, hence the inclusion of a Communication and Information Security Officer. According to Danchev (2003), there should be at least one person within the business organisation who understands the intricacies of the company’s security system. This person should oversee their own department and staff, such as a security department within the company. The CISO and the members of the security department shall enforce, maintain, and monitor information security. The CISO should have relevant and extensive experience in leading security departments and handling security threats, and be familiar with security monitoring tools, equipment, software and hardware.

Awareness programmes, training

SANS Institute (2013) emphasised that an important factor which should be considered in the effective delivery of information security is the existence of end-users who are trained and aware of at least the basics of data security and protection. Note that companies should be responsible for ensuring that their employees receive proper training and awareness programmes which would provide them with this knowledge.

The Defense and Public Safety Technology Consulting Service (DPSTCS) (2013) explained that companies can make sure that their employees have enough knowledge about data security and protection by creating Information Security Policies. Accordingly, the company shall educate each of its employees in these policies and then check that they understand them by conducting mock audits or by giving exams after every teaching session. RSA Security (2000) explained that a regular knowledge check should be performed by the company to make sure the knowledge about data protection and security remains in the minds of every employee and that company procedures are being followed. Indeed, the vulnerability of the company’s overall business system depends not only on information security, but on the knowledge and actions of its employees as well. Many companies use the internet, for example; the company will therefore be more vulnerable to security threats if some of its employees perform non-work related tasks using internet browsers with low security protection levels on company computers.

Organisational culture

Security of a company’s information depends on the acts and knowledge of employees and, further, the actions of employees are affected by organisational culture. Companies should make efforts to instil in their employees the importance of a culture which respects data protection and privacy. DPSTCS (2013) explained that the information security policy should include an entry stating that log-on information, passwords, and all such security information is to be considered confidential and must not be exchanged among employees. Employees must also respect the privacy of other employees’ passwords and log-on information.

Executive level support

Note that the implementation of information security systems needs to consider two factors: the technology used for business operations; and the security personnel retained. In order to optimise these two factors, the security department must have sufficient funding to establish and maintain the required resources. Clinch (2009) explained that budgetary allocations are usually handled and decided at executive level, hence information security requires executive level support. Moreover, the implementation of information security will need the cooperation of different organisational branches or committees of the company.

As pointed out in previous discussions, information security involves the creation of information security policies. These policies should be implemented by the company’s executive committee, hence, their support is crucial. The executive leadership will need to work with the leadership of the security department, or the CISO, to formulate plans for the execution of information security policies. In other words, continuous collaboration between these two branches of the company is necessary. Permission to collaborate with different company committees can only be obtained from company executives, which is another reason for the need of executive level support.

Endpoint controls

Security endpoint controls are necessary for businesses which interact with other firms. For example, if the company obtains certain computing services from a technology vendor, then the vendor will need to be provided with access to relevant company information. Such information would usually include sensitive information which should not be leaked or lost, hence allowing vendors to have access to such company information is a risk that should be considered when establishing information security. Information security controls are security countermeasures implemented by companies to limit and monitor vendor access to the company’s sensitive information. According to the study by Nortcutt (2009), security endpoint controls are essential features of an effective information security system, because it is usually during the transfer of information between firms that information loss and leakage take place.

What to avoid

HP Information Security and Software Checkpoint Technologies Ltd (2010) also listed four features which result in the poor delivery of information security. These features include insufficient resources or budget; lack of strong security controls; inability to attract or retain competent and experienced security staff such as a CISO; and inconsistency of security rules and policies among different committees and departments within the company.

As pointed out in the previous discussions, no business organisation will be able to establish strong information security if an insufficient budget is allocated. However, the study also highlighted the fact that it is not necessarily the absence of resources or budget alone that impacts on information security, but also the lack of prioritisation of information security at the executive level, which results in the scarcity of resources allocated to it. Intel (2010) pointed out that some companies also place complete trust in vendors, and so do not consider the importance of establishing security controls. Some companies cannot engage a suitably competent CISO to oversee the implementation or delivery of information security, and this can also contribute to a poor quality system. Lastly, inconsistent security rules hinder the creation of a positive organisational culture of data protection and respect among employees. Inconsistency is also a major factor contributing to the difficulty of tracking violations of information security policies.

Conclusions and recommendations

From the previous discussions, it can be concluded that, for a business organisation to continuously expand or grow, it must establish and maintain a strong information security system to protect it from the threats of information leakage, loss, or destruction. A company’s ability to be competitive relies on its capacity to maintain the integrity of its sensitive information. With this in mind, it is recommended that companies adopt a strong security system that incorporates the following key features to optimise its delivery: the appointment of a person such as a Communication and Information Security Officer (CISO) to be responsible for the implementation and maintenance of information security; the provision of awareness programmes and ongoing training for staff in data security and protection for end-users; the fostering of an organisational culture that respects data protection and privacy; executive level support for information security; and strong and reliable endpoint controls.

Among other things, company executives should show strong support for the implementation of information security by allocating enough resources and budget to the security department and by encouraging other committees and departments to actively participate in the implementation and maintenance of information security.
