Repost: Is it time to re-invent the role of the CISO?

Great topical article on the role of the CISO and its alignment to business objectives. This is in line with one of my previous posts regarding the responsibilities of the CISO – as with all other roles, the value add and justification of the CISO should be assessed against the backdrop of the business, external factors and strategic initiatives.

http://www.enterprisecioforum.com/en/blogs/wh1t3rabbit/it-time-re-invent-role-chief-information

Should Technology be at the Heart of IT?

When working with senior IT management a while back, an example served to highlight different approaches to managing the IT function, or at least sub-components of it. What appeared obvious was the influence of the background and experience of management, as people tend to play to their strengths. The example was a discussion around a new position that had been created in the IT governance team relating to process and ITIL.
 
What struck me about the approach was that the technology was already embedded, and the person was being recruited to manage the technology and build process around it. In other words, technology was at the core of the business objective, with administrative and procedural components being mapped around it. Is this the right way to approach IT management? The obvious risk is that this may leave the situation at the mercy of the given technology: should the technology be replaced within the organisation, this will require a refocus on skills and possibly on infrastructure or other components radiating outwards. Documentation and other sound governance elements will also require a revisit.
I don’t believe this model to be entirely wrong – there may be instances where building a function around a technology is advantageous, especially when core business objectives revolve around the technology.
 
From a maturity, reuse and risk management perspective I believe the process should be at the core of the function, with technology acting as an enabler, especially given the current rate of change. I mention risk because in the Information Security space this is analogous to the development of an InfoSec Policy, which starts at a sufficiently high level to be technology agnostic and then plugs in current and future technology at the level of lower-level standards and sub-policies. If technology comes before process, then the latter constantly has to be updated as the technology matures.
 
So, is the decision to place technology or process at the centre driven by the skills and experience of management, by those more in touch with the technology (or those who shout the loudest), and is it destined to be tactical rather than strategic?

Protection of Information Bill and its Practicality relating to Information Classification

A bill was passed in the South African parliament today [search Twitter for #POIB or #blacktuesday] which will effectively make it a criminal offence to possess and publish classified information (I wonder if that includes those who are responsible for managing it?). While it hasn’t become law just yet (the bill must still be approved next year), journalists are predicting the end of freedom of speech in the country, which is indeed a very concerning thought.

There are many legal, moral and ethical wars relating to this proposed law going on, but I wonder what the practical ramifications will be, and whether Government will get what they want, or the exact opposite?

Many organisations struggle with the process of identifying, classifying and securing information, so we can expect a government to have a far greater challenge at hand due to its complexity and the sheer volume of information. Government processes and systems are often behind those of cutting-edge blue-chip firms, so there is likely to be a wealth of physical, disparate and unstructured information to deal with. The easy choice (either from a KYA or a practical perspective) is to deem all information classified, and indeed I have heard this suggested in organisations too.

This is impractical, as the basis for classifying information is to ensure that more sensitive and confidential information is better managed and controlled, and thus less likely to fall into the hands of those that shouldn’t have it. Making everything classified means more people need access to classified information assets, and is likely to lead to unsustainable or expensive controls.

The net result in this scenario is that it could be harder to implement the Law, as it is easier to get (and leak) the information, resulting in the opposite of what Government is trying to achieve. Throw social media and the relative anonymity of the Internet into the equation, and I struggle to see how this Law can be successful in muzzling those that wish to seek and share information that (insert your political or moral objective here). This should be an interesting item to watch.

As an aside, I am not for the Bill – the pragmatic view is that there will always be confidential information that should remain confidential outside a select few, but in the spirit of democracy and in the interests of a country you need to have avenues to expose information that citizens need in order to make informed decisions about future leadership. As with any information classification process, one must ask ‘what is the value of the asset, and what risk are we trying to manage?’ (and perhaps in this case, who stands to benefit?)

LINK: Great blog post on security risk management

http://www.secureconsulting.net/2011/11/assets-black-swans-and-threats.html

A post after my own heart. We need to take a step back and look at the bigger picture when it comes to risk management. What is important, what can go wrong, how can it go wrong, who can make it go wrong? Is it really important? What is the method, motivation and opportunity? Very good read!