The InfoSec Maturity Dilemma
Protecting business information is a non-trivial exercise. The practices of Information Security Management and Cybersecurity Management (the latter being, in essence, a subset of Information Security Management focused on securing assets that are vulnerable through technology) are relatively immature.
Both practices are concerned with protecting an organisation’s information assets, typically aligned to the Confidentiality, Integrity & Availability (CIA) Triad.
Whilst most data assets in today’s organisations are stored and managed electronically, the opportunities to endanger those assets are many: compromises originate from both internal and external actors, and exploits target both technology and non-technology weaknesses. This article predominantly focuses on the issues of managing Cybersecurity, to highlight the problems businesses are facing.
Managing a technology infrastructure is a complex undertaking. The ITSM (IT Service Management) and ITOM (IT Operations Management) practices adopted by many organisations to deliver effective management comprise a significant number of discrete disciplines – e.g. Account Management, Configuration Management and Problem Management, to name a few. These disciplines, totalling some 20 in number, are fundamental to delivering best practice and ensuring the ongoing availability, efficiency and performance of the services the organisation offers to its customers. Quite simply, without well-structured methodologies like ITSM and ITOM it would be impossible to manage any technology infrastructure (even a relatively modest one) with any confidence.
From an information security management perspective, all of these disciplines impact, to a greater or lesser extent, an organisation’s ability to protect its information assets and/or react to a security incident – i.e. its Information Security Posture. For those disciplines that are performed exclusively to address security (Antivirus and Malware Detection, Firewall Management, etc.) this is obvious. But for those disciplines that are not exclusively focused on security, it is worth looking at an example to illustrate the impact non-compliance can have on a business.
Let us consider the discipline of Backup & Restore Management, which comprises the activities required to ensure data is backed up and available for restore to support business operations. Regularly testing that backed-up data can actually be restored is an essential activity within this discipline. If an organisation does not perform these restore tests and is then subject to a ransomware attack, it is highly probable that it will suffer unwanted consequences that could easily have been avoided.
We can therefore see that essentially every activity associated with the management of an IT infrastructure has implications for the organisation’s Information Security Posture if it is not correctly performed. When managing information security, businesses also need to consider how they manage the non-technology aspects of the business – e.g. do they screen employees prior to employment, do they have legal contracts in place with their third-party suppliers, etc.
These non-technology activities must be treated at least as seriously as technology activities. Cyber criminals are not picky about how they breach a business: they will generally attack the weakest link, and a weakness in a non-technology activity can be exploited just as easily as a weakness exposed by a technology activity that is not performed, or is performed incorrectly.
Whereas ITSM and ITOM are established and proven methodologies for managing technology infrastructures in support of the services being provided, the management of information security is a much more recent undertaking and has no equivalent approaches to build upon. While frameworks like ISO 27001 provide a set of guidelines for managing information security, they fall short of providing prescriptive and proven methodologies at the coal face that organisations can confidently rely on.
The development, implementation and management of these low-level controls is generally the responsibility of security teams, who are accountable for overseeing daily security operations. Frequently the operation of these controls is delegated to members of the IT organisation and business operations, who run the technology and business systems accordingly. Without significant oversight, communication across these different business entities can be lost in translation, resulting in erroneous or incomplete actions being performed, which in turn weaken the business’s Information Security Posture.
The immaturity of the Information Security Management industry is evident in the standard approach taken to information security governance. Organisations typically still rely on spreadsheets, because purpose-built specialised software that incorporates detailed and prescriptive low-level best practices, workflow, automation and reporting to enable rigour, consistency, structure, accountability and measurement is not widely available.
Given all of this, it is hardly surprising that high-profile reports like the EY Global Information Security Survey and the Verizon 2019 Data Breach Investigations Report conclude that 87% of organisations are unable to provide the level of security resilience they want, and that the inconsistent application of security controls is the major threat to business.