Since Operation Aurora was publicly disclosed in early 2010,[1] information security and, more specifically, cybersecurity (i.e., the protection of information assets against threats from cyberspace) have become top priorities in many organizations. Executive management generally understands the importance of the topic and follows accepted good practice by setting “the tone at the top.”[2, 3] A common problem is that in large organizations with multiple divisions, global operations and layers of management, tone frequently disperses and fails to move the organization toward a stronger cybersecurity stance. What is needed is information security leadership.
This article presents a framework that can help information security leaders build a sustainable information security program that avoids security gaps and blind spots. Specifically, the framework:
• Identifies the security dimensions that information security leaders must understand
• Presents five key decisions on which information security leaders should focus
• Explains three mistakes of which information security leaders should be aware
• Clarifies the concepts behind some terminology that is not always used consistently
The objective is not to define a detailed framework—volumes have been written on that[4, 5, 6, 7]—but rather to offer a pragmatic and actionable map that executive managers can use to shape their organizations’ information security in a more direct and tangible manner.
DIMENSIONS OF INFORMATION SECURITY
Information security is difficult to attain because it is a systemic property that requires vigilance along three dimensions (figure 1):
1. Security controls are the mechanisms—including procedures, structures, culture and policies—that organizations deploy to obtain reasonable assurance that threats are mitigated and regulatory requirements are addressed.
2. Organizational structures are the divisions, regions, management layers and processes that determine how organizations accomplish work.
3. Technology comes in different types (e.g., wireless, bring your own device [BYOD], cloud) from different vendors and different generations or versions.
Failure to properly manage any of these dimensions increases the risk of security incidents. If key security controls are missing, risk increases substantially. If security controls are not deployed systematically across the organization, critical information assets are left unprotected. If security controls fail to cover all critical technologies (e.g., wireless, BYOD, cloud, Wintel, mainframe), the information assets processed by these technologies are exposed and vulnerable. It is the job of information security leaders to prevent such gaps and to oversee the deployment of security controls across all technologies, divisions, regions, management layers and processes.
Figure 1 also shows that security controls follow from policies and standards. A policy is a

Klaus Julisch is a senior manager at Deloitte’s Enterprise Risk Services with responsibility for delivering security, privacy and risk management services. Prior to joining Deloitte, Julisch was a research staff member at the IBM Research Lab in Switzerland where he pioneered many of today’s mainstream security technologies.

Leading Information Security
NOTE ON TERMINOLOGY
Unfortunately, information security terminology is sometimes ambiguous, and information security leaders should always insist on clarity of terminology. For example, the terms “security maturity” and “security capability” are sometimes used to designate a variety of related concepts. COBIT defines capability and maturity as measures of process quality, but the terms have no broadly accepted meaning in the security space. Information security leaders must insist that all concepts and terminology are well defined and clear before using them.