Kindle Notes & Highlights
How do we protect information when it’s located outside the physical perimete...
tag information so that we can track and manage its use.
the creator of a document can define exactly who has access rights throughout the life of the document and can revoke access at any point.
Data loss prevention is used to tag documents, track their movements, and prevent transfer outside t...
Users can become security risks for a variety of reasons.
Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. —Albert Einstein
began using the information gathered from users’ devices to offer personalized experiences, ranging from location-based driving directions to selected advertisements.
The idea of dynamically evaluating trust is a key aspect of the new security architecture that
When a user requests access to enterprise systems, our architecture will dynamically calculate trust based on contextual information such as the user’s identity, the security features of the device they’re using, their physical location, and the resources they’re trying to access.
The architecture then will decide whether to grant access, and the level of access that should be allowed.
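The dynamic trust calculation described in the highlights above, as an added illustration that is not from the book and is not Intel's actual architecture: identity, device posture, location and the sensitivity of the requested resource are combined into a score, and the score is mapped to an access level. The weights, the thresholds per sensitivity tier, the hard rule that unmanaged devices never get full access to restricted data, and the sample requests are all assumptions chosen for this example.

```python
"""Contextual trust evaluation (added example; weights and thresholds are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    DENY = "deny"
    LIMITED = "limited"   # e.g. view in browser, no download or sync
    FULL = "full"


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in enterprise device management
    disk_encrypted: bool
    patched: bool          # OS and browser at the required patch level
    screen_lock: bool


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device: Device
    location: str          # "office", "vpn", "home" or "unknown"
    resource: str
    sensitivity: int       # 1 = public, 2 = internal, 3 = restricted


# Location component, max 30 points (assumed weights).
LOCATION_SCORE = {"office": 30, "vpn": 25, "home": 15, "unknown": 0}


def device_score(d: Device) -> int:
    """Device posture component, max 40 points (assumed weights)."""
    score = 15 if d.managed else 0
    score += 10 if d.disk_encrypted else 0
    score += 10 if d.patched else 0
    score += 5 if d.screen_lock else 0
    return score


def trust_score(req: Request) -> int:
    """Identity (max 30) + device (max 40) + location (max 30) = max 100."""
    identity = 30 if req.mfa_passed else 10
    return identity + device_score(req.device) + LOCATION_SCORE.get(req.location, 0)


# (score needed for LIMITED, score needed for FULL) per sensitivity tier.
# The bar rises with the value of what is being accessed, not only with who asks.
THRESHOLDS = {1: (0, 40), 2: (40, 65), 3: (65, 85)}


def decide(req: Request) -> Access:
    """Map the contextual trust score to an access level for this request."""
    limited_at, full_at = THRESHOLDS[req.sensitivity]
    score = trust_score(req)
    # Hard rule (assumed policy): restricted data never gets FULL access
    # from a device the enterprise does not manage, whatever the score.
    if req.sensitivity == 3 and not req.device.managed:
        return Access.LIMITED if score >= limited_at else Access.DENY
    if score >= full_at:
        return Access.FULL
    if score >= limited_at:
        return Access.LIMITED
    return Access.DENY


# Constructed sample requests for the same user on different devices and locations.
CORP_LAPTOP = Device(managed=True, disk_encrypted=True, patched=True, screen_lock=True)
STALE_LAPTOP = Device(managed=True, disk_encrypted=False, patched=False, screen_lock=True)
PERSONAL_PHONE = Device(managed=False, disk_encrypted=True, patched=True, screen_lock=True)

SAMPLE_REQUESTS = {
    "office_laptop_restricted": Request("alice", True, CORP_LAPTOP, "office", "hr-records", 3),
    "phone_home_restricted": Request("alice", True, PERSONAL_PHONE, "home", "hr-records", 3),
    "phone_unknown_nomfa_restricted": Request("alice", False, PERSONAL_PHONE, "unknown", "hr-records", 3),
    "phone_home_internal": Request("alice", True, PERSONAL_PHONE, "home", "wiki", 2),
    "stale_laptop_vpn_restricted": Request("alice", True, STALE_LAPTOP, "vpn", "hr-records", 3),
}


def evaluate_all() -> dict:
    """Decide every sample request; returns name -> (score, access)."""
    return {name: (trust_score(r), decide(r)) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (score, access) in evaluate_all().items():
        print(f"{name:32s} score={score:3d} -> {access.value}")
```

Note how the same identity gets three different answers for the same restricted resource depending on device and location, and how a managed but unpatched laptop is downgraded to limited access rather than denied outright: that graduated response is what lets the architecture enable access while still managing the risk.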
provide users with a consistent experience across devices and the ability to seamlessly transition between them.
focus on the user experience and on enabling this broader range of devices while managing the risks.
these capabilities are likely to become more sophisticated and automated, allowing businesses to define policies that automatically store sensitive data in highly secured locations.
CISOs will need broad business and people skills as well as a thorough knowledge of security controls.
The conductor of the orchestra doesn’t make a sound. His power comes from awakening possibility in others. —Benjamin Zander, conductor and coauthor of The Art of Possibility
Business acumen is necessary to communicate the technical risks in language nontechnical people in the business can grasp.
Risk-taking is fundamental to business. Without it, no business value would be created.
The concept of “T-shaped” individuals has been widely used to describe the idea that IT professionals need to be able to provide value horizontally, across business groups in the organization, as well as vertically at all levels within IT.
The unique role of CISOs and other security professionals might be better represented as a “Z-shaped” individual, as shown in Figure 9-1. Adding the third dimension of core security skills, such as risk assessment and understanding of controls, allows us to deliver value across the business and all areas of IT.
The 21st century CISO needs to understand business priorities and processes well enough to identify how security controls help or constrain the business.
our mission is to enable the free flow of information and rapid implementation of new capabilities to ensure success and long-term competitive survival.
our goal is to enable the free flow of secured information for our customers. An example of that is seamlessly accessing content no matter where it rests.
the mission is always aligned with the business priorities,
To communicate, CISOs must become chameleon-like, with the ability to blend into a variety of environments. We need enough knowledge of each business domain to be able to communicate with different groups using language they understand.
I like to tell stories using metaphors and analogies. They are easily remembered, and they translate complex subjects into simple terms everyone can understand.
Helping employees communicate and collaborate at any time can drive significant productivity gains.
provide some level of access while mitigating the risk,
we need to act decisively based on imperfect information.
A sixth sense is only of value if the organization can act on it quickly.
we need the courage to take a leap of faith based on what we believe.
The second requirement is that the organization responds quickly when we inform them about a security issue.
the organization can act at the Speed of Trust, as Stephen M. R. Covey describes it in the book of the same name (Free Press, 2008). Faster, frictionless decisions are possible because people know, from experience, that our information is reliable and that our focus is on enabling rather than spreading fear.
This speaks volumes when you think about the variables leveraged by a system to determine the trust level.
CISOs must become effective leaders who can inspire their teams to enable and protect the organization.
Our security team members must believe in our mission;
If people understand the greater goal, it helps establish an emotional connection and guide their everyday actions.
helping our team see how their jobs are connected to the business’s objectives and concerns.
Today, managers are moving away from command-and-control to a more collaborative approach that takes advantage of the diversity of employee ideas and strengths.
I’m not talking about a consensus process, which can lead to endless debate and indecision. Rather, a leader’s goal is to ensure alignment to a common mission and accelerate decisions.
Within this framework, differing viewpoints and debate spark creativity, generating new ideas and a productive...
A key study found that even small wins boost motivation, productivity, and creativity.
In the Harvard Business Review article describing the study, authors Teresa Amabile and Steven Kramer (2011) determined that the feeling of making progress is the most important contributor to an employee’s emotions, motivations, and perceptions.
It goes without saying that leadership means taking responsibility.
A final requirement of effective leadership is the ability to develop other leaders within the security group.
By building competence in depth, the CISO can ensure that the organization delivers sustained performance over time.
the organization shifts away from IT implementation to procurement and management of suppliers and services, while setting direction and establishing an overall IT architecture.
organizations cannot outsource risk.
We can hire companies to deliver our business systems, but we’re still responsible for compliance with SOX.
As regulations proliferate and more and more personal information is stored in business systems, the risks can only increase.
must retain the management of information risk as a core competency.
CISO. You need Character to ensure your actions demonstrate integrity; Intuition to anticipate what’s needed and act accordingly, taking risks when necessary; Skills that span business, technology, and a wide variety of risk areas; and Objectivity in order to avoid falling prey to fearmongering.