From all of the security controls an organization could deploy, which one do you feel adds the most actual value for day-to-day information security and why?
There are many security controls that bring actual day-to-day value to organizations. The value-add will vary a bit from organization-to-organization based upon many factors, such as industry, services and/or products provided, size, geographic location, extent of de-centralization, number of employees, etc. I can’t pick just one. However, from my 2+ decades of professional experience I’ve seen the following two information security practices to be the most important for adding security value to all organizations for accomplishing effective and successful information security goals on a daily basis.
1) Give authority to those with information security leadership responsibility
I was first made responsible for information security around 1991, creating all the corporate information security policies, procedures, doing all the training/awareness, and doing risk assessment to determine appropriate controls to implement within a large multi-national financial and insurance company. I was in a “Risk Controls and Management” department outside of IT, but still had several layers of management to report up through, including the Internal Audit Director, and from there the Chief Operations Officer. The separation of duties from IT was good, but the lack of authority resulted in the policies/etc., being largely ignored corporate-wide. Then our information security team was moved to the IT area. One less layer of management to report up through, but too many competing interests in IT, and conflicts of interest by shared management, which still prolonged the lack of authority. The next move was to report directly to the VP /CIO, who reported directly to the CEO. While he also had the IT Director reporting to him, my equal status to the IT Director helped to resolve many of the previous conflicts of interest. The VP/CIO strongly supported me, and also told me that I had the authority to enforce the information security policies, and establish directives. He made that abundantly clear to the organization with an initial announcement, and also told me I could CC: his name on the memos I sent, to remind people of his support of information security, whenever necessary. Cooperation for information security actions increased dramatically after that.
Lesson: To be effective, information security leaders must be given the authority necessary to ensure information security policies are enforced and appropriate actions taken.
2) Provide regular training and ongoing awareness
All employees need to have effective information security and privacy training, that is associated with their daily job responsibilities, if they can reasonably be expected to appropriately secure the information they handle on a daily basis. They also need to have ongoing reminders about how to protect information, to let them know about new threats, and so on. Throughout the years I’ve seen first-hand not only in the organization I described earlier, but in doing 250+ information security and privacy program audits at other organizations since then, that the organizations with the most vulnerable information due to inadequate security, and also those that had the most breaches, were those with no, little, or ineffective training and no, or few, awareness communications.
Organizations that don’t provide effective and relevant training to their employers, and don’t take the comparatively tiny amount of time to send out regular awareness reminders, are setting their organization up for a security incident and possibly privacy breach by not giving their employees, who have control over the information to which they’ve been given authorized access, good information security and privacy training. To not acknowledge or act upon the importance of training and awareness is reckless and irresponsible. You cannot reasonably expect that technology controls alone will effectively secure information and the associated systems. To believe the technology vendors who claim otherwise is not only playing into their ploy to get you to devote your training budget to their tech tools instead, but it is also negligent, and in direct non-compliance with growing numbers of legal data protection requirements.
Lesson: To be effective, information security leaders must provide effective, regular training to support job activities, in addition to providing ongoing awareness communications.
Rebecca Herold | The Privacy Professor | @PrivacyProf
To find out more about our panel members visit the biographies page.