The management of an information security program is a
significant project for a business owner or manager, and will not happen of its
own accord. When you plan your project, it is important to be clear about both
where you are at the moment and also what you wish to achieve. The best results
by far are gained by implementing and managing security as an overall program,
rather than adding occasional unrelated security countermeasures (such as a
firewall) on an ad hoc basis.
Information security program management is often viewed by
managers as something that "just happens" of its own accord. Nothing
could be further from the truth. In fact, it reaches into so many disparate business
functions, and involves so many people, that it is arguably one of the most
complex areas to manage successfully. Ideally, the Chief Information Security
Officer (CISO) needs all of the following attributes:
• In-depth knowledge of specialized technology, such as
firewall types, computer network configurations, and cryptographic algorithms,
for the purposes of computer security.
• In-depth knowledge of recognized standards (such as ISO
27001) to a level which enables the CISO to implement the standards in full for
a given organization.
• Experience of writing customized policies and procedures
for a given organization, based on the CISO's experience of industry best
practice.
• Knowledge of relevant legislation and industry
regulations, and how to comply with them, together with experience of liaising
with the company's legal department.
• Familiarity with methods of workplace training and
awareness-raising, plus experience of liaison with the HR department concerning
contractual clauses.
• A working knowledge of human psychology as applied to
workplace behavior and computer security.
• Experience of conducting IT audits and liaising with
external auditors and consultants.
• Experience of managing an information security team (for
larger organizations).
• Experience of managing a significant budget and liaising
with vendors.
This is a demanding set of requirements, and few people
perform equally well on all points. Equally obviously, information security
reaches into every part of even a large organization, making
the job of the information security manager even more challenging than other
managerial jobs.
However, help is available from several sources. Chief among
them is the ISO 27001 standard, which specifies the design, implementation,
monitoring and improvement of an information security management system. This
standard and its sister standard ISO 27002 together represent the distillation
of best practice in this area. Becoming compliant with these standards will go
a long way towards easing the burden of information security program
management. In addition, help and advice can be obtained from professional
networking events with one's peers in the same town or city, as they will be
affected by exactly the same local conditions. Finally, reading relevant
periodicals can help to provide insight into commonly-encountered problems.