February 25, 2009

Security Architecture Q&A

Recently, I was interviewed on the subject of Security Architecture and was given permission to share the Q&A:

In general, what kinds of information security issues does an organization face?

The overarching information security issue in any organization is one of communication, collaboration and the need for transparency vs. the need to protect information from being compromised. Information security is about more than just "stopping leaks." It is also about making sure that people don't intercept, interject or otherwise manipulate agency information for their own ends.

A related issue has to do with protecting the agency's critical IT infrastructure from physical or cyber attack. It's the age-old conflict: If you lock it down completely, then you're protecting it, but you also can't use it. And if you open yourself up altogether, then obviously it won't be long before somebody takes aim.

Finally, the largest threat to an organization's information is clearly from insiders, who have the "keys to the kingdom." And so one must pay great attention to not only the qualifications, but also the background, of the employees and contractors entrusted with access to IT systems. Additionally we must institute checks and balances so that each person is accountable and is overseen.

How do leaders demonstrate security leadership?

Leadership in the area of security is demonstrated in a variety of ways. Obviously the primary method for demonstrating the importance of this function is to formalize it and establish a chief information security officer with the resources and tools at his or her disposal to get the job done.

But security leadership also means building an awareness of risk (and countermeasures) into everything we do: education, awareness, planning, designing, developing, testing, scanning and monitoring.

When new applications or services are being planned and rolled out, does security have a seat at the table?

I can't imagine any organization these days that doesn't consider security in planning and rolling out new applications or services. The real question is, does the organization have a formal process in place to provide certification and accreditation for IT systems? By law, federal agencies are required to do this.

Would you say that information security is generally tightly integrated into organizational culture?

I think that a security mindset and culture predominate in professions where security is paramount, such as law enforcement, defense and intelligence, for obvious reasons.

But the larger question is, how would other organizations make the transition to a culture of greater information security? And this is actually a really important question in today's age of transparency, social networking, Web 2.0, etc., where so much information is freely flowing in all directions. One approach that I have adopted as a culture-changing mechanism is to treat key initiatives as products to be marketed to a target audience. The IT security professional needs to be a master communicator as well as a technical expert, so that employees not only grudgingly comply with necessary measures, but are actively engaged with, and support, their implementation.

At the end of the day, the organization's information security is only as strong as its weakest link. So security has to be as deeply ingrained into the culture and day-to-day operations as possible.

Is information security an inhibitor to new initiatives?

Information security is one of many requirements that new initiatives must meet. And of course there will always be people who see compliance as an inhibitor. But the reality is that security compliance is an enabler for initiatives to achieve their goals. So the key for IT security professionals is to keep educating and supporting their stakeholders on what they need to do to achieve success and security at the same time.


No comments: