Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Proper information security only comes by being truthful

Too many organizations are unwilling to face the facts when it comes to their information security risks and protective status. To move forward, an honest assessment is required…

By Dr. Jim Kennedy

Industry and government continue to spend tremendous amounts of money on information security process, technology and people. Despite this expenditure the breaches continue to happen and the costs of these breaches continue to grow as well.

A prudent person would ask why. Then we see blogs entitled: ‘CFOs don’t want to get it when it comes to risk and security’ or magazine articles entitled: ‘Senior managers cause far more security headaches than workers they out rank’; and some of the answers becomes clear. Senior management and board level people simply do not perform their fiduciary responsibilities well or at all in this area. C levels are too high up in the food chain to be bothered with the day-to-day tribulations of information security.

At one pharma company a top C level exec actually required his company’s network team to connect his office computer to another company’s network because he was on that other firm’s board of directors: despite that interconnection being against corporate policy. Both networks were placed at risk. Why? Because he was too important to adhere to security policies.

Boards of directors and C level executives continue to accept at face value from their subordinates (VPs, directors, and senior managers) that the company’s networks, computing equipment and intellectual property are all safe; without proper verification from an external third party.

I have also seen cases where high level sales people are sending unencrypted emails over the Internet containing sales numbers or, even worse, future sales promotions or sales plans which a competitor would love to get their hands on.

Because promotions, bonuses, and jobs are all associated with maintaining a good perception of security nothing ever seems out of order; while underneath the surface the entire computing infrastructure and company day-to-day business practices are primed for a simple attack to breach the network with leakage of critical information of private and personal nature. In the case of government agencies the leakage could have far more devastating outcomes as has been seen recently in the Bradley Manning and Edward Snowden breaches.

In the recent Target breach, costs could be upwards of one billion dollars.

Everyone seems to be covering their proverbial derrières and truth about risk and preparedness seems a scarce commodity.

In my experience of evaluating breaches most generally occur because of a lack of adherence to policy, failing to follow proper practices, or a lack or disregard of policy and procedures. Less often because no security technology was deployed or it was improperly configured.

What can be done?

So I am sure that you are asking yourself at this point what can be done. Well there are a few simple things that can be done that can have a very significant impact on the protection of information within a government agency and private businesses.

1) First and foremost we need the highest levels of management at both business and government levels to seek the truth. To make it clear to all levels throughout their organization that there is zero tolerance for failing to adhere to security policies and practices. To make it clear that security is very important and is the responsibility of all people within the organization.

2) Middle level management (VPs, directors, and senior managers) needs to provide clear, accurate, and un-scrubbed information as to the actual risk posture of the organization.

3) A truly independent third party review of security infrastructures (architecture review, risk assessments, penetration and vulnerability tests), policies (are they adequate and/or fit-for-purpose) and practices (in place and being followed?) needs to take place. The finding of such assessments or audits should be given directly to the board representatives responsible for security oversight: who will then review with appropriate lower levels management. Note: the reason I make this a requirement is that I have seen far too many poor or bad assessments killed at the lower level of an organization because an insecure mid-level manager feared for repercussions. The result was that the company was placed at risk of a breach. By truly independent, I mean a third party organization which does no other business with the firm except this security assessment work.

4) Maintain a risk register which identifies vulnerabilities, threats to those vulnerabilities, and risks associated, and who is responsible for abating the risk, how it will be abated and when abatement will be complete. This register should be reviewed quarterly with senior management to determine progress.

All senior level leadership should remember the first rule of information security: ‘trust but verify’.

Independent assessment

I also feel compelled to discuss a bit more about independent assessments.

We have seen the failures of large audit and consulting companies in the oversight area. Many larger consulting and audit firms have multiple contracts within an organization and in a desire to keep these lucrative engagements are postured to deliver risk assessment identification results that are less than crisp and concise, are rounded at the edges, so as not to make the operational manager in the area that the consulting firm is performing other work look bad. The aim is to make the results more palatable. Why? Because they will be coming to that same manager they are assessing later on for other work and they do not wish to anger them or to make them look bad.

An opportunity exists

Funny thing but timing has brought the US to a point in time where many ‘boomers’ are retiring. Many of these retirees have more than 20 years of information/cyber security assessment, review and/or auditing experience. Yet this wealth of available experience and independence goes untapped.

Companies could offer these experts a short term W-2 consulting job and they will probably give a firm a very good price (they are on Social Security and Medicare so medical insurance costs are not needed). Firms could then contract with these folks to perform completely independent reviews of the organization’s security and risk posture without the bias existent with other large consulting or service firms.

If you really desire a clear picture of your risk this is a perfect way to accomplish it quickly, reasonable inexpensively, and thoroughly.

In conclusion

It is up to a company’s board of directors and government agencies’ senior leadership to seek truthful and accurate status of their risks and vulnerabilities. Business as usual has not worked in the past (as seen by the ever increasing breaches and cost of breaches) and there is nothing to suggest that it will fare better in the future. Change the CYA mentality to ‘cover your assets.’

I am not saying not to trust subordinates throughout your organization, but just to verify, independently, that what is thought to be the truth is actually so.

About the author

Dr. Jim Kennedy, NMCE, CRISC, CEH, CHS-IV, MRP, CBRM has a PhD in Technology and Operations Management and is the lead and principal consultant for Recovery-Solutions. Dr. Kennedy has over 35 years' experience in the information/cyber security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of three books, ‘Blackbook of Corporate Security,’ ‘Disaster Recovery Planning: An Introduction,’ and ‘Security in a Web 2.0+ World – a standards based approach,’ and author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Dr. Kennedy can be reached at Recovery-Solutions@xcellnt.com

•Date: 4th March 2014 • US/World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here