As a Chief Information Security Officer (CISO) I often receive this question, although it is possible to replace ‘application’ with ‘tool’, ‘device’, ‘software’, ‘hardware’, ‘IT solution’, or anything along those lines.
I usually receive the question via e-mail with a certain sense of urgency: The process to buy the application (seemingly) is as good as finished, with approved budget, a successful Proof of Concept (PoC), and many users anxiously awaiting the moment to start using it. Somewhere during the purchase process, someone asked, ‘Did you involve security?’ That’s when I received the email.
Besides urgency, the email typically contains links to the application’s website and the supplier’s ISO27K certification. Also, there is an immediate demand for approval, with the extra comment: “… they are ISO27K certified, so there really shouldn’t be a problem and we can proceed, right?”
Unfortunately, having ISO27K in place isn’t enough for information security to proceed with the purchase. It only shows that the supplier of the application has its own security processes in place. It doesn’t mean that the application somehow “automatically” secures the processing of other organizations’ information. And that isn’t very strange, because the supplier of the application has no knowledge of the value that the information we will process with its application has to us.
What happens next is that the security department points to the information security process. A process that takes time and effort to execute. And that’s where the security department becomes the department that delays the purchasing process and frustrates all the people who are eager to start using the application. The security department becomes the department of ‘No!’.
This is why people within organizations, unjustly, perceive the department responsible for information security as the part of the organization that decides what they can and cannot do. True, in the earlier days of digitization the security department (often the responsibility of the IT department) also believed this to be true. Nowadays, however, this responsibility has shifted: the security department is responsible for creating the information security process. This process enables people within an organization to answer information security questions (like the one in the title) for themselves.
So, why does this happen? Let me start by saying: “mea culpa. It is also my fault.” As a CISO, I should’ve emphasized the security aspect of application purchases. An aspect that takes time and effort to establish. Or, well, of course I did embed it in the purchasing process… and wrote it down like this in the information security policy… but, although you might feel my last remark to be cynical, in my opinion this is still a challenge for the security department… as it is for senior management. Here is why:
- The security department is responsible for providing the information security process. A process that, when followed, provides insight into the organizational value of the information that the new application will process. To be exact: the value regarding confidentiality, integrity, and availability. This valuation of the information helps determine under what circumstances it is okay to purchase the application.
- Senior management needs to make sure that everyone in the organization understands that they must follow this process before purchasing new applications. Senior Management must also explain that this isn’t a demand to please the security department. It is there to safeguard business continuity. And yes, the CISO is also part of senior management.
While, as part of Senior Management, it is (also) my responsibility to deliver this message, it is not my responsibility to ensure that people actually follow the process. This responsibility lies with the people responsible for the people that process the information (to understand this sentence, please read it a couple of times). It is their information that their people, from their department, process. The security department doesn’t determine the applications used, as long as they ensure secure information processing per the process.
If they choose to deviate from the process and seek approval from security, they have not taken their responsibility to first follow the process. And that means saying no to the question: “I want to buy this application, are you okay with that?”
So, there needs to be a department that is responsible for creating the information security process, so that the rest of the organization is able to follow that process and embed information security in their daily operations. Information security is a subject that touches just about everything that people in an organization do. Therefore, there needs to be a standardized approach to ensure consistency. Only by creating consistency is it possible to manage it. And the organization will reap the benefits of this consistency. It will, for instance, help translate information security requirements into securely implemented IT solutions. As a result, this consistency paves the way to using technology more efficiently and effectively to process information. You will actually improve your processes!
Responsibility for the information security process (CISO) is clear. Responsibility for adoption within the organization (senior management) and responsibility for execution (everybody) are often vague. The way organizations position these responsibilities makes it hard for people outside the security department to easily fulfill them. People who studied (or study) information security learn the following basic statement: “Senior management is responsible.” But that simple line doesn’t cut it. It doesn’t explain how to help senior management take this responsibility. It needs to be worked out further to help embed information security within all business processes and functions.
If you’re curious about my approach, check out my blog series: People Centric Information Security.