People Centric Information Security – Part II

In this second part of my blog series (for the first part, please click here), I will explain how I envision the approach for people centric Information Security. My aim is to help guide organizations on how to embed Information Security in their specific context. An important aspect is that we need to start perceiving Information Security as a cornerstone for the delivery of high-quality services, products, and solutions. In short: add Information Security to Quality Management. With the positive result that implemented measures and controls have more value, because they are based on delivering quality to people.

Information Security’s Relation to Quality

Just like quality, you need to build Information Security right into your processes, not alongside them. The more effectively Information Security becomes integrated, the greater the enhancement in quality, whether it pertains to a particular function, service, product, or any other aspect. To achieve good quality, you start by setting and defining specific quality requirements. By integrating Information Security as part of your Quality Management process, you consider security requirements at the earliest possible stage. Adding Information Security to your Quality Management process, will effectively embed Information Security in a more natural way, fitting seamlessly to the process it supports. It becomes an architectural fundament to build processes.

The reasons why I concluded that the steps taken within Quality Management are beneficial to Information Security are:

1. The involvement of stakeholders at each step of the quality process.
2. Quality Management incorporates the next important driver to enhance quality:
   • Change management
   • Adoption
   • (Digital) Transformation

At the same time adding Information Security as an aspect to quality is also beneficial to Quality Management. It will actually improve quality. Just think about it: What is the value of quality when (information) security considerations aren’t a part of it?

For larger organizations, Quality Management is often an existing business function. Smaller organizations usually apply a ‘build as you go’ approach. To realize Information Security, both approaches are fine, as long as you are aware of the fact that delivering high quality means that security must be part of whatever you build. It should be part of product vision and service management principles.

As mentioned in my first part of this blog series, to realize Information Security in the context of any organization, it is necessary to first focus on understanding how people process information to do their job. Only by understanding this you will be able to steer on quality.

So, what needs to change?

I’ve been discussing this with experts on the subject: Business Analysts. Day-to-day they analyze how people work and how to best translate this to the technologies (e.g., applications) they use. And from there they zoom in on the information streams (or information flows) within those business functions. They point out that, in practice, they often work in environments where the security quality (non-functional[1]) requirements have already been determined. They are static, and only adjusted when it is really necessary.

This ‘static’ approach towards security quality requirements rises, because organizations create them on the process or organization level. Consequently, all underlying business functions (and information streams within them) face the same requirements forced upon them. By disregarding the underlying business functions and the relation to their context, security quality requirements may in fact cripple them. By forcing them onto business functions, the possibility rises that they create unworkable or Kafkaesque situations. Situations that the workforce will try to circumvent, and by doing so, weakening security. The Business Analysts I discussed this with agree that it is time to start deep diving into business functions and distill information streams from them and determine the specific security quality requirements that apply to them. This is the only way to prevent these static security quality requirements from possibly crippling business functions.

We concluded that the new approach is to inventory and model security quality requirements based on information streams. This is where it starts to get interesting: Information streams reflect the way people, within a business function, process information. And this insight is exactly what we need to deliver people centric Information Security. The challenge the business analysts point out is that there is knowledge, but little experience on mapping security quality requirements on specific information flows. The challenge is to adapt currently used methods for this purpose.

The main points to tackle are:

1. Creating a process that adds involvement of both the correct people in the workforce, and the people responsible for that workforce. And we need to understand what information that workforce processes. By doing so, it is possible to determine who is responsible for what ‘information processing’, and which people actually process it. This leads to what I call ‘information governance’. To have people work secure, they need to become part of the process to get it secure. It shouldn’t be something that ‘others’ decide for them. Organizations need to:

• Retrieve input from its workforce to understand how ‘things are done’
• Create solutions (preferably with user groups), that balance workability and security.
• Take the workforce by the hand by explaining what they created, and what the benefits are (for both the workforce and the organization).

2. The cooperation between the following business functions (also to tackle the previous point) is key:

• Quality Management (function: Quality Officers)Enterprise Architecture Management (function: Enterprise Architects)Business Process Management (function: Business Analysts)Risk & Compliance Management (function: Risk Officers and Compliance Officers[2])

• Information Technology (to help realize Cyber Security)

These disciplines need to combine their knowledge and skills, to create a process that implements people centric Information Security.

As already explained in the beginning of this blog, I am convinced that Information Security should be an aspect of quality. And by doing so, both business functions will benefit. I also concluded that the business functions b through d, perform a lot of tasks similar to tasks performed by Information Security Officers. Examples of these overlapping tasks are:

• Executing business impact analyses.
• Performing (IT) risk assessments (sometimes with, and sometimes without the involvement of the business).
• Choosing (security) frameworks fitting to the organizations specific industry.
• Creating classification schemes[3] to determine what is critical to the organization.

The overlap is that:

• Business Analysts also execute business impact analyses (involving the business).
• Risk Officers and the IT department execute (IT) risk assessments.
• Compliance Officers make sure the organization complies to relevant law and legislations and choose fitting frameworks.
• (Enterprise) Architects set boundaries and classifications schemes in their architectures.

But perhaps the most important reason why these business functions would be willing to cooperate is that they all, in some way or another, have the same need regarding the first point to tackle: input from the right people. When working together, they create and share this information to the benefit of all:

• Quality Management will deliver higher quality.
• Enterprise Architecture Management will have more insight in how to strengthen the fundaments of its architectures.
• Business Process Management will be better able to determine non-functional (Information Security) requirements, ensuring higher optimization.
• Risk and Compliance Management have better input to address risk and implement controls for compliance.
• Information Security and Cyber Security are created with better business context.
• Information Technology receives better input on how to safely implement and configure technology to support business.

Conclusion

Information Security as a quality aspect will lead to the better, more natural working of processes. Alignment on both tackling points, (1) involvement of the right people and (2) cooperation between the mentioned business functions, is key. Realizing this, as discussed with Business Analysts, means extra effort by adapting existing methods to determine security quality functions.

Stay Tuned for Upcoming Blogs!

In my next blog, I will explain what information streams look like, and why they are so important to determine the value of information and realize information security.

In later blogs, I will explain how the two tackling points relate to each other and how Information Security relates to them. Many organizations already have the necessary business functions set up within their organization. Now there needs to be guidance on how to align them so that they can start cooperating and complementing each other.  

Also, I will explain why the extra effort, as discussed with Business Analysts, is a prerequisite to successfully adopt modern technologies to realize (secure) digitization. I will also share the approach I created to overcome the two tackling points.

[1] People establishing requirements use the term ‘non-functional’ requirements instead of quality requirements. As opposed to functional requirements they describe what a process or function must achieve. Non-functional requirements describe under what circumstances the result must be achieved and the desired quality. The ISO/IEC 25010 standard for software product quality may be used as a guideline. This model defines security as a quality characteristic. In this blog I will use the term ‘security quality’ requirements, which is interchangeable with ‘non-functional’ requirements.

[2] Including, when applicable, Data Protection Officers and Privacy Officers and Privacy Officers

[3] A classification scheme is an overview with parameters that show the level of criticality something has to an organization. There are, next to critical, several levels of classification possible. Most used are critical, high, medium, low, negligible. For information security classification schemes use parameters regarding confidentiality, integrity, and availability.