Asking the Right Questions
When I started my career, information security was primarily a technology-focused effort. It was all about mainframe security, and setting prescriptive practices for implementing mainframe security products. Anytime there was an operations problem, it was usually blamed on the security product, so you really needed a tremendous understanding of the underlying technology. Information security didn't get any kind of business scrutiny -- except if there was any related downtime.
When I arrived at JP Morgan, though, we put together an Executive Information Security Committee. It was chaired by the Chief Financial Officer, and we had executive business heads sitting on the committee. It was really the first step in getting business involvement, even though it was still a technology-focused area. One of the things that worked in our benefit was that "data security" policies and standards wound up having the full support of the committee.
It wasn't until probably the early 90's when people began to realize that they were making business decisions based upon the technologies, and then information security started to become a business discussion.
I moved to Citicorp in the mid-90s, and from the beginning we recognized that in order to be successful, information security had to have the support and buy-in of business and executive management. One of the early things we did was to use a little handout that said "Here's security in a nutshell," and we had a list of questions that we used to explain security to the Business Managers or to the Board of Directors. The intent was to take the mystery out of security; the questions went something like this:
"Are you concerned with who is using the service? Is that a big deal or a little deal?" -- and if you are concerned, here are the different approaches you can use to identify who is using your service. We then discussed the alternatives that could be used to address the question (i.e., IDs and passwords). Once they had figured out whether or not they were concerned with who was using their service, we talked about the next question.
"Once you know who they are, do you want to limit their activities?" This became very clear when dealing with trading systems and funds transfer systems, where limits had to be in place. Once we got those two out of the way, we ticked down through the rest of our questions:
- "Are you concerned about maintaining the privacy and confidentiality of information?"
- "Are you concerned about the integrity & availability of information?"
We were talking about security, but what it really came down to is "What is the business issue we're trying to solve?"
We spoke to them about being concerned about unauthorized access to information. We talked to them about trying to ensure that they had a signed receipt for transactions.
But it all really came down to simply asking the right questions about protecting the business. That is very, very different from focusing on the "state of the technology." We looked to get answers that made sense to the businesses we were there to serve.
From my perspective, a business-focused approach -- focusing on what needs to be done -- has to be primary. Focusing on how it has to be accomplished (process and technology) becomes a second order issue.