Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs have increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
Organizations do not run themselves. They are run by top-level managers whose job it is to exersize controls so as to bring about success. Like a truck traveling down a highway, the boss uses powers of observation and technological aides to view how things are going, understand the situation, and make adjustments to keep things going in the right direction. The better the view, understanding, and controls, the better the boss will be able to control the organization, and the better (we hope) the organization will operate.
Now comes the information age. The very nature of the way we work is changing, and over a period of only a few years, the value of the elements of our organization has shifted. In the industrial age, inventory, manufacturing facilities, and available cash were the major elements with financial value that management had to control. But as the information age came, more and more of the value of organizations moved into information assets. As Jim Schweitzer so clearly observes in his wonderful book Protecting Business Information:
The information value represented in business operations and product strategy plans and reports, which include technical, financial, and operational data, is probably equal to the value of the company less the value of physical assets. \dots [That is] the selling price of plants and equipment.
Consider management control over information assets relative to financial assets. Chances are, top management knows the financials quite well. They can not only tell you how much they have, but where it comes from, where it goes, and how they are certain of these facts. The reason they can do this is that, if they are doing their job well, they exersize effective control over financial assets. The same is probably true of physical assets. Top management knows where the plants are, how much inventory is in place, and they have at least a general idea of how materials move through the organization, where they come from and where they go to. Odds are, most of the top management has even visited most of the large plants at one time or another, gotten a tour, and talked to the key managers.
But if you ask similar questions about information assets, chances are that top management doesn't even know where to begin the answer. What is the value of our information? Where is it stored and how is it moved around? Where does it come from and where does it go? How do we assure that it is what and where we think it is? Have they ever been given a tour of the corporate network, seen what goes where, been told about the components involved?
If management can't answer these questions in the same level of detail as they can for financial or physical assets, it means that the information assets are out of control, and that means that they are unable to guide the organization as effectively as they could if those assets were under control.
There is one saving grace in any new age. The competition is probably just as out of control of their information assets as you are. Just like the beginning of the industrial age, management today has the reigns of a romping bull, and it will take some time before control is regained. But providence favors those who get their first.
Getting control over your information assets is, essentially, an information security effort. It involves getting a handle on the value of information, classifying it, marking it, and making decisions about how to handle it. It includes knowing and controlling what information goes where when, providing appropriate levels of assurance about the integrity, availability, and confidentiality of information, and creating control processes to allow management at all levels to manipulate, examine, and understand the information environment. All of these functions have been and continue to be at the heart of information security.
But the changes in the overall work environment resulting from the increased use of information technology are closely tied to the way computer networks allowed control to be localized, in many cases, directly to the desktop. While central computers under the tight control of data processing shops were relatively easy to control, the distribution of computation has made central control a thing of the past. The nature of the information environment has changed, making it harder and more complex to control, and increasing the burden on management to find new ways of guiding their organizations.
One of the most common methods used to deal with the distribution of information processing is to delegate control through data ownership. In the ownership model of distributed computing, information and technology is owned by the people who create and use it. This works very well for solving the problem of micro-managing a widely distributed network. But it also introduces some difficult challenges.
In many cases, the data owners don't know how to carry out many of their ownership responsibilities, in large part because they haven't been properly trained in the control issues, and aided by inadequate coordination. To address the coordination challenge, many organizations introduce centralized network coordination people. An organizational email expert might be tasked with making sure email works properly. The centralized email expert then coordinates with local experts within each of the sub-organizations, who in turn coordinate with even more local experts. This forms an email virtual-organization (we'll call it a vorg for now) consisting of a body of people, most of them working part-time on the email issues. The same technique is used to manage network address assignment and connectivity, to solve telephonic communication problems, and so on.
It all sounds great until you realize that the information protection function needed to assure control crosses all of these boundaries. Unlike email, information protection cannot be learned by a skilled programmer in a few weeks at a few seminars and managed part-time along with payroll programming. The function of assuring overall organizational control is tougher than that. Most people who are effective at information protection have many years of experience in the field. Those who have achieved certifications have roughly the equivalent of two masters degrees worth of graduate-level courses in the field and 5 years of professional experience, and like other types of professionals, require ongoing professional education to stay up-to-date.
Most data owners can decide that they want ccmail or microsoft mail, and the mail vorg can probably implement the interface. Few data owners can make prudent decisions about the value of their information assets to the overall organization, how it should be classified, what system of marking to use, how to effectively control access, and the hundreds of other similar decisions required in order to have an effective asset control program.
The email vorg can't make email security decisions alone because these decisions require coordination with the telecommunications vorg and the personnel vorg, and so on. In order to properly control this interwoven collection of vorgs within the larger organization, we need - you've got it - another vorg.
The info-sec virtual organization has the unusual challenge of crossing both the data ownership organizations and the technical vorgs. Few, if any, other vorgs face this challenge, and it can be daunting indeed. That's why proper internal support and structure is required.
In my experience with large organizations, I find that it is sometimes useful to use a chess analogy to discuss the organizational issues involved in creating such a vorg. I talk about kings and queens as being too high in the organization to be involved with info-sec at an operational level, and pawns as being too far down the ladder to have a substantial impact. It's usually the knights, bishops, and rooks that make things happen.
In a large organization, there are many knights and bishops. They are typically top-level technical people with responsibilities over systems, networks, technical support of business functions, and the like. While these are the people that make most of the technical decisions and get much of the most critical work done, they typically cannot cross organizations very easily and almost never have enough power to overcome objections or decisions of local bishops and knights within another part of the organization. The bishops and knights with technical interest, knowledge, and responsibility for information protection normally form the technical core of the info-sec vorg, but they are normally only effective when supported by a rook.
In most large organizations there are relatively few rooks. They are typically at least one level above the top technical people on the organization chart and are rarely more than three levels below the CEO. They usually have titles with words like director or corporate vice president in them. They are almost never the chief information officer, the chief scientist, or the head of internal audit, but they typically have the ear of these people when they wish to be heard.
The reason you need a rook to champion the info-sec vorg is that this is the only way to prevent local knights and bishops within other vorgs or data owner areas from overriding all info-sec decisions. When a rook is involved, it usually takes another rook to counter them. Since there are relatively few rooks, they tend to know each other, and they tend to work together regularly. To strictly overrule a rook requires a king or a queen, so in practice, they are rarely overruled, and overruling them involves substantial risk for the person who interrupts the busy king or queen to settle what they will perceive as a local dispute.
Having said all these good things about rooks, there are a few cautions. In choosing a rook to champion the info-sec vorg, it is vital to select someone who is secure in their job, has the respect of most or all of the other rooks, and has some interest in information protection. These conditions prevent having the rug pulled out from under the info-sec vorg whenever a dispute arises or the company is undergoing what has euphemistically come to be called rightsizing.
Ideally, the info-sec vorg is championed by a top-level information protection expert hired for the specific function of information protection. If your organization has taken this enlightened approach, the rook will be calling the bishops and knights together to form the vorg - or more likely already has. If you have had an effective vorg for a long enough time, the rook has either become that top-level information protection person, one has been hired, or one of the people in the vorg who works for or closely with the rook has become the de-facto expert.
So the info-sec vorg normally consists of a few bishops and knights who concentrate on information protection issues - most often from corporate headquarters and/or a few of the larger divisions, a rook at headquarters who champions the cause and ultimately heads up corporate info-sec, a set of other knights and bishops co-opted part-time from data owner organizations, and at least one representative from each of the vorgs that participate in implementing info-sec related decisions.
In normal operation, the info-sec vorg meets about quarterly to discuss large-scale issues, remain in touch, and coordinate changes in large-scale structure. These meetings usually also include exchanges of information such as new techniques being put in place and new requirements and new systems coming on line. As part of the meeting, expertise with particular products, technologies, and techniques are exchanged, new contact points are provided, and long-term progress is made. New people are also introduced to the group on an ongoing basis, an occasional celebrity visit from the rook is made, and on rare occasions, the CIO or a newly appointed company official may show up. In some more advanced info-sec vorgs there may even be a long-term outside info-sec consultant and a special-topic speaker at meetings.
Members of the vorg commonly communicate regarding areas of overlap. For example, the info-sec vorg member who is also in the email vorg will likely have regular communications with the telecommunications vorg-member and they will likely coordinate communications security issues related to email on an ongoing basis, calling on other info-sec vorg members when needed. Similarly, vorg members will likely be on many project teams and act as day-to-day points of contact between the info-sec vorg and the project team.
In emergency conditions, such as a case where a widespread incident occurs within the company, many or most of the info-sec vorg members may get involved in real-time.
The rook who underwrites the info-sec vorg will either head up to vorg personally or be kept up to date by one or more vorg members on a periodic basis, may request written reports and cost justifications from time to time, and may handle budgeting for the vorg if it becomes a sufficiently formal vorg within the company. The rook will also periodically call on vorg members to clarify matters, help settle disputes, and perform other vorg-related activities. On some occasions, the rook may also want to use the vorg for visibility or provide the vorg with visibility.
The movement toward a highly distributed computing environment has been reflected in a highly distributed management control process. This management process often consists of virtual organizations - vorgs.
Info-sec vorgs rule by consensus, good will, moral persuasion, and strategic placement and planning. They derive their power from momentum, the weight of their aggregate force within the organization, and the strength of their champion.
Info-sec vorgs provide management with control by providing an ability to effect large-scale changes, providing an ability to collect and aggregate information from the entire organization, and providing expertise to analyze and make prudent decisions based on that information.
Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net.