The Crucial Role of Leadership in Information Security

We frequently talk about leadership roles within organizations and cybersecurity teams. As Kaushal Perera, CISSP, explains, effective cybersecurity leadership needs to address much more than just operational matters.

In the contemporary digital landscape, characterized by looming data breaches and cyber threats, effective leadership stands as the cornerstone for establishing and upholding a resilient information security framework. Leaders must grasp the importance of their role in shaping organizational culture, set the tone, and make pivotal decisions that establish a strong foundation in information security and continually reinforce it.

Current Threat Landscape

The dynamic nature of the current threat landscape is forcing organizations to focus more extensively on their information security posture. In my opinion, when considering potential threats against them, organizations should no longer focus simply on their sector, industry, or geography. Instead, establishing a robust information security foundation is imperative.

This foundation should be built upon best practices and standards, rather than focusing solely on specific threats, particularly at the initial stage. Then, once the foundation is laid, further improvements may be based on specific threats.

For example, companies should not (and usually do not) assess threats to network computers and implement anti-malware detection tools only on a specific set of computers; rather, it should be the other way around, with anti-malware being a standard deployment for all computers. A company should implement an appropriate anti-malware tool and then extend or add to its features, or make further broad improvements, based on the threats and risks. In short, once the base is laid and strong enough, companies can build upon it. However, to build the foundation, companies should understand and accept their current position.

Understanding the Current Position and Setting the Tone

This is where, in my experience, companies tend to make mistakes. Understanding the initial risks at the foundation level and within the company culture is not an easy task. The best approach is to compare and contrast with best practices, rather than looking mainly at the threat landscape and limiting focus to a particular area. This process aids in understanding gaps and is essential for identifying weaknesses, thereby facilitating the implementation of controls to establish a robust information security architecture as the foundation.

However, when implementing controls, initial resistance may arise from internal staff. This is like the early days of workplace computing. I recall one company where frustrated staff claimed that manual work was easier than working on computers: when initial data input issues arose and they struggled to adapt, they claimed that manual work had never posed such difficulties. Diverging opinions among various staff members may also consume time and effort in reaching agreement and making progress.

Leadership

Leadership of an organization should set the tone when it comes to valuing and prioritizing information security for that organization. When leaders emphasize the need and follow it, employees will – usually – fall into line. In my experience, the bottom-up approach never works for information security.

To ensure success, leadership should understand the risks to their company, the importance of best practices, and the consequences of not prioritizing information security. Ask yourself this: when assessing the risk for a new initiative, if the cost-benefit analysis gives the green light to proceed but the risk-benefit analysis gives you the red light, what do you consider?

This is why leadership must understand the risk, and treat it based on the company’s risk appetite. If the company is willing to accept the risk, a strong basis should be developed to justify the acceptance. There are no shortcuts or workarounds for this.

However, this becomes a complicated issue if the overall picture is not translated holistically into a communicable language for senior management. As a solution, most companies and regulators emphasize the need for having information security representation at board meetings. Yes, some regulators mandate the role of Chief Information Security Officer (CISO), with the right qualifications and expertise. This facilitates a smooth bottom-up information flow, enabling a better understanding of risks, informed decision-making, and effective communication of decisions through a top-down approach to tactical and operational levels.

Culture Change

Changing attitudes is important to changing an organization’s culture. I have seen many people in important roles pay attention to information security needs – especially individuals working in companies in highly regulated sectors. They are fully aware of the benefits of information security for the company, as well as for themselves. Such controls safeguard not only the company, but also its staff. For example: they know that logs ensure accountability for actions taken and safeguard them from malicious activities they have not engaged in.

I have also seen the opposite behavior: network administrators with access to the internet bypassing controls, managers allowing software developers to take source code home on USB sticks, people using their position to bypass access controls while considering it their privilege to do so, etc. This is where leading by example is important, and attitude matters. Leaders who prioritize and demonstrate a commitment to information security foster a culture of vigilance and accountability throughout the organization, and a positive mindset in leaders is crucial for this.

Companies should, for example, update their standard interview questions to understand the attitude of a person towards information security, especially when recruiting staff to the IT department and to managerial roles in the business. It is now normal practice to look for candidates with knowledge and understanding of information security and controls. For example, when recruiting software developers, companies not only look for expertise in programming languages but also require applicants to have knowledge of the OWASP Top 10 and secure development practices.

Information security directly connects to, and needs direct contribution from, most areas of a business. Human resources, physical security and supply chain security are some of the most direct contributors, thus improvements to people, processes and technology must be considered in these areas as well.

Improvement need not always relate to risk, regulatory requirements, or the output of threat assessment or vulnerability assessment. For example, a process may require improvements to enhance efficiency and effectiveness; this should be looked at in a positive way. But to prioritize such areas, leadership support and setting the tone are vital. Such support helps ensure that information security improvements are prioritized consistently across the company. As a result, all directly and indirectly contributing departments will understand and support the building, improvement, and maintenance of a strong information security posture.

Resource Allocation

Once leadership understands the need for change, changing the culture and mindset is far from easy without adequate resources. It is vital that sufficient human and technology resources are available to support processes. For example, to maintain continuity, backup personnel should be designated to take over and continue operations when/if the primary person is unavailable.

Lack of staff in critical areas can also lead to risk. Your Security Operations Centre (SOC) must have an adequate number of competent staff to monitor incidents 24/7; avoid reducing the number of staff and relying on junior employees lacking expertise simply to cut costs, as this can lead to overlooked incidents and failures in the incident response procedure.

It’s certainly the case that manual work can create inconsistencies and integrity issues, leading to vulnerabilities that directly affect the security of data and information. Automation is a key mechanism for improving such processes. Of course, suitable investments should be made in a prioritized manner and only in line with the company’s strategic objectives, mission, and risks – not by randomly selecting products and services. Consider basic needs too, such as firewalls, intrusion prevention systems (IPS), antivirus products, authentication and authorization controls, vulnerability and patch management, penetration testing, data loss prevention (DLP), and awareness training.

Note that leadership support is often essential to ensure that such investments are made proactively – before an incident occurs. Remember, too, that when investments are appropriately made to implement robust controls, many incidents are prevented unknowingly. Most of the time, it is difficult to directly calculate and identify a quantifiable Return on Investment (ROI) for investments in information security controls.

Conclusion

Three things greatly influence leaders’ decision-making and increase/decrease the likelihood of failures: the way they consider information security, their understanding of the consequences of not implementing robust controls, and their failure to consider information security as a strategic objective. Set your direction, understand current risks and risk appetite, budget constraints, and invest based on strategic goals. Prioritize investment in technologies, processes and talent that address the most pressing security issues, contributing to the establishment (or maintenance) of a solid foundation and information security posture. Essentially: lead.

Kaushal Perera, CISSP, has over a decade of experience in information security, including hands-on technical expertise in implementing and maintaining information security controls, and specialization in ISO 27001, ISO 20000, and PCI DSS compliance.
