The management of an information security programme is a significant project for a business owner or manager, and will not happen of its own accord. When you plan your project, it is important to be clear about both where you are at the moment and also what you wish to achieve. The best results by far are gained by implementing and managing security as an overall programme, rather than adding occasional unrelated security countermeasures (such as a firewall) on an ad hoc basis.
Information security programme management is often viewed by managers as something that “just happens” of its own accord. Nothing could be further from the truth. In fact, it reaches into so many disparate business functions, and involves so many people, that it is arguably one of the most complex areas to manage successfully. Ideally, the Chief Information Security Officer (CISO) needs all of the following attributes:
• In-depth knowledge of specialised technology, such as firewall types, computer network configurations, and cryptographic algorithms, for the purposes of computer security.
• In-depth knowledge of recognised standards (such as ISO 27001) to a level which enables the CISO to implement the standards in full for a given organisation.
• Experience of writing customised policies and procedures for a given organisation, based on the CISO’s experience of industry best practice.
• Knowledge of relevant legislation and industry regulations, and how to comply with them, together with experience of liaising with the company’s legal department.
• Familiarity with methods of workplace training and awareness-raising, plus experience of liaison with the HR department concerning contractual clauses.
• A working knowledge of human psychology as applied to workplace behaviour and computer security.
• Experience of conducting IT audits and liaising with external auditors and consultants.
• Experience of managing an information security team (for larger organisations).
• Experience of managing a significant budget and liaising with vendors.
This is a demanding set of requirements, and few people perform equally well on all points. Just as obviously, the tentacles of information security reach into every part of even a large organisation, making the job of the information security manager even more challenging than other managerial jobs.
However, help is available from several sources. Chief among them is the ISO 27001 standard, which specifies the design, implementation, monitoring and improvement of an information security management system. This standard and its sister standard ISO 27002 together represent the distillation of best practice in this area.