For the CIOs reading this: Who is responsible for information security in your organization? Hopefully you can respond with a name — there is plenty of evidence that hiring a chief information security officer (CISO) reduces the risk and the severity of a data breach. That's a good thing, and if you can answer that question in a crisp fashion, kudos to you. Unfortunately, it's the wrong answer.
Most IT organizations are structured around function: the coders in one little silo, the enterprise systems in another, your networking staff in yet another. Sure, there's some collaboration and areas of overlap, but Security (note the capital "S") isn't a functional silo. While it's a truism that "nothing gets done unless it's someone's job to do it," operationally it's too easy to treat security like a stand-alone function. Despite the increasing investments many of us are making in security technologies, Security is fundamentally about process, not technology.
What does it mean to say that "security is about process"? Obviously, there are security-specific processes — incident detection and response, for example. However, the kinds of processes I'm talking about here are more what I would label operations architecture: How do we design and maintain our IT ecosystem? How do we select products (hardware or software)? How do we deploy systems? And critically, how do we manage change to that ecosystem?
It's tempting to see Security as having a broad scope because each of these silos has unique security challenges. (Actually, one of the great things about working in security is that you get to stick your nose into almost everything.) Your security office focuses on these sorts of pan-organizational processes because Security requires a holistic view of the institution to succeed. Each layer of your architecture presents a different risk profile, and each layer potentially exposes the others to abuse or compromise. A compromised workstation sitting on a hardened network can turn that network into a malware canon. A secure application could still expose data through a successful Border Gateway Protocol (BGP) hack. And of course, the most secure environment is trivially defeated by the naive or malicious insider. It is precisely this coupling of risks that makes it so challenging (if not impossible) to completely address Security.
So what is the right answer to "Who is responsible for information security in your organization?" "Everyone," of course. Is your security office a partner in your network redesigns? How does your data center architecture reflect the varying degrees of risk brought by differing systems? How do your coding methodology and toolkits address secure coding requirements? Have your network, systems, and development staff been provided with security-related training? And the most fundamental question: Have you written formal requirements for security expertise and performance into job descriptions outside of the security staff?
The breadth of this challenge should be treated as an opportunity — an opportunity to create or enhance organizational cohesion through process maturity. Cohesive, organization-wide process will not only enhance security but also breed a healthier, more collaborative workforce.
Those of us working in Security will be happy to wax poetic about the importance of cross-institutional partnerships and information sharing. But the most fruitful partnerships for any security office are those formed within its home institution. CIOs and IT leaders of all stripes should recognize that information security is a shared responsibility and a wonderfully effective means to achieve an organization ripe with vitality.
Michael Corn is deputy CIO and CISO for Brandeis University. His areas of interest include privacy, identity management, and cloud services. A speaker and author on security and privacy, he has participated in many EDUCAUSE and Internet2 initiatives. He is also a member of the Internet2 Net+ Product Advisory Board. Prior to joining Brandeis, he was the CISO and chief privacy and security officer of the University of Illinois at Urbana-Champaign. Corn is a graduate of the University of Colorado at Boulder and the University of Illinois at Urbana-Champaign.
© 2015 Michael Corn. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.