The issue around the shortage of skilled professionals within IT security has been well documented, and the work of initiatives such as the Cyber Security Challenge has gone some way to addressing it.
If teams are shrinking or short of staff though, just how involved can people be in certain tasks? For example, in a recent conversation with SC Magazine, former head of enforcement at the Information Commissioner's Office (ICO) and now consultant within the security and information law group at Field Fisher Waterhouse, Mick Gorrill said that with the various stories coming from the ICO, someone should be employed as a full-time data security ‘champion’.
He said: “You should have someone nominated for data security, as if you have accountability you will take notice of what the ICO is saying and put policy and procedure into place.”
Martin Hoskins, head of data protection, legal governance and compliance at Everything Everywhere, said that his team had made employees aware of breaches and their impact. Asked if he was able to employ someone as a ‘champion’ of data security, compliance or outsourced data, he said: “Our company is large enough to employ a team of IT security specialists, so naturally we have a good appreciation of the types of threats that are emerging and have developed countermeasures for them.
“Small-to-medium businesses (SMB) are likely to be at a disadvantage, as individuals are likely to be expected to fulfil much broader roles and consequently there will be less time for them to develop an expertise in any particular area.”
Michael Everall, CISO at Lehman Brothers Holdings, agreed on the challenge that the SMB would face. He said that the IT manager has to have an understanding of what people are doing and that this was a case for investment.
He said: “For the SMB, their staff footprint is going to be smaller, but it does not mean you are not an information security professional. As an SMB you cannot just hope that you're going to be ignored. You have to understand and accept that it will happen in some form that can vary from someone snooping at a colleague's email, through to an external third party wanting to see your bids for a contract.
“The scale of the issues may change, the discrete costs will be different and the complexities will be less, it does not however mean your risk is not equally high to you.”
He said that there is a thread of ownership, as someone somewhere has to own both the operational element of ‘doing’ as well as the management element of governance, oversight and risk ownership and acceptance.
“In a small firm this may well have to be someone in IT having a part time role in the monitoring and ‘doing’ but in that case, the critical part is ‘Quis custodiet ipsos custodes’ (who shall guard the guardians)? Someone in the management structure has to own the output of the function, provide guidance and ensure that security findings tie to operational and business needs in a tangible way. Without that piece in place an unsupervised, unmanaged, ad-hoc security function can become a cure that is worse than the potential disease itself,” he said.
Hoskins said he believed that what Gorrill meant was that, regardless of the size of the operation, a business owner needs to make sure that there is a line of accountability for all elements of the enterprise.
He said: “In some operations, particularly those involving the public sector, I expect that it can be hard to know who the accountable person is. While there is often a person who is accountable for the physical security of particular computer systems and processes, less often is there a person who is accountable for determining what information should be used by that computer system or process, or say, when that information should be deleted or shared with another organisation.”
He said that he did not find that the concept of a team sharing responsibility works particularly well and that he prefers the concept of individual accountability, as you need to know who can make decisions when there is a difference in views.
“When things go wrong, it is helpful to know who has previously had responsibility delegated to them to ensure that whatever went wrong shouldn't have gone wrong,” he said.
“Auditors use the phrase ‘what gets counted gets done’. I think we should start to use the phrase ‘the person accountable for ensuring the good-working of this system is…’. Once individuals take personal responsibility for processes, they tend to look after them.”
Speaking to SC Magazine last year, Francis deSouza, senior vice president of the enterprise security group at Symantec, said he was seeing that the chief information officer does not run the operations; instead, they are tasked with coming up with policies and architectures, and turn them over to the operations team for implementation.
He said: “The person who rolls out anti-virus and manages it is not the CISO, it is the operations team and we believe that will continue to be the case. Who sets the policy on how frequently you roll out patches? Or which patches should be prioritised?
“The CISO is going to have a point of view around policies for most of the IT infrastructure and that is what organisations will rely on them for, but I don't think we will get to the day where the CISO is running operations.”
I asked John Colley, managing director for EMEA of (ISC)², whether he thought this was a practical concept. He said that this is not just something for the individual to be responsible for, as the CISO should be involved as well.
He said: “The CISO has to be on top and think about new technologies and has to have skills to deal with them. We have found some organisations have a network security champion or a database security champion.”
So is the issue here that this is simply not practical? Robert Cockerill, head of IT at Thames River Capital, said that within his small team, he was solely responsible for security, with the service desk outsourced. He said: “I don't do all of the footwork but get things running and hand over to the user. It all needs to be easy and simple as otherwise it ‘does not compute’.”
Likewise, Giles Roberts, IT infrastructure manager at The Share Centre, said that with four people in the team looking after the infrastructure for the Share Centre's 150,000 customers and approximately 150 staff, security is shared ‘as we need to be familiar with all of the tasks so that if one of us goes on holiday we are not left with a problem’.
This issue can only really be addressed when you have the head count to make it happen and staff you can rely on to do it. Until that is the case, it may just be about following others' failures and working to stop the same happening to you.