Journal Online

Information Security Program: Establishing It the Right Way for Continued Success

Sekar Sethuraman, CISA, CISM, CGEIT, CIA, CISSP, PMP, CSQA, CVA, is the head of IT security (Greater Asia) at LexisNexis. He is also the director of research of the ISACA Chennai Chapter. He has more than 25 years of experience and has helped a number of organizations with their information technology and information security. His areas of expertise include measuring and managing the performance of information security, managing security in outsourcing, incident response, ISMS, ISO 27001, and CobiT. He can be reached at sekar.sethuraman@lexisnexis.com.au.

Alagammai Adaikkappan, CISA, CISM, ACA, LCS, is the principal (technology audit) at the National Australia Bank, Melbourne, Australia. She specializes in IT risk management, security management and IT governance. In her current role, she specializes in IT audits in corporate and institutional banking. Her other areas of expertise include data management, business continuity planning/disaster recovery, application development and project management. She can be reached at alagu_adaikkappan@national.com.au.

In today's inter-networked environment, organizations depend heavily on information technology. It is imperative to succeed in information security (as part of information technology in many organizations) to achieve the strategic goals of an organization. Even though most organizations pursue information security as a key business initiative, there are not many that achieve great and continuing success. This article looks at the various considerations that can help in achieving continued success in information security. By analyzing the characteristics of a successful information security program, the authors provide an integrated approach toward realizing continued success.

What Is Success in Information Security?

Success is the achievement of something desired, planned, or attempted; attaining the results expected.[1] Continued success has become a business priority. An organization greatly successful in information security (in the context of this article) is, therefore, an organization that has a record of successes in information security and succeeds in information security on a continual basis.

Success Comes From a Compelling Vision and an Outstanding System

A distinct characteristic of successful organizations is that they have a compelling vision and an outstanding system to power their strategy. Through their outstanding systems, they connect their performance with their goals and plans, and thereby with their vision and dreams; they quickly carry out course corrections, continuously realize better results, and perfect these to a level of continuing excellence.[2]

These organizations have information security as part of their business strategic vision. They also use a powerful structure and approach to achieve their goals by linking their performance on information security with their organizational goals and plans.

Principles for Succeeding in Information Security

Research in the information security field has revealed some inherent truths about information security. This article categorizes them as principles of information security, much like the principles required for success as explained in the ThinkTQ approach.[3] They are:

• Security is a process, not a product.[4]
• People, process and technology are the key elements of a complete and holistic security program; however, people are by far the most critical element.[5]
• Information security is not a destination, it is a journey.[6] It is a continuous practice. To achieve continued success in information security, an organization needs to focus continuously on improving its information security practices as the technology environment keeps changing and new threats arise.
• It is infeasible to provide 100 percent information protection to 100 percent of information assets at all times. The right approach is to identify the key information assets that need to be protected (including data) and the extent of protection required, in line with the risk appetite of the organization.
• Security is an ecosystem, not a product.[7]

These principles have been proven time and again; it is therefore prudent to develop the information security program in line with them, for maximum success.

A Sound Information Security Program Is the Foundation

An information security program can be defined as:

The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis.[8]

ISACA JOURNAL VOLUME 5, 2009

Essential to succeeding in information security is a sound information security program that will drive an organization to realize its vision.

Characteristics of a Successful Information Security Program

A successful information security program exhibits the following qualitative characteristics in an increasingly balanced and intense manner:

• Energy: The information security program should be energized thoroughly by appropriate funding, key stakeholder involvement and top management support, and should be well coordinated.
• Mission: The mission of an information security program should be to provide appropriate confidentiality, integrity and availability of information under all circumstances. This mission should be integrated into the overall IT strategy and should be directed toward achieving the organization's mission.
• Attitude: A positive attitude is the key to the execution of an information security program. Implementation of the program should not result in penalizing information security failures as a regular practice. Instead, the program should, in general, create a positive attitude in the organization toward security and create the necessity for being secure.
• Set goals: The information security program should be directed toward achieving clearly stated organizational goals derived from the mission statement. These goals should be specific, measurable, achievable, realistic and timely (SMART).
• Plan: Planning for achieving the information security goals is one of the key characteristics of a successful information security program. The security program should demonstrate the ability of the organization to plan (annually, quarterly, monthly, weekly and daily, as appropriate) and to update the program on a regular basis.
• Prioritize: Implementation of the information security program should result in the identification of a number of actions to be performed to comply with the program. As stated earlier, it is infeasible to provide 100 percent protection to 100 percent of assets at all times. Therefore, prioritization of action items becomes important. The program should integrate well with the technology risk function, which should assist in prioritizing action items to secure key information assets in an appropriate manner.
• Synergize: The organization actively synergizes the involvement of internal and external stakeholders and enables them to commit to achieving the organization's information security goals.
• Organize: Actions are performed in an organized manner. Actions are generally prioritized, scheduled, implemented and reexamined for appropriate completion. Lack of appropriate organizational skills results in suboptimal achievement of information security goals.
• Optimize: Mature information security programs exhibit optimization, where actions are leveraged, cost and performance efficiencies are achieved, and results are delivered in a predictable and acceptable manner. It should be noted that optimization generally occurs only in a very mature environment.
• Act now: This is one of the important characteristics of a successful information security program. If challenges, risks or threats are not acted upon, the information security program may not deliver its objectives. An "act now" philosophy guides the actions and enables the organization to plan and act instantly.

These 10 characteristics are described as the 10 colors of a winner, and they need to be in proper balance and bright enough for one to continue to succeed (as elaborated by the ThinkTQ approach).[9] This applies to the successful information security program as well. Figure 1 shows the characteristics and the results when they are intense and when they are weak.

To be successful, it is essential to have all of these characteristics in place and balanced. It is also necessary to continue to improve, thereby resulting in improved performance and continued success. All of this happens through a sound information security program. Also, if any of these characteristics are weak, the information security program should give rise to actions that rectify the deficiencies.

Successful Organizations Follow a Powerful Methodology

The principles provide the truths that need to be followed by organizations. The vision and dreams power the actions. The information security program helps the organization realize the goals and enhance the 10 characteristics to succeed. A powerful methodology enables the setting up of an effective program.

Figure 1: Characteristics of an Information Security Program (reflection on the information security program when each characteristic is intense and when it is weak)

Energy
  When intense: Energized (fully funded, supported by stakeholders, top management commitment, awareness created)
  When weak: Drained, weary

Mission
  When intense: Purposeful, rewarding, strategic-goal-focused, balanced, creative, maturing, in line with the organization's objectives
  When weak: Uninspiring, not aligned to strategic goals and objectives

Attitude
  When intense: Positive, powerful, accountable, progressive, sense of security
  When weak: Uninspiring, seen as a penalty, disrespectful

Set goals
  When intense: Focused, proactive, collaborative, specific, measurable, achievable, realistic and timely
  When weak: Lack of focus, motivation and clarity

Plan
  When intense: Thorough, efficient, proactive, systematic, effective, optimized, productive, duty-segregated
  When weak: Haphazard actions

Prioritize
  When intense: Balanced, focused, effective, risk-considered
  When weak: Ad hoc actions, lack of risk focus

Synergize
  When intense: Empowering, cooperative, inspiring, motivational, innovative, flexible involvement, commitment, enhancing accountability and compliance
  When weak: Misunderstood, imprecise, clueless, stakeholders not committed, not appreciative of external requirements, unable to get outside parties compliant

Organize
  When intense: Efficient, innovative, organized, growing
  When weak: Impractical, chaotic, inefficient, overwhelmed

Optimize
  When intense: Innovative, progressive, focused, informed, cost- and performance-efficient
  When weak: Ineffective, inefficient and immature processes

Act now
  When intense: Action-oriented, dynamic, timely
  When weak: Unfocused and overanalytic

One such methodology follows:[10]

• Base the information security program on an appropriate framework. A framework provides a number of advantages. Some of them are:
  - A structured approach to the program
  - Help in identifying commonalities and picking controls that are in line with best practices, which can guide a balanced approach and comprehensive protection
  Some of the most popular frameworks are:
  - CobiT
  - ISO 27002
  - IT Infrastructure Library (ITIL)
  The selection of the methodology is to be done based on the organization's business priorities. It is also possible to set up a custom framework for an organization, deriving controls from the various frameworks.
• Use a sound risk management methodology. A key objective of an information security program is to provide effective controls to bring the risks within acceptable levels. It is, therefore, essential that the organization adopt a sound risk management methodology that enables this process.

• Make information security strategy an integral part of the regular business strategy and annual plans. The information security strategy needs to be integrated as part of the regular business strategy. Information security plans are to be part of the routine planning of the organization, with suitable changes made depending on the organizational changes.
• Integrate the information security program with the organization's governance framework. Information security governance is essentially the responsibility of top management. Ensuring that the information security program has evolved out of the overall governance framework of the organization enables the development of the right management structure and organization and the appropriate reporting processes, which are necessary for the success of information security.
• Establish an appropriate metrics program to support the initiative. "What gets measured gets done" is true of information security as well. Organizations would, therefore, do well to establish measurements and derive actionable metrics at the various levels in the organization. A select set of metrics can be identified, tracked and reported on consistently to help determine answers for the following questions:[11]
  - Are we doing what we should be doing?
  - Are we doing what we say we should be doing?
• Engage the process owners and make the program as self-governing as possible. Establishing processes in which the process owners are engaged in the overall process makes it more successful. A self-assessment process is one effort that can help in this. It should be a systematic and ongoing process that will enable the program to be self-governing.
• People make the difference. While people, process and technology all make up the information security management process, the people component is the most crucial among these. Engaging the people with appropriate awareness and training programs right from the beginning is among the crucial steps to success. This results in an appropriate culture of accountability and responsibility throughout the organization.
• Ensure effective continuous improvement. Continuous improvement is the hallmark of a successful information security program. Information security is a journey, and the information security program needs to be constantly improving and in line with the business priorities. These improvements have to be in all areas.
Assessing the Overall Success and Value-add From the Program

While the metrics program gives a comprehensive method of tracking the performance at various levels, a balanced scorecard (which can be set up in line with the metrics program) can provide an excellent method of assessing the overall success of an information security program and the value from the program.

According to the Balanced Scorecard Institute:[12]

The balanced scorecard is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy, and translate them into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the balanced scorecard transforms strategic planning from an academic exercise into the nerve center of an enterprise.[13]

Figure 2 elaborates on the application of the balanced scorecard for information security.[14]

A typical balanced scorecard report for an organization is shown in figure 3. The organization can have a target overall score for a year, work to realize that and use it as the basis for rating success.

Figure 2: The Four Perspectives of a Balanced Scorecard

Financial Perspective
  How should senior management perceive security as a contributor to business unit success?
  Mission: To enable business strategies through the effective application of security
  Objectives: Business value of security initiatives; Stewardship of security investments; Strategic contribution

Customer Perspective
  How should employees, business unit managers and external users perceive security?
  Mission: To be the supplier who fulfills security requirements well
  Objectives: User satisfaction; Alignment with the business; Service level performance

Internal Process Perspective
  In which services and processes should security excel?
  Mission: To deliver effective services at or improve service level objectives
  Objectives: Optimization of efficiency and effectiveness; Enterprise architecture evolution; Promotion of partnerships throughout business units; Responsiveness

Innovation and Learning Perspective
  How will security promote growth and learning to better meet corporate goals?
  Mission: To facilitate awareness of secure behaviors, and promote grass-roots partnerships with security
  Objectives: Employee knowledge and effectiveness; Security staff professional growth; Emerging technology research

The center of the diagram, labeled Performance, links the four perspectives through: cost reduction, value for money, continuity of funding, process optimization, continuity of revenue, continuous improvement, process improvement and customer needs.
Tracking the Progress of the Program

While the balanced scorecard provides a measure of the overall success of the organization's information security at a point in time, the performance and the related factors are to be tracked on a regular basis and suitable actions taken. A scorecard summarizes all the aspects and is a means to track the program. This includes the results from the balanced scorecard as well as an assessment of the 10 characteristics of the program. Figure 4 is an example of such a scorecard.

This scorecard can be used to integrate all the perspectives, to track the progress and for corrective actions. It can be quite useful to drive the timeliness of actions and as a top-level report.

In summary, to succeed in information security, organizations need to ensure a holistic perspective consisting of:

• A compelling business vision and an integrated information security vision
• A powerful information security program to enable realization of the strategy
• Assessment of the 10 characteristics of the program, resolving to eliminate the weaknesses and to enhance the strengths on a continual basis
• The right implementation approach, along with measurement such as that shown in figures 3 and 4
• Use of the measurement and taking actions that reflect positively on the characteristics
• Reporting the performance of the balanced scorecard to top management and engaging the organization in the value added to the organization

Figure 3: Quarterly Balanced Scorecard Report

Performance Indicator | Target | Actual | Status | Score
Average cost of a security incident | $800 | $750 | Green | 40
Cost incurred to deal with known threats | $10,000 | $15,000 | Yellow | 20
Downtime of critical operations due to security incidents | 15 minutes | 20 minutes | Yellow | 20
Number of projects stopped or delayed due to security incidents/issues | | | Red |
Time taken to enroll a new agent/employee | 4 hrs | 4.5 hrs | Yellow | 20
Number of reported security incidents | 12 | 18 | Yellow | 20
Percentage of security incidents handled without resulting in a crisis | 100% | 80% | Yellow | 30
Security systems meeting the requirements of client and suitably certified/accredited where required | Yes | External audit in progress | Yellow | 30
Time to implement a regulatory requirement | 1 month | 2 months | Yellow | 30
Speed of dealing with a new threat (measured by the number of security incidents due to the threat) | | | Yellow | 20
Overall Score | | | | 58.75%

The indicators in the report are grouped under the financial, customer, internal process, and learning and growth perspectives.

Note: Targets and actuals are hypothetical figures for the purpose of this example. Categorization into Green, Yellow and Red is done on a predefined basis. The scores are arrived at based on an assessment by a team; the maximum score for each indicator is 40 and the overall score is calculated by giving equal weight to the 10 indicators.


Figure 4: Overall Scorecard for the Implementation of Information Security Program

Description | 2007 Q1 | 2007 Q2 | 2007 Q3 | 2007 Q4 | 2008 Q1 | 2008 Q2 | 2008 Q3 | 2008 Q4 | Remarks

Overall Score on Balanced Scorecard
Target | 80 | 80 | 80 | 80 | 80 | 80 | | |
Actual | 58.75 | 67.5 | 75 | 80 | 82.5 | 82.5 | | |
Shortfall from target (%) | 26.56 | 15.63 | 6.25 | | -3.13 | -3.13 | | |
Overall status indicator | Red | Red | Yellow | Green | Green | Green | | | Green if actual equals target or better; Yellow if shortfall is less than 10 percent; Red for all other cases

Characteristics of Information Security Program (rated on a 1 to 10 scale; 1 equals worst case and 10 equals best case)
Remarks: steps taken in early Q1 2007 (and which become more effective every quarter):
  Energy: IS organization strengthened; CISO and information security council (ISC) put in place, senior management involvement enhanced
  Mission: IS strategy in place
  Attitude: Effective awareness program installed
  Set goals: Framework selected (ISO 27002/27001)
  Plan: ISC regularly meets and finalizes the plans
  Prioritize: ISC regularly meets and acts on points; effective internal audit program in place
  Synergize: Cross-functional teams act
  Organize: ISO 27001 implementation team in place to manage the implementation
  Optimize: Regular planning and reviews
  Act now: Daily meetings held and immediate actions taken

Implementation approach
Remarks: approach adopted from Q1 2007 (and which becomes more effective every quarter):
  Appropriate use of a relevant framework: ISO 27002/27001
  Use of a sound risk management methodology: Risk management methodology in place
  Integration of security strategy with business strategy: Evolved out of business strategy and increasingly integrated in execution
  Integration of security program with governance framework: Senior management participation and efforts to cover IS program in line with governance framework
  Appropriate metrics program: Metrics program installed
  Self-governing nature of the program: Visual display on intranet and other efforts to engage process owners
  Culture of accountability and responsibility: Awareness program in place
  Establishment of a continuous improvement process: Internal audit and continuous improvement program installed
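The scoring rules stated in the Figure 3 note (10 equally weighted indicators, each scored out of 40) and in the Figure 4 remark (Green if actual equals target or better, Yellow if the shortfall is under 10 percent, Red otherwise) can be checked against the figures' own numbers. The following Python is an added example, not code from the article; Figure 3 does not print the score of the Red indicator, so the example assumes 5, the value that reproduces the 58.75 percent overall score.

```python
"""Balanced scorecard arithmetic from Figures 3 and 4 (added example)."""
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Sequence, Tuple

MAX_INDICATOR_SCORE = 40      # Figure 3 note: maximum score for each indicator
INDICATOR_COUNT = 10          # Figure 3 note: 10 equally weighted indicators
YELLOW_SHORTFALL_LIMIT = 10   # Figure 4 remark: Yellow if shortfall < 10 percent


def _pct(value) -> Decimal:
    """Round half-up to two decimals, as the figures do (15.625 -> 15.63,
    -3.125 -> -3.13); Python's round() on binary floats would give 15.62."""
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def overall_score(scores: Sequence[int]) -> Decimal:
    """Overall score in percent: sum of the 10 indicator scores over the
    maximum attainable (10 * 40 = 400). Rejects a wrong indicator count or
    an out-of-range score, the two ways a hand-filled sheet usually goes wrong."""
    if len(scores) != INDICATOR_COUNT:
        raise ValueError(f"expected {INDICATOR_COUNT} indicator scores, got {len(scores)}")
    for s in scores:
        if not 0 <= s <= MAX_INDICATOR_SCORE:
            raise ValueError(f"indicator score {s} outside 0..{MAX_INDICATOR_SCORE}")
    maximum = MAX_INDICATOR_SCORE * INDICATOR_COUNT
    return _pct(Decimal(sum(scores)) / Decimal(maximum) * 100)


def shortfall_percent(target, actual) -> Decimal:
    """Shortfall from target as a percentage of the target (negative when
    the target is exceeded), matching the 'Shortfall from target (%)' row."""
    t, a = Decimal(str(target)), Decimal(str(actual))
    return _pct((t - a) / t * 100)


def status(target, actual) -> str:
    """Green/Yellow/Red rule quoted in the Figure 4 remarks column."""
    if Decimal(str(actual)) >= Decimal(str(target)):
        return "Green"
    if shortfall_percent(target, actual) < YELLOW_SHORTFALL_LIMIT:
        return "Yellow"
    return "Red"


def quarterly_report(target, actuals: Sequence) -> List[Tuple[Decimal, str]]:
    """(shortfall, status) per quarter for the Figure 4 overall-score rows."""
    return [(shortfall_percent(target, a), status(target, a)) for a in actuals]


# Figure 3 indicator scores in row order; the 4th (Red) score is not printed
# in the figure and is ASSUMED to be 5 here.
FIGURE_3_SCORES = [40, 20, 20, 5, 20, 20, 30, 30, 30, 20]
# Figure 4 overall balanced-scorecard target and actuals, Q1 2007 to Q2 2008.
FIGURE_4_TARGET = 80
FIGURE_4_ACTUALS = [58.75, 67.5, 75, 80, 82.5, 82.5]

if __name__ == "__main__":
    print(f"Figure 3 overall score: {overall_score(FIGURE_3_SCORES)}%")
    for actual, (sf, st) in zip(FIGURE_4_ACTUALS, quarterly_report(FIGURE_4_TARGET, FIGURE_4_ACTUALS)):
        print(f"actual {actual:>6}  shortfall {sf:>6}%  {st}")
```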

Conclusion

Overall, it is the establishment of a sound information security program that is derived from effective information security governance and an appropriate risk management methodology, along with its brilliant execution and ever-improving excellence in operations, that enables an organization to succeed in information security on a continual basis.
Endnotes

1. Dictionary.com, The American Heritage Dictionary of the English Language, 4th Edition, retrieved 14 April 2008, http://dictionary.reference.com/browse/success
2. ThinkTQ.com Inc., The Power of TQ, www.thinktq.com/products/books/tqs_ptq.cfm
3. ThinkTQ.com Inc., Commentary, 15 September 2008, www.thinktq.com/training/commentary/tqs_current_commentary.cfm?id=BDD5C589D9BCC67B7EB9EC449378970E
4. Schneier, Bruce; Crypto-Gram Newsletter, 15 May 2000, www.schneier.com/crypto-gram-0005.html
5. Ransome, Jim; Security and Mobility Best Practices: People, Process and Technology, www.securegovcouncil.org/
6. Schneier, Bruce; Crypto-Gram Newsletter, 15 June 2000, www.schneier.com/crypto-gram-0006.html
7. Parrin, Chad; Security Is An Ecosystem, Not A Product, ZDNet Asia, 11 March 2008, www.zdnetasia.com/techguide/security/0,39044901,62038696,00.htm
8. ISACA, CISM Review Manual 2008, USA, 2007, p. 34
9. Op cit, ThinkTQ.com Inc., The Power of TQ
10. Sethuraman, Sekar; Turning Security Compliance into a Competitive Business Advantage, Information Systems Control Journal, September 2007, www.isaca.org/jonline
11. Opacki, Dennis; Building Business Unit Scorecards, December 2005, www.adotout.com/BU_Scorecards.pdf
12. Balanced Scorecard Institute, www.balancedscorecard.org
13. Op cit, ISACA, 2007, p. 33
14. Sethuraman, Sekar; Use Balanced Scorecard to Enhance Information Security Health, eIssa Times, April 2005, www.eissa.org/april2005.htm#12

© 2009 ISACA. All rights reserved.