Corporate Governance Task Force Pushes Security Best Practices

Security becomes a boardroom issue

What’s the best way to protect the nation’s critical infrastructure?

According to a report issued by the National Cyber Security Partnership (NCSP) Corporate Governance task force, the answer is to get executives involved in security. The NCSP's report, “Information Security Governance: A Call to Action,” recommends several steps for both organizations and governments. It argues for a management framework for proper information security governance, greater executive- and boardroom-level attention to security, and more federal funding for tools that find software defects during the software-development stage.

To discuss the report, Security Strategies spoke with John Summers, global director for managed security services at Unisys. Among its customers is the Transportation Security Administration (TSA); Unisys is implementing TSA’s network, including IT security, across 429 airports.

What was the motivation for producing the NCSP report?

One of the challenges that all organizations are trying to address—the government in particular—is what is the right way to implement [and] secure an electronic infrastructure. That’s true whether it’s a private company’s infrastructure or the government’s infrastructure. When you look at the current raft of regulations that are emerging around the globe, both in the U.S. and in state legislatures, and in Europe—and less so in Asia—those regulations are really concerned with … you watching for when bad things happen in your infrastructure. You have to tell somebody when you see those … and you have to implement best practices in securing your infrastructure.

Was Unisys involved with the report?

We were involved, but not directly. We’re involved with the ITAA [Information Technology Association of America], and they were involved directly in the committee.

Where are critical infrastructure industries when it comes to information security?

The industry itself is evolving from what I call an imperative phase—security as an imperative, you have to put it in place—to a normative phase. So what are the standards I use to measure myself against? What are the norms, so I know when I am secure enough … and what are the responsibilities?

Do companies want outsiders to tell them?

“Oh, let’s have someone define those for us,” is a standard response. So one of the questions that comes out of the report is, should there be regulations? It’s a natural enough instinct—someone tell us what to do please. Well, … there’s a standard we can use to measure ourselves, one organization [against many]—a capability and maturities model. It’s a way of assessing, in the universe of maturity, around a particular domain of expertise, how capable and mature are you?

Isn’t the scale here, though—common security norms for critical infrastructure—enormous?

It is. It’s daunting, and the way the potential vulnerabilities of an infrastructure can be mitigated—that technology—… [is] evolving as well. So how do you put in place regulations that talk about specific best practices when the capabilities of the toolsets you want to deploy are still developing?

Would more regulations, perhaps by industry, be useful?

My conclusion is that while I understand the desire for having regulations that are fairly specific and that tell you what to do, I don’t think it’s possible to do that today … [because such regulations wouldn’t] have great relevance for any length of time, just because the threats and the ways of dealing with those threats keep changing.

Yet doesn’t the subject of regulating critical industries keep coming up, at least from outside the affected industries?

It comes up from people that are seeking an easy answer to a very complicated problem. If there was a clear set of regulations around it, then that sort of clarifies things. But one of the issues with security in particular is, it’s really more about risk management than about security as an absolutely black-and-white thing.

So, given the objectives of your organization, or your government agency, or profit maximization—if you’re an enterprise—you have a particular course of action you want to do. And what you want to do is put in the appropriate measures … to keep yourself secure. But you don’t spend so much on them that you’re over-secured, if you will. It’s very similar to an insurance model … you’ll put in measures that are designed to keep burglars out of your house, but you’ll buy insurance to make your house hurricane proof, for example, rather than building your house to withstand them.

What’s the noise level companies face, from reports, agencies, and groups, all trying to propose best-security practices?

In my dealings with clients, they’re sophisticated in their approach, and the way they listen to recommendations from vendors. They understand that there’s a lot of fear, uncertainty, and doubt around … addressing their approach to security, but in general I think clients are pretty savvy about that and do take it with a grain of salt from hardware and software vendors.

Similarly, in the consulting space, they’re also wary of consultants with the latest and greatest methodology. [That resistance has] begun to change over the last two years [however]. [At the same time,] the market offering to do that is rather saturated, and while I think companies have seen benefits from a lot of the security analysis [work] they’ve done, I think they’ve seen less than what they wanted to see.

Why have existing security investments not paid off the way organizations hoped?

That’s due, I think, to [the security assessment approach]. It can’t just be an assessment of the security measures in place; it needs to be tied to the needs of the overall business. Security isn’t just a silo; it’s an enabler for the whole business. So from doing a security analysis of one’s processes, as well as one’s business processes, you can [ultimately] … help improve availability of infrastructure, to help improve productivity of employees. If security is viewed that way, I think the payoff is much greater. I think organizations are much more aware of that today than they were.

Does the report help fill gaps in a cohesive response to critical infrastructure security?

There are still gaps, but the report is still a step in the right direction. Assessing risk is something that’s generally done by an audit function, so … what are the standards you use to audit yourself? There are varying standards, and this report is a standard in trying to consolidate, and point everyone in a common direction. We still have a ways to go before we’re there.

Should security managers read this report?

Yes, and in addition to reading this, the federal government, with its NIST standards, has got a whole suite of papers around best practices for implementing security infrastructure relative to the federal government, and whole [guidelines] federal agencies have to follow. There’s a great baseline [available]. It’s not specifically what you have to do, but [how you go about doing it].

What are some key takeaways from the report?

At the end of the day, the goal line is defined by the auditors, and the audit function in an organization typically reports up to the board level … [who are] typically very concerned with reporting on the business level, but going all the way down to the security level.

What’s great is the task force is really saying, "This needs to be a CEO-level issue. It will only be good if CEOs drive it. … It’s not just an IT problem."

Aren’t current regulations reinforcing that?

They’re basically saying, "Executives, you need to be paying attention to [security]." Sarbanes-Oxley says you need to sign on the dotted line, Mr. CEO. And [executives’] perspective is, how do I know [what’s what]? … And that goes back to the standards issue. As head of [for example] a financial organization, what are the norms I use to measure myself and know my organization is doing better than my competitors?

In closing, what’s the most important mechanism for CEOs and boards to assess their organization’s security?

Go back to the audit point. If you’re not watching it on a regular basis, how do you know what’s working? What sorts of controls do you have in place? It’s at that control layer that you need executives’ attention to be driven forward.
