Security and the Board

Thursday, June 26, 2014 - 23:51

Many of the talks at the FIRST conference consider activities within and between incident response teams, but two talks today considered how CSIRTs and boards can work better together. Pete O’Dell suggested that many company boards either delegate or ignore information security, perhaps considering that it is “just another risk”. He suggested that information security isn’t a normal risk but requires boards’ special attention because, unlike weather or lawsuits, it is almost impossible to quantify or predict (there are few actuarial tables), is not limited to any geographic neighbourhood and can put the survival of the entire organisation at risk.

Malcolm Harkins suggested that security teams need to understand the risks to their business and ensure that their activities are focussed on addressing them. Security must contribute to the business achieving its goals, not obstruct them. As organisations become ever more dependent on accurate and reliable information, the commercial and ethical imperative to operate securely grows. If security is perceived as getting in the way, users will work around it and leave the organisation blind to the risks that they are incurring. Malcolm's Intel security team has made this business focus explicit by changing its mission from a general "protecting the organisation's information assets" to the specific "protect to enable". Finally, security teams must explain risks and benefits using terms and analogies that board members can understand, not a stream of acronyms.

Board members and executives must, in turn, take a lead in setting the priorities and tone for security in the organisation. So long as a CEO has '123456' as a password, it's unlikely that the organisation's information and operations will be secure. Few organisations will have the same security requirements throughout – senior managers must be involved in identifying the crown jewels where the greatest security spend and effort are required, and the internal perimeters (technical, organisational and human) that separate these from less sensitive areas. IT professionals need to learn to express issues in terms of organisational risk: communicating clearly and concisely, and probably in writing; they should suggest proactive measures especially those, such as identifying appropriate replacements for legacy systems, that can significantly reduce risk at low cost.

And since all security measures will sometimes fail, both boards and security teams need to ensure that cross-organisational incident response plans exist and are tested, and that everyone with access to the organisation’s information and systems is trained and prepared to defend them.