Many of the talks at the FIRST conference consider activities within and between incident response teams, but two talks today considered how CSIRTs and boards can work better together. Pete O’Dell suggested that many company boards either delegate or ignore information security, perhaps considering that it is “just another risk”. He suggested that information security isn’t a normal risk but requires boards’ special attention because, unlike weather or lawsuits, it is almost impossible to quantify or predict (there are few actuarial tables), is not limited to any geographic neighbourhood and can put the survival of the entire organisation at risk.
Malcolm Harkins suggested that security teams need to understand the risks to their business and ensure that their activities are focussed on addressing them. Security must contribute to the business achieving its goals, not obstruct them. As organisations become ever more dependent on accurate and reliable information, the commercial and ethical imperative to operate securely grows. If security is perceived as getting in the way, users will work around it and leave the organisation blind to the risks that they are incurring. Malcolm’s Intel security team has made this business focus explicit by changing its mission from a general “protecting the organisation’s information assets” to the specific “protect to enable”. Finally, security teams must explain risks and benefits using terms and analogies that board members can understand, not a stream of acronyms.
Board members and executives must, in turn, take a lead in setting the priorities and tone for security in the organisation. So long as a CEO has ‘123456’ as a password, it’s unlikely that the organisation’s information and operations will be secure. Few organisations will have the same security requirements throughout – senior managers must be involved in identifying the crown jewels where the greatest security spend and effort are required, and the internal perimeters (technical, organisational and human) that separate these from less sensitive areas. IT professionals need to learn to express issues in terms of organisational risk: communicating clearly and concisely, and probably in writing; they should suggest proactive measures especially those, such as identifying appropriate replacements for legacy systems, that can significantly reduce risk at low cost.
And since all security measures will sometimes fail, both boards and security teams need to ensure that cross-organisational incident response plans exist and are tested, and that everyone with access to the organisation’s information and systems is trained and prepared to defend them.