NuHarbor Security Blog
June 14, 2018

Organizational structure's impact on information security

Jeffrey Bamberger

If you’re a member of your organization’s executive team, then you’re likely well-versed in various information security responsibilities, either by choice or by regulation. If you work for a private sector organization, those responsibilities likely include choosing a framework with which to align your information security program. One such framework is the National Institute of Standards and Technology’s (NIST) Special Publication 800-53. NIST 800-53 is just one of many standards and guidelines published by NIST to assist federal agencies in implementing the Federal Information Security Act of 2002 (FISMA). As a private sector organization, you have the freedom of choice.

There’s plenty of evidence throughout the private sector that organizations prefer to align their information security programs with NIST 800-53 controls. While this increases the likelihood that a business operates in a controlled manner with a focus on the confidentiality, integrity, and availability of its data, it also presents challenges to the executive team. Will your organization have a structure that allows for efficient and effective implementation of the controls? Will your organization be configured in a way that supports the desired risk management and security efforts?

Management Information Security Reporting Structure

How your information security team’s reporting chain is configured can influence your information security efforts. In many organizations, there’s a Chief Information Security Officer (CISO) who is responsible for establishing and maintaining the organization’s security vision and strategy and for protecting the organization’s assets, including data and technology. The CISO often reports to the Chief Information Officer (CIO), who may also be primarily responsible for developing the information security program. This structure is often not recommended because it can complicate separation of duties: the executive who builds and operates the technology is also the one who assesses its security.

In addition, not every organization is the same, and structure can vary widely from industry to industry and from company to company. For instance, in small entrepreneurial organizations, executive personnel are often fewer in number and may wear many hats. As a result, some organizations operate without a CIO and have the CISO report directly to the Chief Financial Officer (CFO). There can be significant risk in doing this. The CFO’s typical focus is on maintaining a “reasonable” budget rather than on meeting the needs of the information security program. Both goals are important, but if the CFO doesn’t communicate regularly with the CISO and isn’t made sufficiently aware of the needs of the security function, funding will unquestionably be inadequate, making alignment with frameworks such as 800-53 extremely difficult.

Organizational Culture

How your organization is configured, and the culture that results, can also have a significant effect on your efforts to align with 800-53 and other information security frameworks. Culture also plays an important role in the identity of your organization. It may be very important to you to provide and promote a positive culture for your staff in order to maintain overall employee satisfaction. It’s increasingly popular to structure an organization around a “culture of openness.” However, adversaries often prey upon organizations that are known to have such a culture.

Colleges, universities, and other entities involved in research and development are frequent targets for social engineering, spoofing, phishing, and other email-based malware campaigns. Squelching an organization’s open culture for the sake of security would hinder the organization. Rather, you should make sure you understand the associated risks and act accordingly, so that you can simultaneously support both the desired culture and your information security and risk management programs.

Final Thoughts

Building and maintaining a robust information security program is no small task. If you’re a private sector company that has chosen to align with NIST 800-53, for example, your efforts may include ensuring the operating effectiveness of anywhere from 100+ to 300+ controls. Implementing any one control may not tax your organization’s resources, whereas addressing a large number of controls will.

Structuring your organization so that its culture can flourish will have a significant positive effect on your overall information security effort. But you shouldn’t fret if your program isn’t yet at your target maturity level. It takes time, effort, dedication, and a positive tone that is allowed to permeate the entire organization. As the saying attributed to playwright John Heywood goes, “Rome wasn’t built in a day, but they were laying bricks every hour.”

Interested in a security program review? Check out our services page for more information: https://nuharborsecurity.com/security-program-reviews/.

Interested in an 800-53 security assessment? Check out our services page for more information: https://nuharborsecurity.com/fisma-compliance.

Included Topics

  • Compliance
  • Industry Insights

Jeffrey Bamberger

Jeffrey Bamberger is the Principal Advisor for Information Assurance at NuHarbor Security. Jeff brings over 30 years in cybersecurity and information technology experience, focusing on consulting, risk management, compliance, and audit. Jeff's broad consulting experiences include cyber risk/threat management and assessment, information security control assessments, payment card industry (PCI) compliance, social engineering and physical security, privacy, vendor management, and Sarbanes-Oxley compliance. A graduate of the F.W. Olin Graduate School of Business at Babson College, he holds a Master of Business Administration degree. Jeff also has a Bachelor of Arts in Computer Science and Religion from Colgate University. He is a current member of the New England Chapter of the Information Systems Audit and Control Association and holds both a CISA and CISM certification.
