If you are a member of your organization’s executive team, then you are likely well-versed with various information security responsibilities, either by choice or by regulation. If your organization is in the private sector, then within this suite of responsibility likely falls choosing a framework with which you seek to align your information security program. One such framework may be the National Institute of Standards and Technology’s (NIST) Special Publication 800-53. NIST 800-53 is just one of many standards and guidelines published by NIST to assist federal agencies in implementing the Federal Information Security Act of 2002 (FISMA). As a private sector organization, you have the freedom of choice.
There is plenty of evidence throughout the private sector indicating that organizations prefer to align their information security programs with the controls in NIST 800-53. While this increases the likelihood that businesses operate in a controlled manner with a focus on the confidentiality, integrity, and availability of data, it also presents challenges to the executive team. Will your organization have a structure that allows for efficient and effective implementation of controls? Will your organization be configured in such a way to support desired risk management and security efforts?
Management Information Security Reporting Structure
How your Information Security team’s reporting path is configured can have an effect on your information security efforts. In many organizations, there is a Chief Information Security Officer (CISO) who may be responsible for establishing and maintaining the organization’s vision, strategy, and protecting the organization’s assets (including data) and technology. The CISO often reports to the Chief Information Officer (CIO) who may have as a primary responsibility the development of the information security program as a whole. This structure is often not recommended as it can complicate separation of duties.
In addition, not every organization is the same and structure can vary widely from industry to industry and from company to company within any one industry. For instance, in small, entrepreneurial organizations executive personnel are often fewer in number and may wear many hats. As a result, some organizations operate without a CIO and have the CISO report directly to the Chief Financial Officer (CFO). There can be significant risk in doing this. The CFO’s typical focus is on maintaining a “reasonable” budget rather than meeting the needs of the Information Security program. Both goals are important, but if the CFO does not communicate regularly with the CISO and is not sufficiently made aware of the needs of the security function, funding will unquestionably be inadequate, making alignment with frameworks such as 800-53 extremely difficult.
General Organizational Culture
How your organization as a whole is configured, and the resulting culture, can also have a significant effect on your efforts to align with 800-53 (and any framework for that matter). Culture also plays an important role in the identity of your organization. It may be very important to you that you provide and promote a particular culture for your staff to help maintain overall job satisfaction for a large percentage of your employees. I have seen many of my clients structure their organizations with what they define as a “culture of openness.” This takes many forms and can span a variety of industries. For example, colleges and universities and other entities involved with research and development are often targets for social engineering, spoofing, phishing, and other email-based malware campaigns.
While I appreciate the effort to have an environment that exudes openness and positivity, there can be risks associated with this culture that must be treated appropriately to avoid some common pitfalls with respect to information security. Adversaries often prey upon organizations that are known to have a culture of openness. I am not advocating that you should squelch an open culture. Rather, you should ensure you understand the associated risks and act accordingly to ensure you can simultaneously support both the desired culture and your information security and risk management programs. Actions that can instigate positive change may include phishing and other planned social engineering exercises.
Building and maintaining a robust information security program is not a small task. If you are a private sector company that has chosen to align with NIST 800-53, for example, your efforts may include ensuring the operating effectiveness of anywhere from 100+ to 300+ controls. Implementing any one control may not tax your organization’s resources. Addressing a large number of controls will.
As I have hopefully shown to you, how you structure your culture, and how you allow it to flourish, will have a significant effect on your overall information security effort. But you should not fret if your program is not at your target maturity level. It takes time, effort, dedication, and a positive tone that is allowed to permeate throughout the entire organization. As playwright John Heywood was attributed with saying:
“Rome wasn’t built in a day, but they were laying bricks every hour.”
Senior Information Assurance Analyst
Interested in a security program review? Check out our services page here for more information: https://www.nuharborsecurity.com/security-program-reviews/
Interested in an 800-53 security assessment? Check out our services page here for more information: https://www.nuharborsecurity.com/fisma-compliance