If you are a large multi-national corporation, you need an Information Security Manager.
If you are a large bank, you need an Information Security Manager.
If you are a large retailer or medical institution, you definitely need an Information Security Manager.
In fact, if you are any of these, you probably need a team of Information Security Professionals.
But many organizations don’t need an Information Security Manager; they need an Information Security PROGRAM.
Despite the need to focus on information security, a full-time information security professional might not be the best use of your organization’s resources. A typical ISM adds to your payroll, is hard to find, hard to retain, and (in the humble opinion of this author) not very productive after the first months on the job.
What does an Information Security Manager do? First, a new ISM probably looks to see what information needs to be protected. Any business, no matter how small, has a bank account and other critical financial information.
Companies have the social security numbers of their employees and contractors and, in some industries, their clients. They have customer lists, Intellectual Property and other high-value data they want to protect. Some companies are especially vulnerable if they operate in areas such as biotech or have government contracts.
Second, a new information security manager looks at compliance issues. Is the organization subject to PCI when accepting credit and debit cards? Is the organization subject to HIPAA? Are there state regulations to which the organization is subject? As a result of these analyses and his/her own sense of best practices, the ISM identifies gaps in the organization’s Information Security systems.
Step Three consists of People, Policies and Procedures. The new ISM develops written policies and procedures, institutes password strength and expiration rules, and makes sure that anti-virus tools are in place and up-to-date and that all critical software is patched to the latest release. They check that users have the appropriate credentials and that terminated employees have been properly deleted from the systems. They also put together a security awareness training program and remind employees of the perils of phishing attacks and the need to protect credentials and portable devices.
Step Four consists of Technical Upgrades, including improved Firewalls, Intrusion Detection systems, Log Management Systems, Mobile Device Management Software and Encryption Software.
Step Five is the process wherein the ISM identifies any third parties who may have access to confidential information and assures that they have the controls in place to protect it.
Finally, the ISM performs an external vulnerability test to verify and validate that technical controls and policies and procedures are in place and working.
Once the Information Security Manager has completed these six steps, what is left to do? The system runs itself. Regulations should be reviewed annually (and they don’t change that much), as should policies, training and vendor compliance.
The biggest job the ISM has is to keep tabs on changes within the organization that might highlight a new set of confidential information. The ISM also must monitor new information security technologies that their company may wish to deploy to thwart new threats or upgrade their defenses.
But instead of incurring the costs and headaches of an employee dedicated to a limited range of duties, most companies would benefit from employing an effective Information Security Program with the use of automated, cloud-based tools and cost-effective third parties.
A Certified Information Security Professional can, in a short period of time, sit with key managers and identify the data which needs protecting and the regulations and standards which need to be followed. This can be fed into a tailored database that can compare the required security controls with those already in place to produce a list of ‘security gaps.’
From here, the company can develop new policies and deliver them electronically to the staff, to whom security training modules will be made available via a web portal.
Firewalls can be leased and, along with Intrusion Detection, be monitored remotely 24/7 from a Managed Security Operations Center.
Vendors can be surveyed electronically and the results of their surveys stored on-line.
While this approach will not work for all SMBs, it could potentially save your organization thousands of dollars on an annual basis.
In addition to the financial benefits, an externally managed Information Security Program is better than employing an Information Security Manager in another key way: the organization does not fall into the trap of becoming overly ‘person dependent.’ That is, when the ISM is promoted or moves to another company, you don’t have to try to decipher his/her personal system of spreadsheets and on-line documents. The managed Information Security Program operates independently of any one individual, allowing your company to have stronger and longer-term systems and processes.
So, before approving that requisition for the position of Information Security Manager, consider the option of third-party tools and consultants. You will likely get a more comprehensive and longer-lasting Information Security Program for a lot less money.
By Ken Leeser, CISM | President, Kaliber Data Security
Bio: Ken Leeser’s background blends technical, financial management, business risk, and operations expertise. He has built companies which help organizations and their staffs better understand and implement technology. Most recently, Ken founded Kaliber Data Security and developed the concept of Security Resource Management to better equip organizations to achieve, maintain, and demonstrate security compliance while significantly improving their security posture. He helps businesses improve their Information Risk Management programs with the conviction that IT Security is not merely a technical issue, but rather a process that involves employees at all levels of an organization and is integral to business success. Prior to Kaliber Data Security, Ken led firms which helped organizations automate critical business processes through the selection, implementation and customization of enterprise management software. Ken holds Bachelor and Masters Degrees in Engineering from The Johns Hopkins University. He graduated from the Graduate School of Business Administration at Harvard University with an MBA. For further information please visit www.kaliberdatasecurity.com, follow him @KALDataSecurity or www.linkedin.com/kenleeser, or contact Ken directly: firstname.lastname@example.org.