The Quest for Independence - Information Security Management Pyramid. Mikhail Utin, CISSP, PhD, Daniil Utin, MS and Rubos, Inc.

Transcription

1 1 1. Introduction The Quest for Independence - Information Security Management Pyramid Mikhail Utin, CISSP, PhD, Daniil Utin, MS and Rubos, Inc. team The current state of global cybersecurity remains chaotic (ISACA 2016) In our first article (MIkhail Utin et al. 2008) we considered misconceptions in security management leading to ineffective operations and finally to the state we are in now. The reason was formulated as Information Security (InfoSec) Management utilizes Information Technology (IT) management methods. InfoSec should thus use its own ways and means to be able to protect IT against increasing threats. Every day news bring us security problems affecting operations of clouds, mobile devices and networks, Internet of Things, utilities and power grids control systems etc. During last decade security technology did improve but adversaries improved their capabilities as well and we are still losing this continuing battle. Here is the status of cybersecurity at the end of 2015 (ISACA 2016): The current state of global cybersecurity remains chaotic, the attacks are not expected to slow down, and almost 75 percent of respondents expect to fall prey to a cyberattack in Well, the same was correct for 2017 and no doubt will happen in The main contributor to insecurity remains the same - inconsistent information security management, which is still affected by IT-based management methods. That also includes ignoring Security Development Life Cycle and simply following what IT industry introduces on the market without any security analysis of associated risks and any real proof that technology is safe to use. One of the major principles of any management is the separation of duties. We consider below how the lack of that in IT and InfoSec management affects the possibility of correct decision making and, therefore, security. 2. Does Information Security Need the Independence? People who worked in Information Security long enough and within a few organizations - security consultants in particular, know that the line of management, i.e. positions and responsibilities, may vary. However, big or small, the most common model is that InfoSec belongs to IT. In a small or mid-size company ( employees) with existing line of IT management, security is to be assigned to a security analyst who will be responsible for all related processes and operations and reporting to, say, IT Manager. It means that the analyst has no security management responsibilities and completely depends on IT management decision making, including budget distribution. If such company requires compliance to regulations like DSS, HIPAA, ISO etc. the group or a department responsible for the compliance will be outside of IT management line. That is because the compliance is considered as mostly legal process and outside of IT and thus security operations. In such organization Information Security and Compliance Officer (ISCO) will not be

2 2 reporting to IT management line but will still be responsible for security processes including planning and reporting to government or the compliance governing organization. Such structure definitely saves money because there is only one operational security specialist and one a (sort of) security manager ISCO - not really having influence in IT security operations and no decisive power including security budget because the budget is in IT management hands. The distribution of resources and thus the fate of security projects in such management structure completely depends on the will and understanding of security matters by IT management while security specialist implements security and ISCO plans it. There is real life example how it works. IT manager seeing that the implementation of vulnerability scanning and management requires additional time and budget due to the mobile character of the company network said that there is no need in vulnerability scanning because there is patch management solution deployed. The argument that vulnerability scanning is for the verification and finding missed or unknown security holes was dismissed with the IT manager assumption that the patching software does all right. Are any comments required? However, the situation had the following logical development. New IT Director asked to resume vulnerability scanning and results revealed that numerous computers have multiple high risk vulnerabilities ranging between 5 and 20 per a computer. Finally it was identified that patch management solution was malfunctioning for the last six (!) months while reporting all computers patched. On the lowest security end are organizations like one Boston located hospital of 3,000 personnel and until 2014 have had one person tasked per cent to do database management and InfoSec. If the hospital reported HIPAA incompliance (and the compliance was definitely at the level close to zero) it would have been shut down. However, it was operating and thus falsely reporting compliance to the US government. Luckly, in 2014 the hospital hired Chief Information Security Officer (CISO) and promoted DB and security administrator to Director of Security and started hiring security personnel. Large organizations tend to have a security manager or director but still not top level executive like Chief Information Security Officer (CISO). According to Wikipedia information (Wikipedia 2017) (quote): In 2011, in a survey by PricewaterhouseCoopers for their Annual Information Security Survey, (Pricewaterhousecoopers 2011) 80% of businesses had a CISO or equivalent. About one-third of these security chiefs reports to a Chief Information Officer (CIO), 35% to CEO, and 28% to the board of directors. This estimate looks overly optimistic only one third of upper level security managers reports to IT boss. The percentage of organizations having CISO also looks too god 80%. It may relate to a specific group of organizations though. Unfortunately, the original survey is not available at the time of writing this article. Another estimate of who CISO reports to is in ISACA survey (ISACA 2016), which has been conducted at the end of 2015 (quote): of 842 individuals of which 461 are cybersecurity managers and practitioners. Reporting structure of cybersecurity/information security is as follows: to the CIO - 63%, CFO 4%, Audit 1%, CEO for 14%, directly to the board for 8%, and undefined, etc. 9%.. Basically only 22% are reporting to the top executive level and thus managerially are at the same level as CIO.

3 3 Another effect of clear IT influence in information security matters is reported in ((ISC)2 2015): the information security workforce shortfall is widening. In 2015, 62 percent of the study s respondents stated that their organizations have too few information security professionals. It has been also noticed (ISACA 2016) in 59% cases that 50% job candidates lack required qualifications. Existing employees lack the ability to understand business 75% and communication and technical skills 61%. While the results considered above are caused by various factors, we still think that appropriate line of security management, thus independence in information security decision making, and direct access to the organization resources will improve various security related processes and finally change security situation to be less chaotic. 3. Pyramid Model We developed simple Pyramid Model (Fig.1) representing how the line of management works in case of InfoSec being under IT control. The lowest level In the Pyramid is Security Analyst (SA) and above it there are four IT management levels IT Manager (ITM), IT Director (ITD), Director of Infrastructure (DoI) and Chief Information Officer (CIO) who reports to CEO of the organization. Such line of IT management is very common. Let s suppose that SA sees the need for SIEM (Security Information and Event Management) system which is required by the organization compliance with ISO27000, DSS, HIPAA, GDPR etc. standards. SA is trying to fill out the gap of missing essential security service. That will require monetary (approximately 100,000 USD) and human (additional security analyst) resources to acquire SIEM system and implement such process. SA researches available SIEM systems on the market and writes a proposal. That is submitted to ITM for review and consideration. ITM understands that the IT budget for this and next years is tight and the plan is to implement a few IT projects. Considering ITM s real life concerns, the best he can do is decision making, and the best chance to get SIEM project approved by ITM is 50%. In real life that is likely to be much closer to 0%. So, if the approval passed to the next ITD level, it also has at best a 50% chance of being approved, simply because ITD knows about tight budget and has urgent IT priorities required to expand the support of the business. Resulting probability to pass two (ITM and ITD) levels is thus 0.5x0.5=0.25 (25%). If the project happened to reach DoI level, we have the same situation as below DoI knows of various planned changes to improve IT infrastructure and the budget is, yes, it is tight. The best chance to pass this level is again 50% and all three levels 0.5x0.25=0.125 (12.5%). If the project passes three levels and gets to CIO, the best chance to pass and be approved is again 50%. Well, the CIO knows about the importance of the security, required compliance, etc. etc. but

4 4 Fig. 1 IT management Pyramid Model

5 5 There are a lot of software and infrastructure projects and tight budget and after all the CIO is a human being with all concerns of the top level executive. The chance to pass CIO filter thus at the best is 50% and all four levels is 0.125x0.5= (6.25%). Finally, if the project is so lucky that it gets on CEO table, at most it is again 50% chance to be finally approved, because of all investments, problems with IT services (as he/she knows from all the IT management, need to consider unplanned extension of the business services, REALLY LACK OF RESOURCES and TIGHT BUDGET So, X0.5= (3.125%, simply 3%. That is the chance of a security project passing through such IT governed management structure. Actually it is the BEST chance when all IT managers were not negative but neutral (50-50) to pass the project to the next level of decision making. If such project were presented to CEO by CISO who would remind that the organization has approximately 15% (it is real life number) HIPAA or whatever compliance and if audit happens then the organization will likely be shut down to fix the gap of 85% incompliance, then SIEM project helping to decrease the incompliance will very likely be approved. At least it would have 50% not 3% chance. 4. Conclusion The situation in information security is not getting any better. There are various reasons, and one of them is enormous IT influence in all InfoSec processes and aspects. For instance, IT technology standards which do not consider how proposed technology is secured and how it could be exploited. So far, there is no SDLC (Security Development Life Cycle) requirement when IT standards are developed. Examples are numerous the most recent are Meltdown and Spectre, before were computer system management software and virtualization. The position of InfoSec in its competition with IT for resources may improve if security management had the same level of influence direct access to the top executive level decision making. We want to be optimistic on that matter; however, US government, for instance, did not have Federal CISO position until September 8, And, Federal CISO still reports to Federal CIO. The federal government was reluctant to organize appropriate level of security management and that definitely affected various federal programs requiring strict implementation according to NIST SP800 standards. For instance, Cloud First FedRAMP project had various problems and failing security implementation (Utin, M. 2015). Major US government security projects are still to pass two levels of the executive branch CIO and the President. Well, 25% by our calculation 5. References 1. State of Cybersecurity Implications for ISACA, 2016 (ISACA 2016) 2. Mikhail Utin, Dan Utin, Jane Utin. General misconceptions about information security lead to insecure world. (ISC)2: Information Security Journal: A Global Perspective (Mikhail Utin et al. 2008)

6 6 3. Chief Information Security Officer, Wikipedia, 2017 (Wikipedia 2017) 4. Annual Information Security Survey, PricewaterhouseCoopers, 2011 (PricewaterhouseCoopers, 2011) (ISC)2 Global Information Security Workforce Study ((ISC)2 2015) 6. Utin, M. (2015). From misconceptions to failure: Security and privacy in the US Cloud Computing FedRAMP Program. In s. Shumacher and R. Pfeiffer (Editors). In Depth Security: Proceedings of the DeepSec Conferences (Pages ). Magdeburg: Magdeburger Intitute fur Sicherheitsforschung (Utin M. 2015)