A little about how an information security department is organized

    At present, sadly, information security in our country is most often treated as a fashionable thing with an incomprehensible purpose. For management it is essentially a bottomless pit for funding, with no return other than the words "everything is under control". For employees, it is some strange people who forbid writing passwords down on paper.

    This misunderstanding is the root of all the information security problems in organizations and, in fact, of the way the information security function itself is organized.

    Reporting structure

    The first and most common problem: where should information security report?
    The two main archetypes are reporting to the security service (economic, physical and so on) and reporting to IT.
    Let's consider both options with their pros and cons.

    IS as part of the security service

    One of the most common archetypes; I have worked in many organizations where things were set up this way. The leadership's logic is clear: it is security, so it goes to the security service.
    The obvious disadvantage is that the two disciplines hardly overlap at all. This means your direct management does not understand your work and, accordingly, your tasks, needs and so on. You simply speak different languages. This is compounded by the fact that the leadership of the security service is, as a rule, made up of former police, military and FSB officers, to whom you are half an alien.
    More often than not, in large organizations where top management are essentially celestials, nobody will listen to you as a rank-and-file employee, and your manager will not be able to explain anything properly because he does not understand it himself. The result is poor funding of the function, resistance to any innovation, and in fact you are kept as "furniture", so that there is someone to be responsible for security under Federal Law 152 (the personal data law) or an industry standard.

    On the plus side, the authority of the security service is, as a rule, very high. Many doors will open for you and you will learn a lot.

    IS as part of IT

    Here the main obstacle is a conflict of interest. Part of the IS function's job is monitoring IT staff's compliance with rules, regulations and policies. During an audit, if the IT department has failed to fulfil some items, the report may simply not be signed by the head, and so on. And again there is the question of differing disciplines, since information security is only indirectly related to IT; most of it does not fit within IT at all.

    On the positive side, it is much easier to introduce systems, since the people who implement them are at your fingertips.

    In either archetype there is a problem of passive resistance caused by the number of approval levels. In the worst case (from my own experience) the approval chain looks like this:
    • The employee drafts the document
    • The direct manager approves it
    • The department director approves it
    • The Deputy General Director approves it
    • The General Director signs it

    Each stage takes some time, and as the number of approval levels grows, this time grows geometrically. As a result documents can hang for quite a while; an electronic document management system helps, but not 100%.

    Ideally, IS should report directly to the General Director or the first deputy, or, as an option, to the deputy for security. The deputy for security is of course the most sensible choice, but I have never seen one anywhere in Russia. With such reporting you get the advantages of the first option while shortening the approval chain and the decision time.


    The second problem, from which the first partly follows, is that management does not fully understand your work, or its goals, tasks and solutions.
    Hence the problems with funding the function, delays in projects and implementations, and other unpleasantness.
    In general this problem is common in IT too, and stems from the fact that IT and security professionals, as a rule, do not know how to talk to business people. We have our own language, understandable to us and easily interpreted by us, for us. The problem is that with business you have to speak the language of business: not abstract concepts like "high" and "low", but concrete ones expressed in percentages, for example, or better still in specific amounts.
    Naturally, to explain to the General or Commercial Director the benefit of introducing a particular security system, you have to make the effort and calculate the return on investment. This is complicated by the fact that information security does not directly generate profit; the benefit has to be counted as losses avoided.
    An example: a virus outbreak in the office. 20 computers are infected, 5 of them on the verge of death. There is a sysadmin, Vasya, with a salary of 44,000 rubles. Vasya disinfected 15 computers in 5 hours and reimaged the 5 dead ones in another 3 hours. In total he spent an 8-hour working day restoring operation. On average Vasya earns 2,000 rubles a day (44,000 rubles / 22 working days a month), so we lost 2,000 rubles because of the attack.
    One could stop at this calculation, but the people whose computers were hit were also deprived of their working tools: 15 workstations were restored gradually over 5 hours and 5 more over a further 3 hours. Those people were also being paid during the downtime, or could have been preparing a presentation for a client or a commercial proposal.

    Thus management should be given, in effect, a choice between two or more alternatives:
    • leave things as they are, and what it will cost us every time the incident recurs
    • how much we need to spend so that it does not happen again (and, together with the first point, after what time the cost of the solution is recouped against the losses from risks avoided)
    • another, intermediate solution, with no less precise a calculation
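    The calculation above carried through to the affected users' downtime and to a break-even comparison of the alternatives, as an added example that is not part of the original article. Vasya's 44,000-ruble salary and the 15 + 5 machines and 5 + 3 hours are the article's figures; the average user salary, the solution prices and the incident frequency are constructed assumptions, and the "gradual" recovery is modelled as machines coming back one after another at an even pace.

```python
"""Incident cost and break-even calculator (added example, not the article's own code).

Assumptions, marked where used: an average affected-user salary of 52,800 RUB/month,
solution prices and incident frequencies in the demo block, and evenly paced
sequential recovery of machines.
"""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_DAY = 8
WORKDAYS_PER_MONTH = 22  # as in the article's 44,000 / 22 calculation


def hourly_rate(monthly_salary: float) -> float:
    """Monthly salary -> cost of one working hour."""
    return monthly_salary / WORKDAYS_PER_MONTH / HOURS_PER_DAY


def restore_times(count: int, total_hours: float, start: float = 0.0) -> list:
    """Downtime of each of `count` machines when they are restored one after another,
    evenly spread over `total_hours`, beginning at `start` hours (gradual recovery)."""
    step = total_hours / count
    return [start + step * (i + 1) for i in range(count)]


@dataclass
class Incident:
    admin_monthly_salary: float
    user_monthly_salary: float   # assumed average salary of an affected user
    cleaned: int                 # machines disinfected in place
    clean_hours: float           # admin time spent disinfecting them
    reimaged: int                # machines that had to be rebuilt
    reimage_hours: float         # admin time spent rebuilding them

    def admin_cost(self) -> float:
        """The part the article counts: the admin's working time."""
        return hourly_rate(self.admin_monthly_salary) * (self.clean_hours + self.reimage_hours)

    def user_downtime_hours(self) -> float:
        """The part the article says not to forget: every user's lost working hours."""
        down = restore_times(self.cleaned, self.clean_hours)
        # the dead machines wait through the whole cleaning phase before rebuilding starts
        down += restore_times(self.reimaged, self.reimage_hours, start=self.clean_hours)
        return sum(down)

    def user_cost(self) -> float:
        return hourly_rate(self.user_monthly_salary) * self.user_downtime_hours()

    def total_cost(self) -> float:
        return self.admin_cost() + self.user_cost()


def months_to_break_even(solution_cost: float, monthly_run_cost: float,
                         loss_per_incident: float, incidents_per_year: float,
                         incidents_after: float = 0.0) -> Optional[float]:
    """Months until avoided losses pay back the solution; None if they never do.

    `incidents_after` lets an intermediate solution that only reduces the
    frequency be compared on the same footing as one that eliminates it."""
    avoided_per_month = loss_per_incident * (incidents_per_year - incidents_after) / 12
    monthly_saving = avoided_per_month - monthly_run_cost
    if monthly_saving <= 0:
        return None
    return solution_cost / monthly_saving


if __name__ == "__main__":
    # The article's outbreak; 52,800 RUB/month for users is an assumption.
    outbreak = Incident(44000, 52800, cleaned=15, clean_hours=5, reimaged=5, reimage_hours=3)
    print(f"admin cost: {outbreak.admin_cost():.0f} RUB (the article's 2,000)")
    print(f"user downtime: {outbreak.user_downtime_hours():.1f} h, "
          f"{outbreak.user_cost():.0f} RUB")
    loss = outbreak.total_cost()
    print(f"total per incident: {loss:.0f} RUB")
    # Constructed alternatives for the three-option comparison: (upfront, monthly, incidents left)
    alternatives = {
        "do nothing": (0, 0, 4),
        "full solution": (150000, 5000, 0),
        "intermediate": (40000, 2000, 2),
    }
    for name, (upfront, monthly, left) in alternatives.items():
        m = months_to_break_even(upfront, monthly, loss, incidents_per_year=4, incidents_after=left)
        print(f"{name}: break-even in {m:.1f} months" if m else f"{name}: never pays back")
```

    The admin cost comes out at the article's 2,000 rubles; the users' lost time, with the assumed salary, is an order of magnitude larger, which is exactly the point the article makes about stopping the calculation too early.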


    The disappointing conclusion here is the indisputable truth that a good specialist is not a good manager. Managing a department is not the same as managing an information security management system, even if 90% of the work is about people. But by and large, having taken his knocks building an ISMS and having dealt with management and colleagues, an IS specialist will be 50% ready to run his own IS department; the other 50% is management textbooks, ITIL and similar practices, and of course experience!
