Secure Payments, PCI DSS, Regulatory Compliance Blog

Compliance is a business issue

April 14th, 2007 by Rob Newby Posted in Compliance

Something which is taught very early on in the CISSP course: ALE = SLE x ARO.

Annual loss expectancy (ALE) is the yearly cost of security breaches to a company, including fines for non-compliance. It is calculated by taking the single loss expectancy (SLE) and multiplying it by the number of occurrences in a year (ARO = Annual Rate of Occurrence). If ALE exceeds the cost of securing against ALE, why bother, right?

Well, future proofing, peace of mind, running a secure business, stop me when you hear the thing that applies to you. As a CSO I would look for peace of mind, as a CIO, future proofing my network, as a CEO, securing my business and making that a differentiator. As “the Security Guy” in your organisation (I know I am, and I expect you are too), you are not given a huge budget like the network guys often are, you have to give reasons, proof and returns on everything, even when the proof boils down to “nothing is happening to our network”.
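As an added illustration (not part of the original post), the ALE arithmetic from above carried across several constructed loss scenarios, with a compliance fine counted as its own loss line, and compared against the annualised cost of a control; every figure, scenario and function name here is made up for the example.

```python
# Added example, not from the original post: ALE = SLE x ARO across several
# hypothetical loss scenarios, then the "why bother" comparison against the
# yearly cost of a control. All numbers are constructed, not real data.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annual rate of occurrence: expected events per year


def ale(s: Scenario) -> float:
    """Annual loss expectancy for one scenario: SLE x ARO."""
    return s.sle * s.aro


def total_ale(scenarios: Iterable[Scenario]) -> float:
    """Sum of ALE over independent loss scenarios (fines included)."""
    return sum(ale(s) for s in scenarios)


def control_net_benefit(before: Iterable[Scenario],
                        after: Iterable[Scenario],
                        annual_control_cost: float) -> float:
    """ALE reduction the control buys, minus what the control costs per year.
    Positive means the control pays for itself on expected loss alone;
    negative is the case the text calls "why bother" (the ALE argument
    alone does not justify it, so other business reasons must)."""
    reduction = total_ale(before) - total_ale(after)
    return reduction - annual_control_cost


def worth_it(before: Iterable[Scenario], after: Iterable[Scenario],
             annual_control_cost: float) -> bool:
    return control_net_benefit(before, after, annual_control_cost) > 0


# Constructed scenarios (hypothetical figures) for a card-processing business.
BEFORE = [
    Scenario("cardholder data breach", sle=250_000, aro=0.2),  # one in 5 years
    Scenario("PCI non-compliance fine", sle=50_000, aro=1.0),  # expected yearly
]
# Same business once a control is in place: breach rarer, fine no longer expected.
AFTER = [
    Scenario("cardholder data breach", sle=250_000, aro=0.05),
    Scenario("PCI non-compliance fine", sle=50_000, aro=0.0),
]

if __name__ == "__main__":
    for cost in (60_000, 100_000):
        print(f"control at {cost}/yr: net {control_net_benefit(BEFORE, AFTER, cost):,.0f}")
```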

In these cases we need to rise above the technical, and look at the business:

Why will doing what is best for the network be best for the business?

If we are always concerned about the bottom line, how can I do my job without being terrified that we are going to lose critical systems?

The systems are critical to the business, therefore these are business issues. Compliance is very much a business issue; security is a technical/people/process issue. This is why compliance is increasingly industry specific, while security still addresses the network. It can be very confusing for a security guy, probably with an engineering background. The other business people in your organisation are interested in running an efficient business, and compliance should be a minimum for guidance, not a maximum for budgeting. Unless they are guided by the security guy, this is often ignored.

Security Guys should be looking to interpret these compliance standards and regulations in terms of what makes sense for the business, and in most cases that doesn’t just mean doing the bare minimum, but providing scope for future improvements, doing everything possible to avoid breaches and creating further business opportunities and drivers. PCI was created by the card companies for exactly this reason, not to strangle business, but to support it.

17 Responses to “Compliance is a business issue”

  2. By APM on Apr 16, 2007

    Totally agree.

    I’ve been saying this to my FD for months with little reaction, unfortunately.

    I’ve tried the “I can get you compliant via the project process but how are you going to maintain compliance after delivery?” question with little reaction, unfortunately.

    I’ve presented estimated cost breakdowns for varying levels of security breach showing the “business cost” in financial terms with little reaction, unfortunately.

    That doesn’t make the statement any less relevant. It just proves the saying, “there are none as blind as those that don’t want to see”.

    Unfortunately.

  3. By Rob Newby on Apr 16, 2007

    Hi APM,

    We’ve had this conversation via email already, so I appreciate the position you’re in and it’s very difficult. Offshore gaming environments must be a special case, hard to touch with regulations and not particularly interested in compliance.

    I think in this case you have to come away from compliance altogether and concentrate on just the business issues. If you can identify all the business issues and translate them into security, you may well find that you can cover some of the compliance as well. Unfortunately this will mean you don’t have a Compliance Project as such, which I understand can be unappealing.

    Look for the compliance within the business rather than the business within compliance.

    Makes me sound like Yoda, but then he was a wise man…

    Rob.

  4. By APM on Apr 16, 2007

    Man wise you are.

    Indeed, the latest track I am taking is “business benefit” with everything from efficiency savings to speed to market improvements of security related issues. Some of my suggestions may be a little, ahem, intangible, but that’s the way it goes.

    I’m not holding my breath…….

    regards,

    Andrew

  5. By Rob Newby on Apr 16, 2007

    Hi Andrew,

    You’re always one step ahead of my suggestions!

    I’d be interested to hear how you’ve turned each part on its head to become a business requirement, it’s a very valuable skill and something we should post about here.

    In the meantime, let me know how it goes, good luck, and may the force be with you.

    Rob.

  6. By APM on Apr 16, 2007

    OK, here’s an example of the sort of level I have to work at.

    Our HR department is a law unto itself. It gets involved in what it wants to and ignores the rest. As part of my onslaught of “Information Security”, I have proposed an awareness training programme for the staff. Nothing amazing in that you may think.

    Well, the HR department did not want to get involved in that for various reasons. That being the case, I would have struggled to design, manage the delivery of such a programme for 300 staff on my own. So what did I do?

    Well, there has been some talk in the company about improving internal communication. I suggested to the HR Manager that they issue a bi-weekly newsletter with “interesting facts and news about the company”. A couple of months later and we’ve just had the third edition. The next edition will include a piece from me on password management and the use of pass phrases as an alternative.

    The intention is to increase the number of submissions from me over time until the HR department thinks there are too many InfoSec related articles in the newsletter, then I’ll ask them if they have a better way of delivering Information Security Awareness. By then, the managed awareness programme approach will be their idea and of course, they will want to manage it!!!

  7. By Rob Newby on Apr 16, 2007

    Genius! That’s great, and although it sounds like hard work, it’s got things off the ground for you. HR will never get involved in anything that they see as creating “unnecessary” work for them or less productivity in the workplace in general. Again, this is about presenting it as a business issue.
    When you say “training program” to them they will envisage having to organise 300 people into groups and taking them out of their day to day jobs for weeks at a time. Your newsletter is a far simpler idea. Your battle now of course is to make sure it gets read.

  8. By APM on Apr 16, 2007

    “Your battle now of course is to make sure it gets read.”

    Absolutely.

    So, to that end, I have engineered the HR department into thinking of getting a “forward” by a different management type (starting with Directors) every edition. This should mean that people can relate to the newsletter because it’s “from their boss”.

    Also, they are going to have employee competitions (win a voucher / spot the difference type things), employee news (birthdays, marriages, births etc.) and even a relevant cartoon. All to move it away from being a boring old company document into being a publication that has some meaning to the employees.

    Of course, all of these things are HR’s “brilliant ideas” with, ahem, no help from me…….

    :-)

    And yes, it is bloody hard work when all I wanted was them to do their job!!

  9. By Rob Newby on Apr 16, 2007

    You’ve obviously had to think about this far too hard.

    I was going to suggest a competition, but how do you make it security related without everyone switching off?

  10. By APM on Apr 16, 2007

    Slowly-slowly-cathy-monkey.

    The first few competitions will be generic and nothing to do with InfoSec. Then we’ll add a competition with a security related concept but in a non security related environment. For example, the old WWII poster “Loose lips, sink ships” could be used in a spot the difference competition to deliver a “subliminal advertising” approach to security. This could be backed up with an article about password sharing, bar room business discussions etc, etc.

    At least, that’s the idea.

  11. By Rob Newby on Apr 16, 2007

    Work your way up slowly, good idea. Are HR aware that it is their responsibility to make the users aware of privacy levels, web usage monitoring, email usage, etc?
    If not, you should point it out to them, and then offer to help them with an online security program of some sort, i.e. no extra work for them, but they can support you instead of how you are having to work it now, which kind of relies on their participation.
    Then of course you have to come up with an online security program, but HR should feel more inclined to make sure everyone goes through it when they join the company. It needn’t be much at first, because you’d have to update it regularly anyway, but it might be the sort of thing that suits both sides?

  12. By APM on Apr 16, 2007

    All good stuff. Unfortunately, however, this assumes a certain level of use of common sense on a certain department’s part. Not necessarily available at the moment.

    Another example. I reviewed the company’s induction process for InfoSec related aspects and it was decidedly lacking. There is an Acceptable Use policy but it is so vague as to be pointless. When I pointed out that certain (most) areas were not covered, the response was “well, if you want to change it for your own benefit fine but this is what we are going to give the staff”.

    The problem here is absolutely no concept of policy or procedure type approaches. Everyone does what they want, or not as the case may be. Therefore, the idea of HR being “responsible” for something is alien to them unless it is their idea.

    This is a concept I am working to change but with the nature of the business and the fact that it is within a privately owned and loosely regulated environment, the progress is virtually non-existent.

    Still, that said, it is a fantastic learning ground!!!

    :-)

  13. By Rob Newby on Apr 16, 2007

    Sounds like you need to start from the management and work your way down. Tell them what they can expect if you don’t implement a security program, and then show them what a simple one looks like, acceptable use, risks, symptoms, actions and expectations. But make it business focused.
    Always get management backing before you set out on a security program, however, from what you’ve told me before, this is also not as straightforward as that.
    If you can’t achieve all of this on your own, maybe I’ll come down to Gib and help you out. :)

  14. By APM on Apr 16, 2007

    Yet again, all good stuff but……

    As I think we’ve discussed before, the management are significantly more interested in “making money” than “spending money” on InfoSec, as they see it.

    We had an “issue” recently which was insider driven and made worse because of the lack of any sort of InfoSec approach. It was quite costly. Did this give them new impetus to take InfoSec seriously and enact _any_ of the suggestions I had previously put forward?

    In a word, no.

    The only reason they are interested in PCI Compliance is because someone stated that if we weren’t compliant it would be “highly likely” that we would be prevented from processing card transactions. And we’d get fined “tens of thousands of pounds on July 1st”.

    Can’t imagine who put those stories around…….

  15. By Rob Newby on Apr 16, 2007

    Sounds like you need to be covering yourself in that case. Companies who are not prepared to act are leaving themselves open to an attack, and as I said to you before, you’ll end up being the scapegoat if you’re not careful.
    Get a copy of Mike Rothman’s “Pragmatic CSO” if you want some useful pointers on how to deal with management. There are a couple of gems in there which I will paraphrase here:

    Identify the business units, manage their expectations, build your plan and sell the story.

    If there are no consequences to failure, you are not a proper business unit.

    I’d be amazed if none of them will listen once it is turned into a proper business case, especially as you are saying they are interested in making money. They will lose money if they don’t, big time. Have you shown them all the stories in the press about TJX? They weren’t compliant. More to the point, they were not secure. They had probably had someone saying “forget security, it’s a waste of money”, now they have lost their own money, reputation, customer’s money, AND are facing fines and criminal charges on the back of it. See if your management would be happy with that.

  16. By APM on Apr 16, 2007

    Yes indeed.

    I have used the TJX case extensively in my war on complacency to mixed results. It has helped, definitely.

    I had already ordered the Pragmatic CSO and am looking forward to it, hopefully it’s not just hype and will include some good ideas.

    The underlying issue with this company is that they like risk. They see risk as a good thing (we are an online gambling company after all) so anything related to risk they see as a positive.

    Understanding that has been a learning curve and a half I can tell you!!!

2 Trackback(s)

  2. Apr 18, 2007: Lying with statistics at PCI Compliance Demystified
  3. Apr 26, 2007: Out and about in Europe at PCI Compliance Demystified
