Shifting to a flexible information security framework
By Randall Gamby, Contributor
searchSecurity.in
In today's financial businesses, information security remains a top priority despite the economic recession -- at least conceptually. It's still struggling when it comes to making the short list for funding by C-level business executives. Why is getting buy-in for information security services so difficult? While it's recognized as inherently important, executives are focused on optimizing business functions in the down economy and their views of what information security does for the organization are skewed.
If you asked the top CSOs and CISOs from any of the large financial firms to define information security in one sentence, likely most would give some variation of the Wikipedia definition: "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction." While that's an accurate description of what information security protects against, it doesn't establish the fundamental view of what an information security framework does. A better definition should be: "The establishment of secure communication channels for authorized recipients to gain access and effectively use information from its sources."
If you read over these two definitions several times you begin to see that the first is negatively focused and a business deterrent, whereas the second concentrates on the positive aspects of what information security services can do and is a business enabler. While accurate, the first definition conjures up images of locks, keys, police and Big Brother looking over your shoulder. It also doesn't take into account that the source of information may not be an information system, but may be a person. Meanwhile, the second definition focuses on how information security works and how it provides benefit to the business. It brings to mind collaboration, access to information, adaptability, little or no roadblocks, etc. -- the business needs an information security model to provide all of these things.
Financial-business managers are well aware that their traditional product-focused and multilayer management operational models are too conservative for today's marketplace, and they are actively moving to more market-driven, dynamic, virtual, team-structured, adaptive business models. By positioning security as a "protection service," it is perceived by business managers as locking down information, which goes against their goal of adaptability. Just like the new operational business model, an information security framework needs to be seen as adaptive. It needs to say to the business that it will put in place services and technologies for people to securely and effectively do their jobs without encumbering them -- a much better alignment with the business way of thinking.
But what about costs? Does one definition imply anything about costs over the other?
When you talk about protection it's impossible to quantify who and what you're protecting against; the field of battle is just too great. Historically, throwing up walls and defenses around a kingdom provided short-term protection against enemies that had the time and motivation to seek out and test vulnerabilities, and then develop effective weapons against them. This kept the kingdom constantly deploying new weapons and defenses. Plus, those same defenses inhibited commerce from moving freely from kingdom to kingdom.
Today in information security, the same scenario applies. No matter what you defend against, there's always someone who either has a better counter-defense or finds another vulnerability to attack -- just look at the almost daily articles on new vulnerabilities that are uncovered. So the defenses, which cost money, time and personnel, may not be effectively protecting the most vulnerable areas of the company or may even be protecting against an enemy that isn't even there. Not a wise use of ever-limited resources. Plus, as an individual passes from one information security defense to another, they have to stop and authenticate themselves while the systems ensure they have the authorization to proceed. These security stops along the way to the information cause slowdowns and loss of productivity.
But looking at security as a business benefit implies business-tailored information security services and thus lower cost. Instead of building generic, ineffective defenses against unknown enemies, building your information security model around deploying "secure communication channels" creates flexible defenses that have one authorization point to verify the access needed to sensitive information and one exit point at the sources of information. Whether this is "white listing" access, encrypted tunnels from Web access management systems to multiple business systems, using federation protocols to remove the need for multiple authentications, or encrypting email correspondence through a messaging appliance, the goal of these services is to enable recipients to securely get to the information they need without having to be aware of, or encumbered by, the security mechanisms in place. By focusing on the business's need to securely obtain the information it requires, instead of on keeping out perceived enemies, information security can be a well thought-out plan, scaled as necessary, with known costs and benefits.
So as business managers discuss their needs with the person responsible for their information security program, will that person talk about how they lock down information, or will they discuss the opportunities to enable secure access to the information? And how satisfied will the business person be when they walk away? It all depends on the company's fundamental ideal of what information security is.
About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 15 years. He specializes in security/identity management strategies, methodologies and architectures.