What is Information Security Management? Why is it important? What is an Information Security Management System? Top Information Security Management courses? What does an information security management professional do? What salary can you earn?
Deepu Krishnan, a seasoned information security management manager, addresses all these questions in this article.
The CIA agent. No, we are not talking about the Central Intelligence Agency here. We are talking about Confidentiality, Integrity and Availability, what the industry calls the CIA triad in information security, and how it is the cornerstone of a career in information security.
Like any other asset, information has value to the organization. In this age of information, this particular asset can make or break an organization, so organizations have to protect it.
In the world of information security, an information asset is valued on three factors: its Confidentiality, its Integrity and its Availability.
Now which of the three is most important?
There is a lot of debate about this in the industry, but personally I would side with Integrity. What is the use of making information available and keeping it confidential, if the integrity is lost (meaning the information is not accurate)?
An Information Security Management System (ISMS) is a framework which consists of policies and procedures for managing an organization’s information assets in a systematic fashion. The aim is to minimize risk and ensure business continuity by addressing employee behaviour and processes in addition to information and technology.
The general approach to managing risk is the 4 Ts: Tolerate (accept) the risk, Terminate (avoid) the risk, Transfer the risk (by insuring it, or through joint ventures, outsourcing arrangements, etc.) and/or Treat (reduce or mitigate) the risk by planning alternatives, applying controls, etc.
We have already met some of the jargon associated with information security: information asset, ISMS, CIA, risk, 4 Ts, etc. We need to be familiar with some more to join information security discussions without appearing naïve.
Before talking about the sort of controls that we need to put in place to protect our information assets, we need to assess the risks of losing these assets (or something that affects C, I, and/or A).
For that we need to understand the threats that may exploit the vulnerabilities associated with the information. We run a risk when a threat can exploit a vulnerability.
The first thing to understand is that a threat will always be there. For example, take an information asset, say the multi-billion dollar contract the company has just won, which is kept in hard copy. Fire is a threat, since it can destroy the document, but we can do nothing about fire itself. That threat is always there.
But we can do something about the vulnerability. In the case of the paper document, the vulnerability is that paper is, by nature, flammable. If the threat (fire) exploits the vulnerability (the paper burns) we have a risk (the important document is destroyed). We definitely can do something about the vulnerability.
For example, we can put the document in a fire-proof safe. The risk, or business risk, is gauged in terms of the probability of the threat exploiting the vulnerability and the impact if it does. Note that more than one threat can affect the same asset.
Say a disgruntled employee in a department with access to this document decides to teach his boss a lesson. He gets his hands on the document and tears it apart or puts it through the shredder. The control needed to address this sort of risk may be different (say CCTV), though the information asset is the same.
Also note that even after we adopt a control, an element of risk remains. If the temperature rises beyond the rating of the fire-proof safe, the document inside can still be destroyed. CCTV cannot prevent the disgruntled employee from misusing his access rights to destroy the document.
It may only provide evidence for legal action against him. The risk that remains despite the controls put in place is called the residual risk.
Going back to the contract document example, we can reduce the impact further by keeping a scanned (soft) copy in the cloud or at an off-site location such as the CEO's home, but some residual risk will always remain.
The probability of a risk materializing can be estimated from past data (for example, how many fire incidents have occurred in the last three years). Impact is generally determined by converting the value of the information asset into a dollar/rupee figure, but this is not always possible. It is almost impossible, for instance, to put a financial value on the loss of reputation caused by a data leak.
Controls are of three types: preventive, detective and corrective.
Preventive controls can be as simple as locks, or passwords controlling logical access to confidential information, or as complex as an access management system controlling physical access to different areas of the office and/or logical access on the intranet.
CCTV is an example of a detective control. Backing up data is an example of a corrective control: if the data gets corrupted it can be restored from the backup, and with modern backup mechanisms, with very little loss of productivity.
Risks are minimized by putting controls in place. But keep in mind that after putting certain controls in place, the organization will finally accept the residual risk. It has to. No organization is going to spend more on protective controls than the information asset is worth.
In fact, if it aimed for hundred percent protection there would be no end to it, so at some point it stops. Where it stops depends on what we call the risk appetite of the organization.
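The arithmetic behind the last few paragraphs (probability times impact, the effect of preventive, detective and corrective controls, residual risk, and the cost and risk-appetite test that tells you when to stop) can be put into a small risk register. The following is an added worked example, not code from the article; every probability, impact and cost figure in it is constructed for illustration, and the "annual loss expectancy" model and the `decide` function are one simple way to apply the 4 Ts, not the only one. It reuses the article's two scenarios: fire and the disgruntled employee.

```python
"""Added worked example: a toy risk register for the paper-contract scenarios.
All figures are constructed for illustration, not taken from the article."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    name: str
    kind: str                        # "preventive", "detective" or "corrective"
    annual_cost: float
    probability_factor: float = 1.0  # 0.5 halves the chance the threat succeeds
    impact_factor: float = 1.0       # 0.1 means only 10% of the loss remains


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    annual_probability: float        # from past data, e.g. 2 incidents in 40 years
    impact: float                    # loss if the threat exploits the vulnerability
    controls: List[Control] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annual loss expectancy with no controls: probability x impact."""
        return self.annual_probability * self.impact

    def residual_ale(self) -> float:
        """Loss expectancy that remains after every control is applied.
        A purely detective control (CCTV) changes neither factor: it only
        helps with evidence afterwards, exactly as the article says."""
        p, i = self.annual_probability, self.impact
        for c in self.controls:
            p *= c.probability_factor
            i *= c.impact_factor
        return p * i

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)


def decide(risk: Risk, risk_appetite: float) -> str:
    """Pick a treatment from the 4 Ts. risk_appetite is the annual loss the
    organization is willing to carry for this asset without further action."""
    inherent, residual, cost = risk.inherent_ale(), risk.residual_ale(), risk.control_cost()
    if inherent <= risk_appetite:
        return "Tolerate: inherent risk already within appetite"
    if cost >= inherent - residual:
        # Never spend more on controls than they save.
        return "Do not treat this way: controls cost more than they reduce; tolerate, transfer or terminate"
    if residual <= risk_appetite:
        return "Treat: controls justified, accept residual risk"
    return "Treat, but residual still above appetite: add controls, transfer or terminate"


def fire_scenario() -> Risk:
    # Constructed figures: 5% chance of a destructive fire per year, 1M contract.
    return Risk("multi-billion dollar contract (hard copy)", "fire", "paper is flammable",
                annual_probability=0.05, impact=1_000_000,
                controls=[Control("fire-proof safe", "preventive", 500, impact_factor=0.1),
                          Control("scanned copy off-site", "corrective", 200, impact_factor=0.05)])


def insider_scenario(with_offsite_copy: bool) -> Risk:
    # Constructed figures: 2% chance per year that an insider destroys the copy.
    controls = [Control("CCTV", "detective", 1_000)]  # evidence only, prevents nothing
    if with_offsite_copy:
        controls.append(Control("scanned copy off-site", "corrective", 200, impact_factor=0.05))
    return Risk("multi-billion dollar contract (hard copy)", "disgruntled employee",
                "anyone with access can shred it", annual_probability=0.02,
                impact=1_000_000, controls=controls)


if __name__ == "__main__":
    for r in (fire_scenario(), insider_scenario(False), insider_scenario(True)):
        print(f"{r.threat:>20}: inherent {r.inherent_ale():>9,.0f}  residual {r.residual_ale():>7,.0f}"
              f"  controls {r.control_cost():>5,.0f}/yr -> {decide(r, risk_appetite=2_000)}")
```

Running it shows the point of the residual-risk discussion: CCTV on its own leaves the loss expectancy for the insider threat exactly where it was, so the register flags the spend as unjustified until a corrective control (the off-site copy) is added; the fire controls cost a few hundred a year against a 50,000 inherent exposure and bring the residual well inside a 2,000 appetite, so the organization treats the risk and accepts what remains.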
Again, to give a layman's analogy: say that according to current statistics in our city, more accidents happen on Saturday nights (due to more instances of drunk driving, road rage, etc.).
A very risk-averse person may decide to stay home and relax on Saturday nights, reducing the probability of an accident (the risk) to almost nil (well, unless the roof collapses on his head).
Another may decide to go out, but take safety measures like wearing a seat belt in the car, or a helmet if he is on a bike. These people are not doing anything about the probability.
Safety measures reduce the impact in case an accident happens. But if your risk appetite is quite high, you may just decide to go and have a bash. The risk appetites of organizations are comparable.
The expectation from information security standards like ISO 27001:2013 (which gives the requirements for an ISMS; the 2013 edition has since been superseded by ISO/IEC 27001:2022, but the risk-based approach is the same) is that the organization makes an informed decision. That means you take the risk not out of ignorance, but after carefully weighing the pros and cons.
So what does it take to be a CIA agent, I mean an information security professional? Like anything else you want to excel in, you have to fall in love with the subject. Knowledge is power. Technical know-how is an advantage in this field, but don't confuse information security with its subset, network security.
The latter, including communications and data centre security, constitutes only about a quarter of information security. The remaining chunk is procedural security, which also includes physical security (perimeter security, manned reception, access-controlled work areas, etc.) and business continuity management.
There are a host of certifications (CISA, CISSP, CISM, etc.), but most of these have an experience element, so they may not help you enter the field. Incidentally, I have seen people with less experience excel at the CISA exam, though they have to wait for some time to satisfy the experience requirement.
Like many other international certifications, the exam requires that you select the most appropriate answer as indicated in the associated body of knowledge (BoK), and in many cases it becomes more a test of English comprehension.
If the gap between your college studies or competitive exams and your CISA exam is small, you may score higher than experienced people who let experience drive their answers and give the BoK a back seat.
Mostly these certifications are useful for people in the middle of their careers. Personally, after more than a decade in the field, I haven't got any offer based on my CISA, but the certification does burn a hole in my pocket every year (ISACA membership, certificate maintenance, earning CPEs, etc.).
If you are not working for a company that is willing to pay certification maintenance costs, it may be better to opt for certifications without a maintenance component, like ISO 27001:2013 Lead Auditor.
Those interested in the technical side can look at Certified Ethical Hacker courses, etc., or specialized courses on cloud security, mobile security, penetration testing and vulnerability assessment (PT and VA), data privacy topics like GDPR, etc.
Even if you want to get into the process side, it may be easier if you are technical: get into one of the technical roles associated with information security, and then switch over to the process side.
Salaries of course vary depending on the company, the role and your experience. The difference is considerable depending on whether you are placed in India or abroad.
I know experienced information security professionals in the UK who charge 500 to 800 pounds per day.
In India an empanelled auditor generally gets upwards of 3,000 INR per day (excluding travel and accommodation). But then again, I know senior consultants/trainers whose daily rate is in the range of 25K.
In fact, while I was the CISO (Chief Information Security Officer) of a company, there was an instance where a reputed training organization charged us for 'air time' (the time one of their senior-most trainers spent on a flight from Delhi to Trivandrum) at a rate proportional to his daily rate. So the sky is the limit.
Life as an information security professional can be challenging, especially if you are in incident management. Even in ISMS implementation and maintenance, a lot depends on the commitment and support of the organization's senior management.
Many organizations go for ISO 27001:2013 certification just for the certificate hanging on the wall. It may be necessary for bidding and for demonstrating compliance to customers, but that's about it.
In theory it is possible to hold an ISO 27001 certificate and have very little actual security for your information assets. Many organizations' ISMS implementations are like closing all the windows but leaving the front door wide open for the thief to walk in and rejoice.
For example, organizations grant local admin rights and leave USB drives enabled on the corporate network, saying they have monitoring mechanisms to ensure this is not misused.
But when you cross-check with the team that is supposed to monitor the alerts, they have their hands full with other work. In this context, informed decision-making can become part of the problem if management uses it the wrong way: "we know it is high risk, but we have decided to accept it." They accept it and sign off, so that external auditors can't contest it too much.
But that approach will not work with customers who are serious about information security (though believe me, there are customers who are satisfied as long as the vendor has a certificate to show).
An information security professional working under such conditions is susceptible to disillusionment and depression. What am I protecting? Well, if you need the job badly, stay on. Otherwise find an organization that is serious about security.
But do remember Dwight D. Eisenhower's words:
"We will bankrupt ourselves in the vain search for absolute security." Absolute security is a myth.