Do you Really Need an Information Security Manager?

If you are a large multi-national corporation you need an Information Security Manager.

If you are a large bank you need an Information Security Manager.

If you are a large retailer or medical institution you definitely need an Information Security Manager.

In fact, if you are any of these, you probably need a team of Information Security Professionals.

But many organizations don’t need an Information Security Manager; they need an Information Security PROGRAM.

Despite the need to focus on information security, a full-time information security professional might not be the best use of your organization’s resources. A typical ISM adds to your payroll, is hard to find, hard to retain and (in the humble opinion of this author) not very productive after the first months on the job.

What does an Information Security Manager do? First, a new ISM will probably look to see what information needs to be protected. Any business, no matter how small, has a bank account and other critical financial information.

Companies hold the Social Security numbers of their employees and contractors and, in some industries, of their clients. They have customer lists they would want to protect, as well as intellectual property and other high-value data. Some companies are especially exposed if they operate in areas such as biotech or hold government contracts.

Second, a new information security manager would look at compliance issues: Is the organization subject to PCI DSS because it accepts credit and debit cards? Is the organization subject to HIPAA? Are there state regulations the organization must follow? As a result of these analyses and his/her own sense of best practices, the ISM would identify gaps in the organization's information security systems.

Step Three would probably be People, Policies and Procedures. The new ISM would develop written policies and procedures, institute password strength and expiration rules, make sure that anti-virus tools are in place and up to date, and make sure that all critical software is patched to the latest release. They would check that users had only the access appropriate to their roles and that the accounts of terminated employees had been promptly disabled or deleted from every system. They would also put together a security awareness training program and remind employees of the perils of phishing attacks and the need to protect credentials and portable devices.

Step Four would be Technical Upgrades: Perhaps improved Firewalls, Intrusion Detection systems, Log Management Systems, Mobile Device Management Software and Encryption Software.

Step Five would be a process wherein the ISM identifies any third parties who may have access to confidential information and ensures that they have the controls in place to protect it.

Finally, an external vulnerability assessment would be performed to verify and validate that the technical controls, policies and procedures were in place and working.

Once the Information Security Manager has completed these six steps, what is left to do? The system will largely run itself. Regulations should be reviewed annually (and they don't change that much). Policies, training and vendor compliance should also be reviewed on a yearly basis.

The biggest job the ISM has is keeping tabs on changes within the organization which might highlight a new set of confidential information. The ISM will also monitor new information security technologies which companies may wish to deploy to thwart new threats or upgrade their defenses.

But instead of incurring the costs and headaches of an employee dedicated to a limited function, most companies can operate an effective Information Security Program with the use of automated, cloud-based tools and cost-effective third parties.

A Certified Information Security Professional can, in a short period of time, sit with key managers and identify the data which needs protecting and the regulations and standards which need to be followed. This can be fed into a tailored database which compares the required security controls with those already in place to produce a list of 'security gaps.'

Policy can be easily developed and delivered electronically to staff. On-line security training courses are available and can also be deployed and monitored from a web portal.

Firewalls can be leased and, along with Intrusion Detection, be monitored remotely 24/7 from a Managed Security Operations Center.

Vendors can be surveyed electronically and the results of their surveys stored on-line.

While this approach will not work for all SMBs it could save your organization thousands of dollars on an annual basis.

In addition to the financial benefits, an externally managed Information Security Program is better than employing an Information Security Manager in another key way: the organization will not be overly 'person dependent.' That is, when the ISM is promoted or moves to another company, you won't have to try to decipher his/her personal system of spreadsheets and on-line documents. The managed Information Security Program will operate independently of any one individual, giving your company stronger and longer-term systems and processes. Further, an independent Certified Information Security Professional works with a number of companies, sees a variety of approaches and outcomes, and is continually encountering new and different threats and countermeasures.

So, before approving that requisition for the position of Information Security Manager, consider the option of third-party tools and consultants. You will likely get a more comprehensive and longer-lasting Information Security Program for a lot less money.