If we are together, nothing is impossible. If we are divided, all will fail.

—Winston Churchill

To reduce cost, our company’s human resources group wants to move all HR-related processes to a SaaS provider, a cloud-based business that’s less than five years old. At first glance, this might seem a low-risk decision. There’s a clear business case, and outsourcing HR systems doesn’t seem to create risks to corporate information assets such as intellectual property. Most businesses regard HR systems as commodity applications, so they might select the supplier who can deliver the required functionality at the lowest cost.

But there’s more to consider. Employees’ personal information will be transferred to the outsourcer, potentially creating new privacy concerns. And imagine the impact if thousands of our employees don’t get paid because the supplier experiences system problems on payday and lacks adequate disaster recovery capabilities.

Clearly, the HR group owns the HR business processes. However, outsourcing these applications and processes can introduce risks for the entire business. The systems that support HR processes can create information risks. Outsourcing also involves procurement. The business needs a clear overview of all the factors, including the risks, in order to make the best decision. To provide this view, the HR, procurement, and information risk and security groups need to work together.

A typical organization makes many decisions that require this kind of internal partnership to manage the risk. A product group wants to outsource development work to bring a product to market more quickly. A marketing team wants to engage a developer for a new social media initiative.

Similar considerations also apply to internal technology transitions such as OS and application upgrades. Each new technology introduces new capabilities and risks. Sometimes, the technology also includes features or options designed to help reduce risk. By carefully analyzing the risk and security implications, including privacy and e-discovery considerations, we can help manage the risk of the transition, and we can often capitalize on the new features to improve the risk picture overall.

For example, when Intel IT was considering whether to migrate to Microsoft Windows 7, the information security team partnered with other groups in a broad evaluation of the OS. We identified several features that could improve security compared with previous versions of Microsoft Windows, and these security capabilities were an important factor in the decision to deploy Microsoft Windows 7 across Intel’s enterprise environment (Fong, Kohlenberg, and Philips 2010).

The ability to make these decisions with an accurate view of risk depends on having the right organizational structure in place. Because each organization is different, there’s no single, standard risk management structure that applies to all organizations. But at any organization, building an effective risk management structure involves considering two key areas, which I’ll discuss in this chapter:

  • Clearly defined information risk governance: Governance defines who makes decisions, who can block them, and who is allowed to provide input.

  • Strong partnerships and multi-stakeholder collaboration: Collaboration between the information risk and security team and other internal groups is critical in forming an accurate view of risk and managing risk overall. Some partnerships are formally defined as part of the risk governance structure; others are informal relationships. These formal and informal relationships are so important that I’ll dedicate a large part of this chapter to them.

Information Risk Governance

Governance is about establishing a structure that enables the organization to effectively sense, interpret, and act on risk. Traditionally, information risk governance has been considered as a component of IT governance. The IT-centric view is encapsulated in a definition from the Massachusetts Institute of Technology Center for Information Systems Research (MIT CISR):

“ . . . A framework for decision rights and accountability to encourage desirable behavior in the use of IT. Governance identifies who will make key IT decisions and how will they be held accountable.”

But as every company becomes to some extent a technology company, we need to broaden this definition to include the information risk associated with technology-based products and services. Perhaps a better definition for this broader view is “Governance identifies who will make key information risk decisions and how will they be held accountable.”

Information risk governance focuses on enabling the business while protecting the confidentiality, integrity, and availability of information, whether it is corporate data or personal information about employees or customers. It requires the involvement of the entire organization. To achieve effective information risk governance, the information risk and security team must work closely with other groups.

A company’s primary areas of information risk are closely intertwined, underlining the need for an effective governance structure that embraces all of these areas. For example, a hacker might compromise the IT systems used by the company’s product developers, and then use those systems as a way to introduce malware into the company’s technology-based products.

Think about how easily security researchers were able to hack into Jeeps and other vehicles over the past couple of years, demonstrating their ability to remotely take control of the car with potentially life-threatening consequences. Clearly, security may not have adequately considered such a scenario when the car’s product groups designed those features. Yet any big company, including automakers, typically has large teams of people dedicated to managing information risk. It seems that in the case of the automakers, the companies perhaps lacked an effective structure for managing information risk wherever it occurs, whether that is in the company’s products and services or within back-office IT systems.

To some people, the word governance may imply unnecessary bureaucracy, or perhaps even a dictatorial approach. MIT CISR notes that “good governance is enabling and reduces bureaucracy and dysfunctional politics by formalizing organizational learning and thus avoiding the trap of making the same mistakes over and over again.”

Research at MIT CISR shows that the more businesses leverage the structure, tools, and techniques of governance, the greater the potential benefits. In fact, MIT CISR’s work suggests that firms with effective IT governance enjoy profits that average at least 20 percent higher than their competitors (MIT CISR 2012).

However, leveraging governance doesn’t imply slavishly following rules and procedures. A few years ago, I encountered an IT professional who was regarded by some people, including himself, as one of the best managers in IT. He rigorously based his project decisions on the prescribed practices and procedures, and gathered the correct metrics for reporting progress. Yet the projects he was responsible for generally turned out to be large, expensive failures. His obsession with correct procedures often impeded, rather than facilitated, the projects he was working on.

To use an analogy, if you gave the same recipe to a top chef and an average cook, would you expect them to produce exactly the same result? Probably not. Expert chefs don’t simply follow the rules; they continually make adjustments using their senses and experience to achieve the best results. The temperature of a cooking surface is not exactly uniform, so a chef may move the pots until they’re simmering just right. Fresh ingredients vary from day to day; the experienced chef is alert to the differences and tweaks the recipe and seasonings accordingly.

Like the procedure-obsessed IT project manager, we may scrupulously adhere to the rules but fail to achieve the desired outcome.

This is one reason that partnerships with other groups are so critical. They provide channels for dialogue, helping us sense changing business priorities so that we mitigate risk based on those priorities rather than our preconceptions.

Without a governance structure that facilitates this dialogue, organizations may take too rigid an approach when applying controls to manage and mitigate risks. For example, some security groups try to ban the business use of social media due to the risks, but attempting to stop the use of external social media web sites is counterproductive and, in any case, impossible. At Intel, we found it was more effective to embrace social media and shape the way that employees use it, as I’ll describe in Chapter 5. This approach, developed in partnership with other internal groups, enabled the organization to enjoy the benefits of social media while managing the risk.

Finding the Right Governance Structure

No single governance structure will fit all companies (see Table 3-1 and the sidebar “IT Governance Archetypes”). Furthermore, organizations may shift between different risk governance models over time. When most organizations’ information assets were primarily managed in centralized IT systems, it was natural for information risk to be a centralized function managed within the IT group. But now, information-related risks are much more distributed. To drive corporate revenue, many companies are developing technology-based products and services more or less independently from the central IT organization. At the same time, business groups are shifting to cloud-based applications that store corporate and customer information at external cloud providers.

Table 3-1. IT Governance Archetypes. Source: Weill and Ross 2000

IT Governance Archetypes

When considering the right risk governance structure for your organization, it may be entertaining to think about how your organization compares with the deliberately provocative governance archetypes, ranging from a feudal structure to anarchy, identified by MIT CISR in the influential book IT Governance (Weill and Ross 2000, 59).

In practice, organizations may shift between different risk governance models over time—from an IT-centric monarchy during the mainframe era, toward a feudal model or business monarchy as distributed systems emerged, swinging back to a federal model as they recognized there’s a role for centralized IT, then shifting again towards a business monarchy with the focus on technology-based products and cloud computing.

Today, many organizations may find that it makes sense to establish a hybrid governance model that balances centralized and decentralized risk management functions. At the same time, the need for a single, broad view of all information-related risks is driving organizations to create an executive role with overall responsibility for information risk. The executive often has the title of Chief Information Risk Officer (CIRO) or sometimes the Chief Security and Privacy Officer (CSPO). The executive’s broad responsibilities encompass the roles of Chief Information Security Officer (CISO)/Chief Security Officer (CSO) and Chief Privacy Officer (CPO).

To consider how this model works, let’s first think about all the interrelated risks that an enterprise needs to manage. Figure 3-1 shows each primary area and the core elements that are common to all of them. The CSPO’s role is to manage this “Rubik’s Cube of risk.”

Figure 3-1. Security and privacy: the primary areas of information risk, and the core elements of information risk management that apply to each area

Now consider the governance model, the organization’s framework for managing those risks, shown in Figure 3-2. It consists of four main areas:

  • Oversight: This area focuses on making informed risk decisions and reviewing risks. It includes committees and review boards that set strategic direction, and review key risk areas such as ethics, compliance, and corporate investigations.

  • Monitoring: Monitor (sense) risk through external and internal sources. External sources include industry research and analysis. Internal sources include internal partners who inform us of new business risks or legal requirements. These internal sources also include our own security technology sensors.

  • Engagement: Participate in industry workgroups and in partnerships and dialogues with trusted peer organizations. These external engagements provide a valuable risk-sensing function and help influence key security initiatives. I’ll discuss external partnerships in more detail in Chapter 4.

  • Operations: Day-to-day risk management activities and processes, including risk assessments, incident response, and exercises such as war games.

Figure 3-2. A corporate information risk governance model

Typically, the corporate governance model should achieve a balance of centralization and decentralization. At most large companies, risk is decentralized: at any one time, our companies are planning or managing many technology-related initiatives and events across practically every part of the business. Therefore, we need decentralized risk management processes; too much centralization can mean losing the ability to sense threats and respond in an agile way. But at the same time, we need a broad centralized view of the dynamic risk landscape and the ability to set organization-wide policies in areas such as security, ethics, and privacy. So the model must allow a centralized view and ownership of key risk functions, along with the ability for decentralized execution.

The CSPO and the information risk and security team are involved in all four quadrants of the model. The CSPO tends to be more focused on oversight and engagement, while the team’s members naturally tend to be more involved with monitoring and day-to-day operations.

For most functions, the CSPO and team work with other parts of the organization, either taking primary responsibility or operating in a participatory role. In the Oversight quadrant, for example, the CSPO may sit on the ethics committee and participate in business unit risk management reviews. In monitoring, the CSPO’s team may have primary responsibility for threat landscape reviews and threat indicators, but take more of a participatory role in internal audits and assessing business unit risks. In operations, the team may own responsibility for the security development lifecycle and privacy by design, while participating in change control. It should be apparent that all of these functions require collaboration with other groups within the organization.

Building Internal Partnerships

By providing vehicles for dialogue and decision-making, internal partnerships and multi-stakeholder collaborations enable information security teams to become more agile and responsive to business needs. The number of potential partnerships has grown as the scope of information risk has broadened to include a range of privacy and regulatory concerns as well as traditional security threats.

In mature and proactive organizations, the information risk and security team partners with many internal groups for a variety of functions, including risk management decisions, incident response, and monitoring. These groups include legal, finance, human resources, physical security, and business groups.

Partnerships may include formal structures such as standing committees as well as a large number of informal and ad hoc relationships. These are created and maintained through everyday communication with people in other groups. We might initially contact a business group to understand the potential impact of an emerging area of legislation. The business group identifies risks and opportunities that we hadn’t even considered. Our initial request thus sparks a dialogue about requirements and controls, and ultimately evolves into a partnership that helps us monitor risks and mitigate them. We also gain business acumen, which helps us play a more valuable role within the organization.

In my roles running risk and security, partnerships and multi-stakeholder collaboration have been critical to my success in understanding the broader risk picture, helping the organization sense, interpret, and act on risk. Through these relationships, other groups can act as additional eyes and ears for the information security group, alerting us to issues such as security threats and compliance concerns. For example, the HR legal group might alert us to an employment-related regulation that creates new compliance concerns. Information about risks flows in the other direction, too: we may alert our partner to new threats that we’ve encountered. As we leverage other groups to look out for our interests, they can also use us to look out for their interests. We also work with partners to interpret this shared information through analysis and decide how to act in response.

Internal partnerships may focus on just one of the areas shown in Figure 3-2, or they may intersect multiple areas. For example, we partner with HR for incident response (operations) and to learn about new employment laws (monitoring). Multiple partnerships may also be required within each focus area: with the growing number of regulatory requirements, partnerships with internal groups such as HR, legal, corporate security, and internal auditing become increasingly important and valuable in the area of operational investigations.

Because no two organizations are identical, each organization may require a different set of internal partnerships, depending on its structure and business needs. Every partnership should be created with a clear purpose. The organization should also clearly define who is involved and who makes the decisions. To determine the partnerships your information security group needs, as well as their structure and purpose, it may be useful to ask the following questions:

  • Who do we need to partner with and why? To put it another way, who do I interact with every day, and why do I interact with them?

  • What benefits do I receive from that interaction, and what benefits does my partner receive?

In the remainder of this chapter, I’ll discuss some examples of important partnerships, describing how we can use them and the value they provide. I’ll start by examining partnerships with fellow travelers who have complementary roles in managing business risk and liability: legal, finance, human resources, corporate security, and corporate risk management groups. Then, I’ll examine partnerships with business group managers.

Legal

Legal groups are among the information security group’s most important partners because of the many areas where their roles intersect with ours. They own the responsibility for legal compliance and legal review. They interpret laws, analyzing the implications and relaying the relevant information to the rest of the organization. Key partnership areas include privacy, litigation, intellectual property, contracts, and compliance with financial regulations.

As companies create more technology-based products and services, their initiatives are likely to come within the scope of a broader range of laws and regulations. Health-monitoring products might fall within the purview of the Food and Drug Administration; companies thinking about using drones for photography need to think about Federal Aviation Administration requirements.

Privacy

As privacy regulations continue to grow in complexity and reach, many organizations need to comply with multiple requirements at local, regional, and national levels. Legal specialists across the organization can help us understand what’s required in each geography, align policies and controls for protecting personal information, and decide how to manage responses in the event of a breach.

Even local regulations can have implications across the enterprise. For example, citizens of European countries are subject to European and national privacy laws and regulations. The simple transfer of European employee personnel information to a US-based server will trigger a need to comply with the EU data privacy laws regarding such transfer of employee information.

Litigation

As one might expect, it’s essential to partner with legal specialists in situations where litigation is possible or already in process. Examples are investigations of security breaches, particularly when law enforcement is involved. Another area of partnership is in responding to subpoenas and litigation discovery orders; a legal group may need to work with the information security team in order to collect the required information. To ensure that data is available for discovery when needed, we may also need to collaborate with the legal group to implement appropriate data retention policies.

Intellectual Property

Many organizations use a data classification structure to protect intellectual property, with the most highly classified information receiving the greatest protection. We work with legal groups to specify the classification structure and then implement controls on management and distribution of such information to provide the appropriate level of protection. We also partner to respond to suspected or known IP thefts. Suppose an employee loses a laptop storing the designs of future products; a dialogue with IP attorneys is essential to understand the implications and decide how to respond.

Contracts

Almost every contract with a supplier or customer contains a confidentiality provision, which sets expectations about how each party will maintain the confidentiality of the business transaction and any shared confidential information. We partner with the procurement organization as well as the legal group to define and implement these requirements into contracts.

If our company decides to outsource a business application to an external supplier, we’ll typically work with the procurement organization and legal team to define these confidentiality and data security expectations, as well as the evidence we’ll need to validate that those controls are operating properly. For example, when hiring a company to manage health benefits, we set expectations about how they must protect our employees’ personal health information.

Our customers have expectations, too. Another company may need to share some IP with us to help us integrate our technology into their product. We need to understand their requirements and ensure that appropriate controls are implemented.

A security technology supplier has to meet customer expectations that go beyond the product’s ability to provide protection. As I mentioned in Chapter 1, one of the irrefutable laws of security is that even a security feature can be used for harm. So suppliers must be able to discuss their security development lifecycle, privacy by design, and overall state of internal controls, all of which could ultimately affect the efficacy of the product.

Financial Compliance

In the United States and other countries, public companies are legally required to disclose “material events,” those likely to have significant financial impact that could affect investor decisions, including IT-related incidents. An important aspect of risk governance, therefore, is partnering with legal groups to understand the types of events and specific incidents that must be reported.

Guidance from the US Securities and Exchange Commission specifically discusses the obligation to disclose the impact of cyber attacks, including those that result in IP thefts. Companies are also required to disclose material increases in security spending in response to an attack, even if the attack didn’t result in a loss of IP (SEC 2011).

The legal team cannot do this alone because it lacks the security context of the event: the frequency of specific types of attack, the potential impact, and the cost of response. Therefore, the security team must be involved.

In 2010, Google disclosed that it had been breached in the widely publicized Operation Aurora attack. At around the same time, Intel also experienced an incident of similar sophistication. This was before the SEC issued its guidance in 2011, but as I pondered the potential ramifications of a cyber breach one sleepless night, I realized that I should call our SEC legal experts to discuss the incident. Subsequently, we disclosed the incident in our financial report for the first quarter of 2010 (Intel 2010).

Legal Specialists Within Business Groups

At large companies, each business group may have embedded legal experts. We need to work with them for issues directly related to their group. In addition, because of their connections within the group, these legal professionals can be extremely helpful in influencing the group’s controls and expectations.

Marketing groups, for example, usually include individuals who want to explore new ways to communicate with users via social media. This appetite for adventure is a good thing; it can benefit the business. But at the same time, we have to ensure that content is adequately protected and includes appropriate privacy protection and statements. If we bring up the issue directly with marketers, we may receive a lukewarm response, as they tend to view any controls as restrictions on their ability to move quickly. But the legal professionals within the marketing group understand the need for controls. So a good way to raise our concerns is to have a conversation with the business group’s attorney, who can help persuade others in the group that controls are needed.

While I was Chief Security and Privacy Officer at Intel, we implemented a program that reviewed all new externally facing online projects and monitored them for potential problems (see sidebar). The projects ranged from web sites to more sophisticated tools, such as an application that users can download and use in conjunction with external social media sites.

As part of the review, we asked the project group who their legal contacts were so that we could verify that they’d received legal approval. We also asked whether trademark and branding teams had reviewed the initiative, which was essential in many cases—especially if the project was planning to register a new web site. Sometimes the answer was no, in which case we facilitated a dialogue with the trademarks and brands team. This enabled the trademark and brand people to manage the risk and helped forge yet another important relationship within the company.

Securing Intel’s External Online Presence

Intel’s business groups use hundreds of web sites and third-party solutions, including social media platforms, to communicate and conduct business with customers and business partners. Collectively, these externally facing Intel-branded solutions were known as Intel’s external presence.

Until 2006, these web sites proliferated rapidly in response to business needs, without centralized oversight. Given this growth and following a number of security incidents and the identification of several significant risks, we established the Intel Secure External Presence (ISEP) program to provide appropriate security for Intel’s external presence (Leon 2011).

The goals of ISEP, which was a part of Intel’s information security group, were to protect Intel’s information assets and customers against threats such as loss of personal information and malware attacks, and to maintain compliance with laws, regulations, and standards. By achieving these goals, we also helped to protect Intel’s corporate image.

We helped ensure this protection and compliance by reviewing all planned new external presence projects and by monitoring existing Intel-branded web sites. ISEP review and approval was mandatory for new externally facing online projects. We worked with Intel business groups to review planned projects before launch, whether they were to be hosted within Intel or by a third party.

Any ISEP-like process for reviewing a company’s external presence should include several key aspects:

  • Ensure notification of new projects by working closely with business groups and other stakeholders within the company. For example, the information risk and security team should be notified when business groups request new Internet domain names or seek approval to land a new application in the externally facing IT environment.

  • Work with the business group on each project to review details of the planned approach to maintaining security and privacy compliance. Verify that the project includes any required mitigating controls before giving approval.

  • Establish an overarching governance board, including senior managers from multiple stakeholder groups. This board should have enforcement powers including the ability to shut down web sites for noncompliance.

Human Resources

The human resources group is the organization’s center of expertise on employee procedures, and it includes legal specialists who are the organization’s experts on employee-related laws. Because of its responsibilities, the HR group also tends to be heavily involved in insider risk considerations and in taking action in any cases that are discovered. In some organizations, HR is also responsible for other functions, including internal and external communications. Because of this broad charter, the security team may form valuable partnerships with HR in several areas, including employee policies related to appropriate use and protection of information assets, internal communications, and investigations.

Setting Employee Expectations in Security Policies

Employees are part of the security perimeter, as I’ll discuss in Chapter 5. Their behavior can have as much impact on security as the technical controls we use—particularly since a growing number of user interactions with the outside world take place on external web sites and networks, and on personal devices such as smartphones.

It is therefore critical to create employee policies that set expectations for secure behavior. If we can influence employees to behave in more secure ways, we can reduce risk for the business overall. However, the security team cannot write these policies without partnering with HR, including HR legal specialists, to ensure that they comply with employment laws and the organization’s existing rules. Then, if an employee disregards the policies, we need to work with HR to take disciplinary action.

Careless behavior can have highly damaging consequences. Imagine an IT employee who decides to store some corporate data on a server at his home so that he can more easily work on projects when out of the office. But his home system is open to the Internet, and thus the data may be broadly exposed to anyone worldwide.

The employee’s action has created a significant security risk. To explain the potential impact to HR, it may help to use analogies. We could say it’s like an engineer taking critical product designs home and showing them to her neighbors. Or a factory employee taking dangerous chemicals home to experiment with them, and creating the danger of an explosion in his garage. If we have a good relationship with HR, we can have this kind of discussion and determine the appropriate consequences for the employee.

Employee Communications

The responsibilities of the employee communications group often include employee training, employee awareness, and internal distribution of other corporate information. This group’s expertise can be very useful when we want to communicate security messages to the workforce. The group already has established communication channels and knows how to align messages with corporate style guidelines. A good employee communications group also knows how to present information in ways that engage employees rather than intimidate them.

In my prior roles running security and privacy, I always worked extensively with the employee communications group to create engaging security awareness messages, including interactive content that helps encourage secure practices when using social media and the Web.

Investigations

Partnership with HR is also essential in internal investigations, including investigations into insider threats and the responses to them. In other cases, we may already be pursuing an investigation and need help from HR legal specialists to access employee information.

Finance

The finance group typically takes the lead in managing enterprise-level risk and controls for the organization overall. Therefore, we need to partner with the finance group to assess the business impact of damage to information assets—a loss of confidentiality, integrity, or availability. This applies not only to internal systems that support business operations, but also to information technology-based products and services that generate revenue. We also work together to determine the required controls.

Sarbanes-Oxley Compliance

The corporate finance team usually has overall responsibility for Sarbanes-Oxley (SOX) infrastructure. We also work with the finance group, as well as legal groups, to determine whether we should categorize specific events as material and report them as required by SOX. This also includes product- or service-related vulnerabilities and controls that could have a material effect on revenue or corporate liability.

Working with Business Groups

Each sizeable business group is likely to have a group controller or other financial specialist responsible for financial controls. These finance experts can become important partners for the security team.

Because financial specialists focus on risk and controls, the culture among finance specialists has some similarities with the culture of the information risk and security teams. This shared focus can make it easier for us to communicate our concerns, particularly since the impact of information risk is often measured in financial terms. Therefore, the financial specialist can be a key contact point when we need to discuss information risk with business groups.

Sometimes these risk conversations can evolve into productive multi-way partnerships. A recent example: an IT team presented plans for new systems to support one of Intel’s new businesses. As we assessed the information risks, we noticed that the plan didn’t include fully redundant systems to ensure business continuity. When we asked why, it emerged that the business group hadn’t requested redundancy because it would add cost. Revenue from this new business was initially expected to be modest, so the group’s budget was limited.

However, when we discussed the revenue projections with the finance specialists who worked on the project, they expected the business to grow rapidly. This growth would also increase the information-related risk because a system failure would have a much bigger impact on revenue. As we discussed the implications, it became clear that it would make more sense to prepare for the anticipated growth by including redundancy from the start. So we suggested that the business group negotiate a higher budget—and that’s what happened through a partnership between the business group managers, the information security team, and IT finance and business system specialists. The business group allocated increased funding that allowed IT to implement a redundancy safety net that would protect the growing business.

Internal Audit

Financial groups are often also responsible for internal audit, which typically includes an IT auditing function—a job with considerable potential for overlap with the information security group’s role. If the security team and internal auditors duplicate each other’s efforts, we’ll waste resources and annoy business groups. Imagine that we contact a business manager to say that we need to conduct a risk evaluation of the group’s systems. The next day, internal auditors contact the same group and say they’re planning to do an audit, which some business managers might perceive to be essentially the same as a risk evaluation. What kind of reception do you think the auditors would receive?

We can minimize the overlap by partnering with internal auditors. This partnership becomes a mechanism for effectively allocating risk management resources. If the information security team has already assessed a system, auditors may be able to increase the efficiency of an audit by leveraging the work that the security team has already performed.

For effective partnership, our work must be thorough, transparent, and well documented so that auditors can see what we have done. We may also swap resources: sometimes security experts may act as guest auditors for specific projects because they have skills that the financial group lacks. The partnership can also be used for valuable dialogue and mutual support. If we’re concerned about a system that internal auditors have previously examined, we can ask for their opinion. We’ll sleep better knowing that another group of objective, risk-focused specialists has analyzed the system.

Corporate Risk Management

Most large organizations employ people whose job includes purchasing insurance for general business risks, including property and casualty insurance to protect the organization in the event of damage to a data center or another facility. When buying insurance, the corporate risk management team may need information from us about the organization’s IT business continuity and disaster recovery plans. Insurers ask for this information in order to set premiums.

Today, the corporate risk management team usually focuses on physical risks. But their scope is rapidly expanding to include IT-related risks as well as risks associated with products and services. Privacy breaches or other compromises can have a major impact on a company’s revenue, cost, and brand image. Because of this trend, insurance against cyber risks is a rapidly growing category, and we can expect a growing need to partner with the corporate risk management team to ensure adequate coverage of information risks.

Consider the case of Sony, which suffered a breach of its PlayStation Network—estimated by the company to cost at least USD 200 million (Perlroth 2011)—and then became embroiled in a legal dispute with its insurer, which claimed Sony’s insurance policy did not cover cyber risk. The breach at Target, in which hackers stole the payment card accounts and personal information of millions of customers, is estimated to have cost the company roughly $250 million. Reportedly, the insurance payout of $90 million left the company $158 million in the hole, plus what it paid for cyberattack insurance.

Privacy

Privacy and security are closely linked. However, increasing security doesn’t always enhance privacy. In fact, it can have the opposite effect. Unfettered bulk collection and monitoring of the information and activities of users and their machines may be capable of increasing security, but it may also intrude on personal privacy. This data store may also be an attractive target for intruders.

This creates inherent tension between security and privacy interests. This tension is apparent at a national level in the way that privacy advocates respond to the use of surveillance and data mining. Government security organizations may feel that they protect data extremely well, but privacy advocates still object to the fact that information is collected and the way it is used.

Similar concerns apply at the enterprise level. We need to carefully manage the relationship between security and privacy, ensuring that we apply the appropriate level of controls to protect information without infringing on personal privacy.

The structure of this relationship varies between organizations. While at Intel, the information risk group that I managed for over a decade included the privacy team, which reported to me as the CISO. Then, as we began to see a growing confluence of the risks shown in Figure 3-1, I was promoted to a broader role as Chief Security and Privacy Officer, to give us an integrated governance and accountability structure. At other organizations, privacy is the responsibility of a separate group headed by a Chief Privacy Officer who is the CISO’s peer. This arrangement necessitates careful management of the relationship between security and privacy teams to manage tension, align policies, and control breaches. In organizations with this structure, the security team sometimes complains that the privacy team is “getting in their way,” which usually means that the security team wants to collect specific information and the privacy team objects.

Regardless of the organizational structure, it is the security team that is logically responsible for implementing IT controls. It is the product security team that is responsible for the security development lifecycle (SDLC) and product security incident response (PSIRT) processes. Laws define privacy rights; the organization’s interpretation of those laws drives compliance requirements. It is the security team’s responsibility to determine how to implement controls to support those requirements.

Corporate Security

The corporate security team focuses on physical security concerns ranging from door locks and guards to break-ins, fires, and natural disasters. By partnering with this team, we can make sure we’re aligned on protection of key information assets. It wouldn’t make sense to implement sophisticated data-protection tools on the servers in the data center and then leave the data center doors unlocked.

We also need to coordinate on other issues, including incidents that involve law enforcement. Not so long ago, assaults and harassment were almost always physical incidents handled by corporate security and the police. Today, there’s a much bigger overlap with information security. More crime is moving online, and we may encounter other problems, such as cyber bullying. Because of these trends, we may need to help assess the impact and drive the response.

Business Group Managers

Each business group has its own processes and applications, whether it’s a product-focused unit responsible for generating revenue or an internal group managing finance or human resources. The information security team needs to partner with each group to implement security controls that protect the group’s applications and information.

As the business acumen of our information security team increases, we can better fulfill our Protect to Enable mission by focusing on controls that improve security without impeding the business. This applies not only to the systems that support business operations, but also to the technology-based products and services the business unit creates. For example, we may discover product vulnerabilities through our security development lifecycle processes. We can partner with the business group to correct vulnerabilities before shipment, and we can work on training to prevent future mistakes due to poor coding, design, or architecture.

By working with business groups, we can also leverage their strengths. Business group managers can help drive decision-making and incident response. They can also help improve security by setting the “tone at the top,” publicly setting expectations for their employees’ security behavior. Suppose we notice that an increasing number of the employees at a specific facility are experiencing laptop thefts. We discuss the trend with the general manager and explain that we want to increase employees’ awareness with messages about how to prevent theft. The business manager may offer to help by bringing up the topic at a site meeting or otherwise directly communicating with employees. This management request may exert a more powerful influence on employee behavior than messages sent by the security group.

How To Respond To Emergencies

Defining a clear IT incident response process is an essential aspect of IT governance. Similarly, a clear PSIRT is an essential aspect of risk governance for technology-based products and services. Over time, while I was at Intel, we developed a clearly defined crisis management process for responding to emergencies and other significant incidents that affect IT infrastructure or services (Fleming and Tomizawa 2012). The goal of the process was to prevent material impact to the organization and its employees. Similarly, the goal of a PSIRT process is to prevent material impact to customers or even to society in general, depending on the nature of the risks.

Incidents that may trigger the process include cyber events and other information security incidents; physical incidents such as fires, leaks, and major outages that affect IT systems; and major disease outbreaks. A useful starting point for developing the process is the incident management principles based on the US Federal Emergency Management Agency’s response to disasters.

Once initiated, an IT emergency response process (ITERP) operates with a command-and-control structure, led by an incident commander who has overriding authority to make decisions across IT for the duration of the emergency. The structure consists of a virtual organization staffed on a volunteer basis by people from every discipline within IT. When an incident occurs, all team members perform their response roles instead of their normal duties until all issues are resolved.

Following an incident, the team should quickly identify the state of critical business processes that must continue during the crisis. It determines the current status of the key steps in the product cycle: design, build, order, ship, pay, and close. It assesses the physical state of the infrastructure, and analyzes the legal and other impacts if intellectual property or personal information is compromised. Decisions about response and remediation are driven by the incident commander and determined by business priorities.

PSIRT and privacy response processes should be structured along similar lines, focused on their respective mission-critical priorities.

While I was at Intel, the ITERP team, the PSIRT team, and the privacy incident response team proved to be essential components of the successful resolution of every crisis management, coordination, control, and communication activity across the company during my 13.5-year tenure.

Conclusion

Information risk has become a major concern for the entire organization. Managing information risk therefore requires a clear governance structure that enables the organization to make the right security decisions quickly and effectively.

Building the right governance structure can sometimes seem like a complex challenge. I’ve found that a good way to simplify and focus the thought process is to consider the following two cardinal rules. In my experience, these rules apply to all organizations, whether large or small, public, private, or non-profit.

  • Rule 1: Structure drives behavior. Thinking about the behaviors that you want to see in the areas of security and privacy will help lead you to a structure that encourages those behaviors.

  • Rule 2: You get what you measure. Thinking about the desired outcomes will help you determine how you should measure your organization’s success in managing risk.

Think about how your own organization manages information risk. Do you develop strategies in close collaboration with business groups? Do you feel that you communicate well enough with every group to understand their priorities and implement controls that reflect them? Have you clearly defined all of the processes required to respond to a major breach or denial-of-service attack? If you answered “no” to any of these questions, you may need to improve your information risk governance.

Effective governance relies on partnerships between the information security team and other internal groups across practically every part of the organization. In this chapter, I’ve described some of the most important partnerships and the value we can derive from them.

To develop these partnerships, CSPOs as well as Chief Security Officers and Chief Privacy Officers need more than just technical skills. We need to communicate in terms business people understand and build relationships that enable us to influence people at all levels across the organization. As the scope of information security expands, we also need extensive management and leadership skills, both to operate at an executive level and to coach and inspire our risk and security team.