Handbook of Information Security Management:Policy, Standards, and Organization



RESPONSE

In such a convergence of changes, the responsibility to fashion a program that can provide reasonable (not absolute) protection for the organization’s most critical information assets has become ever more difficult. The next sections contrast two principal methods of addressing the increased risks and significant changes in risk.

Old Information Security Organization Model

The typical information security organization of the late 1980s and early 1990s approached its responsibility to protect information assets with several underlying assumptions, often unstated. The first one was that the job couldn’t or wouldn’t get done properly unless the IPS organization actually “owned” the responsibility and the associated protection resources. In a world of rapidly increasing threats, this assumption resulted in an effort to gain an ever-increasing percentage of the organization’s headcount and expense budget. Thus, as mainframe security issues grew, IPS acquired security administrators to set up accounts and access rules. As small and mid-range systems proliferated, we justified the need for, and were assigned, staff experts in VAX, UNIX, and AS-400s. When large relational databases arrived, we asked for ORACLE, INFORMIX, or DB2 experts. As microcomputers and local area networks proliferated, more headcount was allocated to IPS. As global WANs developed, the inevitable request for network expertise followed.

In every case the response was to seek more: more budget, more headcount. An often unwritten corollary from this growth path is the well-established “principle” that more staff and budget = more responsibility and thus a promotion to manager and eventually to director or even vice-president.

So, what’s the problem with this approach? After all, doesn’t everyone win? The IPS group grows in power and influence, risks are “eliminated”, and the responsible leader is promoted to ever higher levels of rank and authority!

Well, even in those unusual cases when an organization can provide the requisite headcount and supporting budget, the organizational risks are not eliminated. Such a melange of expertise and backgrounds, harmonized only by a common commitment to safeguard information, is a nightmare to support administratively. How does a manager provide a career path and maintain skills in these diverse areas? When one technology is replaced (say, the mainframe database with a UNIX server-based implementation of a new relational database), the retraining of staff can consume precious expense dollars. The alternative of laying off staff with the old skills and hiring replacements with the new ones can have a devastating impact on staff morale.

Permanent and Growing Core of Protection Assets

The main reason why this model fails is that the foundation assumption was never achievable. In no organization was risk ever eliminated; rather, IPS staff helped reduce the risk by ensuring that acceptable information security measures such as individual user IDs, passwords, and audit trails were properly implemented and carefully monitored. Risk prevention/elimination was an unmet promise that gave rise to large, heterogeneous departments with little more to recommend them than the promotional opportunity they provided to canny manipulators of the total headcount.

Another set of problems often grew out of the initial success of the IPS group. Over time, the growing budget often became an attractive target for reduction during times of corporate “rightsizing”. After all, if the IPS department did well, then there was little perceived need for it, as the “problem” (risks of losses arising from breaches in systems security) was perceived to be eliminated. Conversely, if the department failed, and the organization suffered known or embarrassing information security lapses, then it seemed unreasonable to maintain a large and increasing investment in a group unable to deliver what was expected or promised. In addition, efforts to centralize information security responsibility in the corporate IPS group could, and often did, lead to the perception that the corporate staff was little more than a “bottleneck” which provided no identifiable “value added” service.

The bottom line is that many risks to critical information in today’s complex and rapidly changing IS and operating environment cannot be cost-effectively eliminated, and organizations that attempt to do so embark on a dangerous and fruitless path that will only discredit the sponsors. However, risk can be and has always been intelligently “managed” by organizations that realize that management is expected to balance risk and rewards, and that when properly informed they can do so with regard to information as they do with other assets.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.