Are You an Information Security Manager?

Jana Puskacova, CISO, Slovnaft

Information security managers are unique in their ability to envisage cyber risks for the organization they work for and propose how to reduce them. If they want to be successful, they need to identify the threats faced by the company and deploy an optimum mix of people, processes and technologies to provide the highest possible level of protection.

They may be certified, extraordinarily experienced, even enthusiastic. However, if their understanding of relationships or support across the company is lagging, their effort may be in vain.

Jana Puškáčová, manager of the Information Security department at MOL IT & Digital GBS Slovakia, a subsidiary of Slovnaft, a.s. (a Slovak refinery), shares her experience: “When starting a security management job, I try to go through my to-do list in order to get a view of where the organization is standing.” And based on her long cyber security experience, she adds: “I keep on revisiting my task list so as not to overlook the forest for the trees.”

Any good information security officer knows that there is one more criterion on top of all the professional ones – you can't learn security. Security is about the mindset.

My TO-DO list looks as follows:
1. Learn to speak the language of your business tribe

We live in the same world and use the same technologies, and yet organizations and companies differ in their take on cyber security. That's why the very first difference is the kind of organization the information security manager is coming to – is it an established industrial corporation or a company that has grown on information and (tele)communication technologies?

Understanding means listening, comprehending and at the same time adequately using one's experience and delivering one's recommendations in a clear way. The task of the information security manager has been and will always be coping with security risks – however, in the context of added value for the business, and being able to communicate that added value in a comprehensible manner. Without the support and involvement of top managers, process owners and IT staff, including system administrators and operators, even the best recommendations are futile.

The placement of cyber security management in the company's organizational structure speaks volumes about the priorities of the management, and these need to be respected. There are companies where security reports directly to the top executive manager; in other structures it reports to the production manager, the HR department, or the financial, commercial or IT director.

2. Find an ally

Cyber security encompasses technologies, software, legislation, procedures and processes as well as internal and external data communication, and it impacts the agenda of every unit, employee and top manager. So, in addition to the basic task, the information security officer must pose the same question again and again: How am I supporting my business colleagues and individual departments in their performance?

Apart from the top management of a bank, asset management company, oil refinery, aluminum plant, heat plant or hospital, there is always a decisive person who is a sort of soul of the organization and whose position is highly respected internally. Such a person can teach you a lot about the company, and through an alliance with such an internal leader you can identify and assert a real benefit of cyber security in the corporate structure.

3. Make an inventory of your team's skills and fill the gaps

Be it the people in the information security team or an external supplier providing support to that team, the priority is to know not only their professional skills but their internal set-up as well. If a member of the information security team is lacking willingness, motivation and a certain level of stubbornness, even the best professional skills cannot compensate for the lack of engagement. An experienced information security manager should be able to formulate recommendations for further development of the soft skills that are so important for the proper functioning of the team. He or she should also be able to assess which areas are suitable for out-tasking to highly qualified external suppliers.

If an organization has identified a need for specific cyber security skills such as security monitoring, forensic analysis, architecture or immediate incident response, out-tasking can be an optimum solution. Via out-tasking, the information security department gains very fast and flexible access to an entire team of professionals providing specialized services or consultations, which appropriately complements the capacities and capabilities of the internal team by delivering partial tasks.


4. Prepare a quick situation map

Once we have the overview of people and skills of our team and have identified the allies, the time has come to survey processes in terms of information security and evaluate the level of security awareness in the organization.

A quick security assessment of selected information systems allows us to find out if and how existing business processes are aware of and comply with best practice and industry standards (e.g. ISO 27000, OWASP, COBIT or the Law on Cyber Security). Such an assessment is a great candidate for out-tasking.

Social engineering tests can be arranged internally and can reveal a lot about the existence of information security processes, the security awareness of employees and their acceptance and understanding of those processes.

The outputs of these assessments provide valuable input for a high-level situation map that reflects the current status and reveals the weak spots in the information security process area.


5. Check status of assets your company values most

Having got a glimpse of people skills, awareness and processes, the time has come to focus on IT infrastructure. From the technology point of view, the minimum we should know is what is operated locally in the data center and what is in the cloud, how gateways, firewalls and servers are configured, how many endpoints we need to manage in our domain, etc. We should also understand what our crown jewels are – especially from the business point of view – and what technology supports them, who their owners, administrators and operators are, where they are located and what their status is.

A tool enabling the effective identification of all technological and technical assets is an invaluable assistant in getting to know the environment. A vulnerability management solution can kill two birds with one stone: discover and map the hardware and software assets visible in the network and identify their weaknesses. Identifying which weaknesses should be tackled first, determining the priorities of remediation activities and assessing their potential business impact requires intensive communication with business stakeholders and support from all asset owners – something no tool can identify for you.

6. Monitor the traffic on your communication highway

Our mission does not end with understanding our most valuable assets (be it people, data or technology), the security awareness level of our end users or the maturity level of supporting processes. Now is the time to dive a bit deeper into the communication of our IT assets.

Tools such as firewalls, intrusion detection probes, proxies or endpoint devices can provide only partial information about what is happening in our infrastructure. We need comprehensive visibility of the entire traffic: a solution that can detect and identify threats in “near real time”, trigger relevant alerts, provide input for a fast defensive response and collect suggestions for defensive activities, while complying with the Law on Cyber Security.

Should a need to increase visibility of communication flows arise in an organization, a fast and elegant solution is to order a security monitoring service that can consist of leased technology, supervision center services and the expertise of security consultants. Technologically, the solution can be platform independent, and the main benefits of such a service should be not only reliable identification of infrastructure threats and early detection of unknown attacks and harmful activities, but also fast access to highly professional know-how and expertise without the need to build in-house capacity.

The end? Just the beginning

Six hints in three areas should help us get a picture of the new environment and provide solid input for an information security roadmap update. Information security is a never-ending story that requires a clear direction, healthy stubbornness and the ability to adapt to the current situation while not losing sight of the goal.

Final thoughts

  • Information security is here for the business... not the other way round.
  • “NO” is not an answer. Business must always go on, and information security should find a way HOW to meet security requirements while managing the business expectations.
  • Learn to cope with “hate/dislike” – information security measures often introduce change, sometimes introduce more complexity, and many times do not make life easier, but safer. And that is what people usually do not accept easily.
  • Be friends with corporate communication department – they can help you communicate even the most complex topics from totally different perspective.