Posted by: David Schneier
Audit, business continuity planning, CISO, compliance, GLBA, information security, information security office, ISO, Regulatory Compliance, Vendor Management
I was talking with a client last week about a perceived gap in their organization. Despite having to address multiple regulations cutting across several oversight bodies, they were lacking a single point of contact or central coordinator for all information security related activities. Their sense was that they were long overdue for some form of a chief information security officer (CISO) and I had to agree.
The same point was underscored earlier this week during a kick-off meeting with a client regarding a pending audit. Almost all of the requests for information, including policy and procedure documentation, were redirected to their most senior IT person. As we were wending our way through the items on the list and they kept verbally pointing to the IT person, I started wondering how he could be responsible for all of these information security related items and still perform his regular IT duties. The answer of course is that he can’t, not effectively anyway.
There’s a discipline involved with regards to regulatory and industry compliance that requires someone be committed to both understanding what needs to be done and then making sure that it’s happening. This isn’t a new consideration; I’ve blogged in the past about how we’ve moved from an age where you simply needed documentation to one where actionable steps are required. It’s not enough to have an information security policy in place; you also need to comply with it and then be able to prove that fact upon request. You can’t talk about how you restrict access to systems and information and not be able to provide a recent access review/report.
I’m routinely amazed by how few of my clients understand the growing need for the role of a CISO despite their awareness and sensitivity to the increasing regulatory burden. Many financial institutions will offer up that they have a BSA officer and some will introduce a compliance “person” who is almost always focused on AML/Patriot Act activities and not much else. I’ve interviewed several dozen people over the years who were included in the audit or assessment process because I asked to speak to their head compliance person and it turned out that they had very little if anything at all to do with information security and GLBA-related activities. How is that possible?
How can you expect someone who is an expert in technology to also be an expert in information security and GLBA?
The answer is obvious: you can’t. First, there’s a very real conflict of interest in asking the person who owns many of the required controls to also monitor themselves. Second, I’ve yet to meet a technology person in all but the largest institutions who didn’t end the day with more to do than when they started it. Third, it’s very unlikely that a technologist will interpret the myriad rules around information security for all in-scope regulations and apply them correctly. I’ve been doing this sort of work for more than a decade and it’s a full-time job just keeping up with the changes, let alone figuring out how to properly comply.
There needs to be an assigned gatekeeper for information security, plain and simple. And the size of your institution doesn’t matter. I’ve worked with very small financial institutions (under $100m in assets) that had a single, non-IT person in charge and it worked out quite well. In one case the individual was also responsible for business continuity and vendor management, which oddly enough isn’t so odd. Both of those require a certain degree of expertise that exceeds what you’d expect a technology person to have and more importantly, both of those activities need to cover the entire organization, not just what runs on the network. When I worked within the technology infrastructure, I never understood why these things always got dumped there and now that I’m on the other side of things I know that it doesn’t make sense.
When the examiners or auditors ask to speak to your CISO, ISO, head security person, compliance officer or compliance manager, you need to have a name to give them, not some vague answer or explanation about how it’s done piecemeal. This is 2009 and the demands of compliance are great and they’re real. Ignoring the obvious or incorrectly assuming that this is a part-time job is no longer acceptable.