Security Essentials for CIOs: Establishing a "Department of Yes"

Description: To create a pragmatic, progressive organizational structure for enterprise security, five functions are needed to transform the departmental culture from "No" to "Yes, here's how."

IBM Center for Applied Insights

Highlights: In order to embrace the opportunity for innovation, IT security must evolve from a culture of “no” to “yes.” At IBM, we’ve transformed the security organization into five core functional areas — all designed to foster a pragmatic, affirmative, and strategic approach to risk management.

Executive Series

Consider for a moment the most vital operation in your enterprise. It might run financial processing around the world, control a city’s electrical distribution, or handle millions of passengers’ airline reservations. What happens to your business if the computers directing such operations are hacked, sabotaged or shut down, so that customers can’t process transactions or global airline reservations go dark? Facing such frightening scenarios, it’s not surprising that many information security leaders want to shut the door and say no to initiatives that might threaten their delicately balanced security operations.

In fact, a study by IDC/RSA suggests that security concerns inhibit innovation. More than 80% of executives surveyed in 2008 said they “occasionally” or “often” didn’t pursue innovative business opportunities because of information protection concerns.[1] More recently, security concerns have been seen as contributing to slowing the adoption of a number of innovative technologies, from social technologies and electronic medical records to open government platforms and smart grid technologies.[2] By shooting down ideas and standing in the way, IT security has grown in many enterprises into the “Department of No.”

This must change. Security has to expand its role into the operations of the enterprise, so that each new idea or initiative is conceived and designed with security challenges in clear focus and the appropriate response baked in. Such change requires a comprehensive systemic approach to security — and an organizational structure to support it.

This is what we have done at IBM, and in the process we have turned security into a “Department of Yes.” This approach was developed over time, with leadership from the top shining a spotlight on security. It also took important organizational changes.

In this paper, based on our experience, we will outline five functions that help create a pragmatic, progressive organizational structure for enterprise security, one that balances innovation with risk and can transform the departmental culture from “No” to “Yes, here’s how.”

1. Define
The first function is dedicated to ensuring the organization has a forward-looking strategy (roughly 3-5 years) for addressing IT risk. How? Practically, this organization captures information about both existing and emerging IT risks to the business (arising from new initiatives or changes in the landscape) and determines whether those risks are managed effectively. If executed correctly, this function “charts the course” and identifies where and when course corrections may be needed. Most importantly, this activity allows you to treat risk expenditure as investment.

Key risk scenarios:

Cyber Security: An attack or virus contagion cripples a data center, spies on operations, or leaks customer data.

IT Compliance: A regulatory snafu, such as faulty handling of customer data, can cause business interruptions, not to mention a bruised reputation.

Supply Chain: A technology supplier fails, leaving obligations unmet and services disrupted.

Business Transformation: A strategic technology project faces delays, budget overruns or operational glitches.

2. Plan
At this point, the job moves to the policy and architecture unit. These professionals (who in small companies could of course be the same people as the strategy team) map out the steps to take. They identify the technology and suppliers, and come up with the budget and timetable. In short, they design a plan so that the strategic goals are actionable.

3. Implement
A management and operations team must carry out these plans. If it’s an anti-virus program, for example, they install it across the designated systems. At the same time, they register the steps they’re taking in a service catalog. This way, the tools they’ve installed can be re-used, and if something should go wrong, a detailed record will be available for analysis.

4. Measure
Specialists in compliance analyze the effectiveness of the controls in place. They determine where the efforts are meeting security goals and, more importantly, where they fall short. This unit identifies key risk indicators, such as the malware infection rate. It details its findings on a balanced scorecard, which it presents every quarter to the strategy team.

5. Respond
Even with meticulous planning and organization, things go wrong. This is when the incident response team steps in. In the process of responding to crises, they gather vital information about what went amiss. This feedback is provided to the strategy unit to further refine technology and policy components.
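The Measure function above names the malware infection rate as a key risk indicator to put on the quarterly balanced scorecard, but a rate is only as honest as its denominator. The following is an added example, not code or data from IBM or from this paper: it computes the indicator per business unit and per quarter from a constructed host inventory and constructed anti-malware events, counting a host once however many alerts it raised, ignoring detections that were blocked before execution, refusing to treat hosts that never report telemetry as clean, and surfacing events from hosts missing from the inventory as a separate gap. All hostnames, unit names and field names are assumptions made for the illustration.

```python
"""Malware infection rate as a key risk indicator (KRI) for a quarterly balanced
scorecard. Added example; inventory, events and field names are constructed for
illustration and are not data or code from IBM or from this paper."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    hostname: str
    business_unit: str
    has_av_telemetry: bool  # a host whose agent never reports cannot be assumed clean


@dataclass(frozen=True)
class MalwareEvent:
    hostname: str
    detected: date
    outcome: str  # "blocked" (caught before execution) or "infected" (cleanup required)


# Constructed asset inventory (assumption: one row per managed host).
INVENTORY = [
    Host("fin-ws-01", "finance", True),
    Host("fin-ws-02", "finance", True),
    Host("fin-ws-03", "finance", False),
    Host("mkt-ws-01", "marketing", True),
    Host("mkt-ws-02", "marketing", True),
    Host("mkt-ws-03", "marketing", True),
    Host("mkt-ws-04", "marketing", True),
]

# Constructed anti-malware detections (assumption: one row per alert).
EVENTS = [
    MalwareEvent("fin-ws-01", date(2012, 1, 12), "infected"),
    MalwareEvent("fin-ws-01", date(2012, 2, 3), "infected"),    # repeat on one host: counts once
    MalwareEvent("fin-ws-02", date(2012, 2, 20), "blocked"),    # blocked, so not an infection
    MalwareEvent("mkt-ws-01", date(2012, 3, 30), "infected"),
    MalwareEvent("mkt-ws-02", date(2012, 4, 2), "infected"),
    MalwareEvent("fin-ws-03", date(2012, 4, 15), "infected"),   # no telemetry, yet it was infected
    MalwareEvent("unknown-99", date(2012, 4, 16), "infected"),  # not in inventory: an inventory gap
]


def quarter_of(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def infection_rate_by_unit(inventory, events, quarter):
    """Return ({unit: (infected, measured, rate, unmeasured)}, orphan_hosts) for one quarter.

    rate = distinct hosts with at least one "infected" event in the quarter
           / hosts that can be measured: inventoried hosts with telemetry, plus any
             inventoried host that was infected regardless of telemetry.
    Hosts with neither telemetry nor an event are NOT counted as clean; they are
    returned as 'unmeasured' so the scorecard shows the coverage gap beside the rate.
    Events from hosts absent from the inventory are returned separately as orphans.
    """
    by_name = {h.hostname: h for h in inventory}
    infected = defaultdict(set)
    orphans = set()
    for e in events:
        if e.outcome != "infected" or quarter_of(e.detected) != quarter:
            continue
        host = by_name.get(e.hostname)
        if host is None:
            orphans.add(e.hostname)
        else:
            infected[host.business_unit].add(host.hostname)

    result = {}
    for unit in sorted({h.business_unit for h in inventory}):
        members = [h for h in inventory if h.business_unit == unit]
        measured = [h for h in members if h.has_av_telemetry or h.hostname in infected[unit]]
        n_inf = len(infected[unit])
        rate = n_inf / len(measured) if measured else 0.0
        result[unit] = (n_inf, len(measured), round(rate, 4), len(members) - len(measured))
    return result, orphans


def scorecard(inventory, events, quarters):
    """Per-unit rate for each quarter and its change versus the previous quarter
    (negative change = improving), in the shape a quarterly scorecard would tabulate."""
    rows = []
    previous = {}
    for q in quarters:
        rates, orphans = infection_rate_by_unit(inventory, events, q)
        for unit, (n_inf, n_meas, rate, unmeasured) in rates.items():
            delta = round(rate - previous[unit], 4) if unit in previous else None
            rows.append({"quarter": q, "unit": unit, "infected": n_inf, "measured": n_meas,
                         "rate": rate, "delta": delta, "unmeasured": unmeasured,
                         "orphan_events": len(orphans)})
            previous[unit] = rate
    return rows


if __name__ == "__main__":
    for row in scorecard(INVENTORY, EVENTS, ["2012-Q1", "2012-Q2"]):
        print(row)
```

On the constructed data, finance shows 1 of 2 measurable hosts infected in Q1 with one host unmeasured, then 1 of 3 in Q2 once the silent host surfaces through its own infection; reporting the unmeasured count and the orphan events next to the rate is what lets the strategy team tell an improving control from a shrinking denominator.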

[1] “Innovation and Security: Collaborative or Combative”, IDC, sponsored by RSA, September 2008, http://www.rsa.com/innovation/docs/IDC_innovation.pdf

[2] “HP and AMD Research Shows Concerns about Security, Technology Budgets Are Main Barrier to ‘Gov 2.0’”, April 24, 2012, http://www.hp.com/hpinfo/newsroom/press/2012/120424c.html

Each function provides the opportunity for continuous improvement, so developing a feedback loop is essential. For example, by analyzing the balanced scorecard, the strategy team can spot areas that need to be fixed or enhanced. This might call for improving the efficiency of a technical control, clarifying a policy requirement, or investing in employee security awareness programs.

One key to success is a seat for the information security leader at the executive table. The 2012 IBM Chief Information Security Officer Assessment found that the most influential security leaders have a strategic voice in their enterprise.[3] This means they have the ear of senior management, the power to convene a security/risk committee with top executives, and effective metrics to measure risks and to craft appropriate responses.

At IBM, our risk management team meets quarterly with a top advisory committee that includes senior vice presidents of all the business units, who report directly to the CEO. These include the leaders of many functional areas, including finance, marketing, technology and others. Each of these executives must understand the security risks to his or her unit and what controls are in place. Together, they shape and decide strategy. Security, after all, is intimately tied not only to their units, but to the future of the enterprise.

IBM CIO—IT Risk: Functional Organization

IT Risk Strategy: Define risk map & risk posture improvement strategy

1. Define (IT Risk Strategy Team): Analyze existing and emerging risk & “chart the course”

2. Plan (Policy & Architecture Team): Design policy controls & identify technology and suppliers

3. Implement (Management & Operations Team): Execute initiatives & maintain service catalog

4. Measure (Compliance & Audit Team): Measure & report compliance status

5. Respond (Computer Incident Response Team): Incident handling & response

A feedback loop between each function offers continuous improvement.

[3] “Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment”, IBM Center for Applied Insights, May 2012, http://www.ibm.com/smarter/cai/security

About the author
Kristin Lovejoy is Vice President of IT Risk, Office of the CIO, IBM. She can be contacted at [email protected].

About the IBM Center for Applied Insights
The IBM Center for Applied Insights introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.

Join the conversation
To read additional articles, learn more about Security Essentials for CIOs, or share your thoughts with other security leaders, join us at ibm.com/smarter/cai/security.


© Copyright IBM Corporation 2012

IBM Global Services Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America March 2012 All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

WGW03005-USEN-00