Senior Executives Commitment to Information Security - from Motivation to Responsibility Jorma Kajava University of Lapland P. 0. Box 122, FIN- 96101 Rovaniemi, Finland
Jorma.Kajava(ulapland.fi
Juhani Anttila Quality Integration Rypsikuja 4, FIN-00660 Helsinki, Finland
[email protected]
Rauno Varonen University of Oulu P. 0. Box 7200, FIN- 90014 University of Oulu, Finland
Reijo Savola VTT Technical Research Centre of Finland P. 0. Box 1100, FIN-90571 Oulu, Finland
[email protected]
[email protected]
Juha Roning University of Oulu P. 0. Box 4500, FIN- 90014 University of Oulu, Finland Juha.Roning(ee.oulu.fi motivated, senior management lacked the necessary information security management skills. This was evidenced by the fact that an external consultant managed to convince the top management to agree to a work safety study without asking experts on the company payroll, who anticipated a better information security solution. Examples such as this one can be found also in governmental offices and at univiersities. Our work aims at elucidating the significance of senior management in the promotion of organizational information security. A great number of organizations boast extensive security awareness programmes, but the top management often shies away from them. Damage caused by an individual employee may have far-reaching consequences for a company, but when damage is inflicted by senior management, the effects may be devastating. Thus, it is important to get top managers to endorse the adopted information security solutions whole-heartedly, which involves not only being motivated to follow security principles, but also accepting the responsibilities that go with the highest positions. As its starting-off point, this paper takes the new international standard ISO 17799 [1] However, as we are dealing with a serious issue, standards are not
Abstract For senior executives, information security is a basic requirement for business success. Yet, despite being well-motivated, top managers often have only a superficial understanding of information security, which may lead them to make decisions that are not conducive to raising the organization's security level. Enhancing information security awareness among all employees has been found necessary, but the key to success is raising the awareness level of senior management. Playing a decisive role, they must assume overall responsibility for information security. The question is how to achieve this in an efficient and natural way.
1. Introduction: Information Security and Safety at Odds Attitudes toward information security vary. Everyone knows the fundamentals, but few have a deeper understanding of it. Some time ago, an extensive survey, conducted in a Finnish company, indicated that although all employees were well-
1-4244-0605-6/06/$20.00 C2006 IEEE.
1519
Business life tends to value ease-of-use more than security. A change of values occurs often only after a serious mishap, although only part of the damage may be expressed directly in terms of money. The prevailing view seems to be that information security produces costs, not profit. Unless we change our way of thinking, we will soon find that the cost of doing nothing is even higher. As indicated by our survey, there are great deficiences in the management of information security, particularly as regards the commitment of senior managers. To remedy this situation, we must find the means of gaining this commitment, before some hostile party forces the change. As a rule, information security management is seen from the viewpoint of large corporations. In today's world, however, we must become cognizant of the fact that business is based on networking. Even giant corporations are not islands, they are connected with other, smaller companies through subcontracting and outsourcing, for instance. As a result, negligence in the management of information security, even when it occurs several nodes down from some large corporation, may nevertheless affect it through the network. Commitment to information security is therefore of utmost importance for the entire network. By their commitment, corporate managers help pave the way towards the information society.
objectives must be known by corporate employees as well as by external partners. Information security policy represents the position of senior management toward information security, and sets the tone for the entire organization. It is recommended that coordinating the organization's information security policy should be the responsibility of some member of top management. Encouragement should be given to the extensive application of information security within the organization and among its stakeholder groups to make certain that problems are dealt with in an efficient and regular manner. When necessary, external professional assistance should be sought to keep abreast of advances, standards and values in the field. At the same time, this enables establishing forms of collaboration for potential security breaches. The key component of information security work is the visible support and engagement of senior management. In practical terms, this commitment involves allocating necessary funding to information security work and responding without delay to new situations. Nevertheless, swelling the size of the information security organization is unwise, for a small organization is often more flexible and faster on the draw. A better alternative to enlarging security staff is to enhance information security skills and knowledge at all levels of the organization, because that is where the actual work processes are. Yet another way of showing management commitment is participation in a range of information security-related events, which serves to underline the importance attached to the topic.
3. Commitment of Senior Executives
4. Evidence Supplied by Surveys
Ultimate responsibility for managing information security is borne by corporate management, which provides the resources and sets the requirements on the basis of which the IT security manager promotes and coordinates security activities. A lively discussion has been going on for some time now on the commitment of senior management to information security. The objects and activities of information security must be in line with the organization's business objectives and the requirements imposed by them. Senior management must take charge of this and provide visible support and show real commitment. To do this, they have to understand the seriousness of the threat that information risks pose to corporate assets. Further, they need to ensure that middle management and other staff fully grasp the importance of the issue. The organization's information security policy and
We became aware of the sensitive nature of the topic in 2002, when several reports were published highlighting the commitment of senior management to corporate information security solutions. Of particular interest was the report stating that the commitment level among Finnish managers was slightly above 20 percent [5]. This finding provided a good starting point for a national discussion. When the result was explained to a group of Austrian researchers, they congratulated us on the high percentage rate. This was a little confusing, as the title of the original paper declared that information security does not interest corporate management. Moreover, the paper went on to point out that only two managers out of ten have realized that information security is of strategic value to their company. And yet this survey involved 50 companies among the top 500 businesses in Finland
sufficient, we must advance from a discussion on standards to a change in culture [6].
2. Day to Day Business
1-4244-0605-6/06/$20.00 c2006 IEEE.
1 520
listed by business magazines. The crucial question was: how is this result to be understood and evaluated objectively. One central issue identified by the survey was that merely 11 of the 50 largest companies had an information systems manager or a corresponding person on the management team. This is a far cry from showing commitment, and is undoubtedly reflected in corporate attitudes and practices. Thus, the sentiments implied in the title of the paper, information security does not interest corporate management, describe the situation spot on, because smaller companies display even less commitment. At around the same time, we conducted a survey in a Northern Finnish company with 500 employees. It turned out that all members of the fairly large management team as well as key personnel were wellversed in information security and its attendant risks. Yet, although they were motivated to deepen their knowledge and hone their skills, we were left wondering, whether they had internalized their own roles in the management of information security [6]. What does commitment to security work entail? A key factor is enthusiasm, "getting personally involved", believing in what you are doing. Another important factor is providing resources for the work. Everyone must also know who is responsible for taking decisions and directing activities. On this road, the first step involves motivation and gaining an understanding of information security. Obtaining funding serves to anticipate future needs and has farreaching consequences, but training staff and winning their support are equally important. At the management team level, the delicate issue of authority and responsibility often leads to conflict. Authority should be exercised in a manner that promotes performance even under difficult circumstances. Responsibilities stand in relief when things go wrong and a mishap occurs. Authority and responsibilities are also necessary during the following recovery period, and should be considered in advance. Most information security breaches and violations take place within the organization, by its own staff, who are involved either wittingly or unwittingly. Incidents of this type show how important it is that the person charged with coordinating information security really has the support of the senior management and acts with their authorization. Although it may be disconcerting, action must be taken to prevent insider abuse before anything serious happens.
5. Information Programmes
Security
Awareness
Success in information security management, as stated in the ISO/IEC 17799 standard (2005) [1], demands two things: commitment of senior management and provision of information security awareness programmes to all staff. The contents of such a programme were already outlined in earlier documents of the ISO/IEC JTC 1/SC 27/WG 1. In 2002 - 2004, we applied this information to create an intranet-based learning environment for information security [3]. An information security awareness programme may incorporate at least the following topics: * factors that influence organizational information security policy together with such extensions to the policy, guidelines, directives and risk management strategy that enable a deeper understanding of risks and security measures, * implementing the information security programme/plan and verifying the effects of security measures, * basic data protection requirements, * a classification scheme for protection of information, * reporting procedures for information security breaches, attempts thereof and investigation of such breaches, * significance of security extensions to end users and the entire organization, * work procedures, responsibilities and job descriptions, * security audits and checks, * managing activities and organizational structures, * explaining effects of unauthorized activities. There are several avenues of obtaining guidelines on information security training. It may be confusing for some employees that they receive security-related information from several sources or through many different channels. In larger organizations, the implementation of information security programmes is coordinated by IT security managers. Nevertheless, these awareness programmes are invariably the responsibility of senior management who must integrate the approach with the organization's genuine business needs.
6. Promoting a Culture of Security An approach that considers the best interests of all participants and the characteristics of information
1-4244-0605-6/06/$20.00 C)2006 IEEE.
1521
systems, networks and associated services can be both efficient and secure [7]. The OECD approach comprises nine principles that deal with awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management and reassesment: "Security management should be based on risk assessment and should be dynamic, encompassing all levels of participants' activities and all aspects of their operations. It should include forward-looking responses to emerging threats and address prevention, detection and response to incidents, systems recovery, ongoing maintenance, review and audit. Information system and network security policies, practices, measures and procedures should be coordinated and integrated to create a coherent system of security. The requirements of security management depend upon the level of involvement, the role of the participant, the risk involved and system requirements." [7]. In addition, the OECD guidelines state that fostering a culture of security requires both leadership and extensive participation. Security design and management should be an important element in corporate management, and all participants must appreciate the value of security. The principles set up by the OECD form a foundation for promoting a culture of security across the society. All participants must assimilate and promote this culture as a way of thinking about, assessing and implementing information systems and networks. Organizations are exhorted to adopt a proactive approach to information security. Business is likely to suffer if senior management has insufficient knowledge of security. This state of affairs poses a severe threat not only to the organization's reputation, but to its entire business and existence. This paper seeks to emphasize the role of senior management in the creation of an organizational culture of security. A solution that is custom-tailored to a particular organization is only applicable to that organization. This raises the issue of how general principles and standards could be utilized to create an approach to information security and security management that is adaptable to different organizations with certain adjustments. This leads us to propose that the starting point for an information security awareness model designed for senior management should incorporate the following aspects: senior management * must understand their own roles as business leaders. A better grasp of information security in fact facilitates their work, as it enables them to set
1-4244-0605-6/06/$20.00 C 2006 IEEE.
* *
policy objectives and take a leading role also in security; should define what the critical assets are that must be protected. For that, they need to have a basic understanding of information classification; and must pledge a holistic commitment to information security, manifested, for example, by active participation in business continuity planning.
7. Conclusions We have discussed one of the most remarkable practical-level problems of information security management in organizations: the lack of senior management commitment to information security. This problem is difficult to solve because many professionals think that it is not a good idea to "teach" their managers, or "preach" to them. However, if the information security awareness of senior management of a company is at too low a level, the consequences may be very dramatic to the company's business. Products - goods and services - with poor information security solutions can be very easily driven out of the market by consumers. In addition, co-operation partners may vanish after they realize that a company is not paying enough attention to its information security management and that the key persons - senior management- are not committed.
8. References [1] ISO/IEC 17799:2005. "Information Technology Security Techniques - Code of Practice for Information Security Management", ISO, Geneve. (2005). [2] ISO/IEC 27001:2005. "Information Technology Security Techniques - Information Security Management Systems - Requirements", ISO, Geneve. (2005). [3] Heikkinen, I., Ramet, T., "E-Learning as a Part of Information Security Education Development from Organisational Point of View". Oulu University, Oulu, Finland., In Finnish (2004). [4] Kajava, J., "Critical Success Factors in Information Security Management in Organizations: The Commitment of Senior Management and the Information Security Awareness Programme". Hallinnon tutkimus - Administrative Studies, Volume 22, Number 1, Tampere. (2003). [5] Kajava, J., Varonen, R., Tuormaa, E. Nykanen, M., "Information Security Training through eLearming - Small Scale Perspective". In VIEWDET 2003. Nov. 26-28. Vienna, Austria. (2003). [6] Lempinen H., "Security Model as a Part of the Strategy of a Private Hospital" (In Finnish), University of Oulu, Finland. (2002). [7] OECD, "OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security", OECD Publications, Paris, France, 29 p. (2002).
1522
