EXECUTIVE IMPERATIVE

Management Commitment and Strategies

The first line of holistic defence

This page is an element of the Cybyr.com VCSO Service.

Introduction

All good defense is built on a solid foundation. So, the first layer of defense is exactly that:

  1. A commitment and realization that cybersecurity is not just an IT issue, which leads necessarily to executive-level responsibility for cybersecurity. It impacts the entire organization’s business, legal and financial operation and, by definition, the executive level should provide oversight and take responsibility. Without this commitment, the organization has a high probability of failure.
  2. Now defenses can be built from a solid structure of a written Security Policy encompassing the whole organization. It creates the context of all work.
  3. As defenses mature, an ongoing, measurable Security Plan of required actions reflects the requirements of your business, systems, and networks.

These two documents, the Security Policy and the Security Plan, will be central to both regulatory compliance and competitive positioning.

There is no escaping that good cybersecurity hygiene must now be a way of life, just like anti-lock brakes, seatbelts and air bags are in your car.

Here, we have organized the most important best practices in ten defensive layers. Simply, if one layer is breached, then there’s another immediately behind it. In addition, we follow the two principles of Zero Trust: “Never Trust, Always Verify” and “Assume Breach.” 

Cybersecurity lives in the world of “you’re only as strong as your weakest link.” So, while 10 layers of defense are required, there’s no escaping that many actions are involved as each weak link is strengthened. What this approach brings is a sense of order and reduced stress, all at very little external cost! Okay, enough preamble, let’s start with the first and most important layer.

1.1      Organization Roles and Accountability

This section is central to holistic security, addressing the whole organization. It looks at responsibilities undertaken directly by staff or appropriately delegated and outsourced to third parties.

1.2      No Shared Responsibilities

So, who is accountable for all this security stuff? Of course, we have been fed that “Teamwork makes the dream work,” and that the whole organization shares the responsibility for revenue generation, customer satisfaction and now security. Well, great, but the author believes a better approach to all these issues is for each individual, employee or otherwise, to take on 100% responsibility for security throughout – not just where their own little piece stops. It’s a mindset shift that transforms companies.

Just to get your attention, board chairs, CEOs and presidents: I love this point made by John Kindervag, creator of the Zero Trust movement:

  • CEOs fire their IT, security & department heads if ransomware happens.
  • CEOs get fired by the board when data breaches happen!

This book’s biggest challenge is to get active buy-in to holistic cybersecurity as an executive-level imperative. According to Gartner, cybersecurity is seen as such by 88% of corporations. That’s great, but (a) the perception is that it’s just an IT problem and (b) the survey is focused on the biggest companies.

1.3      Security Policy

Now we have your attention, let’s get to the number one priority for the executive team: creating and executing an organization-wide security policy. No matter how large or small you are, if you don’t have one, then stats and surveys say that you will likely lose this game. The heart of the people & organizational issues to be addressed are around commitment and integrity – ensuring that the work is whole and complete.

  • Most attacks happen because people don’t have security policies or have policies not driven from the top of the organization. Perhaps they haven’t adopted container security or DevSecOps best practices. Think of DevSecOps as having a parrot in the room that only knows one word (Security) and won’t shut up.
  • If they had policies, they were often manual, not automated, not actually followed and not policed; for example, not applying the latest software or security fixes, etc., as previously covered.
  • For GDPR/CCPA, the privacy policies were just words on a web site; actual implementation was not policed and not kept current.

It’s widely known that it’s essential to develop, implement and execute an organization-wide security policy. Yet such policies often don’t exist or are not executed, for three critical reasons, all of which are addressed in this work:

  1. You can’t commit to the cost of creation and execution of a security policy without curating your assets, assessing the value if protected or lost and assessing the risk of their loss/theft.
  2. You can’t assess the risks of losing your assets without having and executing appropriate security policies that can be sensibly implemented in your organization.
  3. Even if this dilemma is handled, you also need to have a model for the sensible adoption of any new disruptive technologies or new management organization.

It’s not surprising, therefore, that cybersecurity is treated as just an irritation, thought of purely as an IT issue, with the appointed CSO or IT person responsible for it all and no ownership of the issue beyond that. “Get on and deal with it and don’t interrupt the business. Give us a regular report and we’ll try to look concerned and interested.” Ditto GDPR statements posted publicly or put on a web site: they are mostly – to put it politely – positioning. Even the word “policy” can be sleep-inducing, which is why I considered not putting it in the title of this section!

To transform this situation and create lasting impact for the organization, we next address security policies: policies, roles and commitments.

1.4      What is an Information Security Policy?

It is usually regarded as a high-level view of what should be done with regard to information and physical security.

“It’s the baseline that executives use to define what is secure enough for their company,” says Bryce Austin of consulting firm TCE Strategy and the author of the book Secure Enough: 20 Questions on Cybersecurity for Business Owners and Executives. He explains that it’s not “supposed to solve all the problems, it’s to declare the problems you’ll take on – and to provide guidance on how seriously you take them.”

However, to be effective, it may begin with high-level statements but must also include a top-down approach where each relevant department, person, supplier or partner takes ownership of security as it relates to their role and accountabilities, and is measured as part of what corporations love to call Key Performance Indicators (KPIs).

1.5      Simple Overall Security Policy

  1. Assess critical business assets
    • Curate; measure for value if protected, lost or stolen.
  2. Assess risks vs. asset value
    • People, data, information
  3. Assign & delegate responsibilities, goals, ownership
    • All mitigation, including incident response, continuity, recovery and contingency plans, etc.
  4. Continuous progress measurement
    • Report, adapt and re-assess policies, ownership.
  5. Executives
    • Permanent report to executive-level meetings
  6. Chief security officer
    • Owns overall security policy and its implementation.
    • Reports to the board, president or CEO
    • Organization-wide, not limited to IT

Actually, the actions in section 11 of this work can be thought of as a comprehensive and implementable security policy, but they may be too detailed for the purpose of a simple-to-communicate policy. It may be possible to delegate creation of your security policy to a third party, but it seems critical to retain this as an essential corporate responsibility.

1.6      Security Strategy

As you develop the way of handling security that works for your organization, you might try answering the question: “What is our security strategy?” Just like a sales elevator pitch, a few short sentences would cover its intention, why you are doing it, how it will impact the company and which stakeholders will benefit. Now you will have a context for your actions.

1.7      Chief Security Officer

What’s in the title Chief Security Officer (CSO) or Chief Information & Security Officer (CISO)?

The answer may lie in the reporting. Burying the CSO under the CIO, or as CISO under the CIO, seems a recipe for disaster, as it defeats the whole point that security is a holistic issue beyond the walls of IT. It matters less what the title is than its function and reporting. This should not become an emotional decision; however, the separation of security from IT seems a fundamental point of holistic security. If there are politics, history or budget at work that are not worth fighting over, then so be it – but my point stands, I would assert. Finally, in smaller or medium-size companies the point may be moot, since the IT function can be limited or filled as a junior position. The scope of this work will show that security is not a junior function.

Let’s get to some important Chief Security Officer responsibilities:

  • Owning the overall security policy and its implementation, events and exceptions across organization functions. This includes written departmental approval, especially from the organization’s legal counsel.
  • Creating a roadmap with simple steps to get started with a first deliverable.
  • Curating all policy documents, their variants and audits of the process.
  • Appointing a security representative for each company function, i.e., finance, legal counsel, sales, marketing, IT, support, development, manufacturing, R&D, contractors, HR.
  • Assisting each representative to curate the assets for which they are accountable, including their value and risk, as covered in section 6.
  • Collaborating to form and monitor implementation of agreed departmental policies that the departments own, refine and share with colleagues.
  • Reporting to the CEO or board chair.
  • Tracking the latest developments on policy.
  • Being responsible for the security of systems, people, data and information, and a decision maker on related business decisions such as cloud migration, etc.
  • Establishing minimum levels of security expertise appropriate for the organization, including certification, whether for new or existing staff or otherwise, together with Human Resources.
  • Assessment and budget. With others:
    1. Conducting risk assessment using public and proprietary tools.
    2. Working with key executives to evaluate the value of the asset protected and the financial impact of loss or theft.
  • Determining the risk/reward and agreeing the level of protection to be undertaken.
    Note: unlike personal property insurance, where the cost of insuring a gemstone might outweigh its value to the owner, this will determine the security budget, without which any policy will be meaningless.

Outsource?

Having no dedicated oversight on security is a significant risk, but if you can find a security consultant or company to take on this task it is possible to function without one. If I had to choose between having an in-house security resource or an IT resource, I would try to select one that understood both disciplines and could author all the CSO work listed here.