Securing the Organization: Creating a Partnership Between HR and Information Security


A White Paper from (ISC)²

Securing infrastructure is one of the most critical issues facing business and governments today worldwide, as it becomes conventional wisdom that the health of the collective cyber community is vital to the growth and stability of the global economy. As an outgrowth of that realization, it is becoming widely accepted that information security professionals are critical to protecting the trusted environment in which global Internet communications, instant information access, and business transactions are made possible every day.

It's become conventional wisdom among information security professionals that people are the most critical part of effectively securing an organization. From the staff accountant end user to the Board of Directors, every person involved in an organization plays a role in that organization's security. This includes having first-rate information security personnel to create policies and oversee implementation, obtaining management buy-in and support for the security program, and ensuring employees throughout the enterprise understand, respect and evangelize security policy.

Why are people so important in the security equation? They are highly unpredictable, and even the most comprehensive awareness program cannot ensure that all employees will make the right security choices 100% of the time. Conscious or not, employees are faced with decisions every hour that can impact the security of an organization's or its customers' data. The most expensive intrusion detection system in the world can be breached by an employee simply divulging their password over the phone to a company impostor. And employees take laptops home every day that may contain sensitive customer data. Technology cannot prevent or protect against human error, which is the cause of up to 42 percent of all data breaches [1].

It is only with a careful balance of people, policy and processes that an organization can effectively manage its risks. While information security professionals are obviously integral to managing an organization's risk, they alone cannot corral the human variable present in all organizations. That's why many information security professionals believe there is a critical need to partner more closely with the one department that deals exclusively with the human component of the organization: human resources.

Why HR and Information Security?

If information security and HR professionals looked closely, they would see several commonalities between their roles and responsibilities. Both professions communicate with every member of the organization, both need communications skills in addition to expert knowledge, and both share a common goal: the security of the organization, its customers and staff.

[1] CompTIA 5th Annual Security Study, September 2007

Security best practices must be woven into the organization's consciousness and culture at every level. As the arbiter of this culture, HR is in an ideal position to drive security messages, policies and procedures. In addition, information security professionals need to rely on the savvy and tools of HR to help them recruit, hire and retain premier employees who are not only the most qualified but a strong fit for the organization. HR professionals can also launch and support internal campaigns to spread the word about information security throughout the organization. As privacy, securities and other regulations increase, it's critical that HR departments partner with information security professionals to ensure their internal practices are secure and that the organization is compliant with all industry regulations and requirements.

Information Security Profession Overview

The goal of this white paper is to help HR professionals understand the full scope of the burgeoning information security profession and how it affects every aspect of the organization. The international standard for information security management, ISO/IEC 17799, describes information security as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. If not mitigated, these threats can destroy a company's reputation, violate a consumer's privacy, result in the theft or destruction of intellectual property, and, in some cases, endanger lives.

Twenty years ago, the field of information security was in its infancy. Many companies did not take threats to their infrastructure seriously. For those companies that did, the majority of people responsible for protecting information assets did not have a formal background or education in the field and obtained their experience in information technology or related disciplines, transferring into information security only as the need arose. Information security professionals frequently reported to someone in IT and did not carry much weight with upper management.

Today, driven by increasing regulations and the desire to maximize global commerce opportunities, protecting information assets has become one of the most important functions within any organization, public or private. For this reason, organizations increasingly rely on information security professionals to implement a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, and continually monitored, reviewed and improved to ensure that the specific security and business objectives of the organization are met.

The 2006 Global Information Security Workforce Study (GISWS), sponsored by (ISC)² [pronounced "ISC-squared"], reported that the number of information security professionals worldwide in 2006 was approximately 1.5 million. This figure is expected to increase to slightly more than 2 million by 2010, displaying a compound annual growth rate (CAGR) of 7.8 percent from 2005 to 2010, compared to 4.6 percent of projected growth in the number of IT employees globally in the same timeframe. After surveying more than 4,000 information security professionals worldwide, the GISWS indicated that more than 37 percent of respondents work for organizations with annual revenue of one billion or more, and more than 62 percent work for organizations with at least 1,000 employees. Often, information security professionals are found in the greatest numbers in organizations whose mission is to safeguard critical infrastructure, such as government defense agencies, telecommunications and the financial industry. Because the profession is still relatively new, many small to medium businesses do not have a security department at all.

A common misconception of information security is that it is a function of IT. While it may have begun in the IT department, information security is a highly specialized function, and its influence has grown exponentially in recent years as executives have seen both the necessity for and return on investment in information security. Today, information security professionals often have a seat in the executive boardroom, enabling them to make valuable recommendations during the earliest stages of business initiatives.

Another common misconception is that the information security professional's job functions are similar to those of IT professionals. In fact, information security responsibilities can run the gamut, from risk management to computer forensics. Each responsibility can require vastly different skill sets and experience beyond the bits and bytes of IT.

Areas of expertise within information security include:
- Access control systems and methodology (how people enter and leave the system)
- Applications and systems development security (creating new computer programs to protect an organization)
- Business continuity planning (BCP) and disaster recovery planning (DRP)
- Cryptography (the coding and decoding of data and messages)
- Law, investigation and ethics
- Operations security
- Physical security
- Security architecture and models (building the security infrastructure for a complex organization)
- Security management practices
- Telecommunications and network security

A few typical information security job titles include:
- Security auditor
- Security specialist
- Security consultant
- Security administrator
- Security analyst/engineer
- Director/manager of security
- Chief security officer (CSO)/chief information security officer (CISO)

Smaller organizations that may not have a dedicated information security department may assign security responsibilities to the head of IT, such as the director/manager of IT or the Chief Information Officer (CIO) or Chief Technology Officer (CTO).

According to the GISWS, the average salary for an information security professional is US$93,872, with more than 35 percent making US$100,000 or more. In many parts of the world, salaries are rising with the increasing demand for information security professionals as consumers, business-to-business customers and others become frustrated with the loss of private data due to security breaches. Some typical salaries are:
- Manager, Information Security: US$101.2K average base salary (U.S. national)
- Security Analyst: US$80.4K average base salary (U.S. national)
- Security Administrator: US$74.2K average base salary (U.S. national)

According to the 2006 Salary Survey conducted by Certification Magazine, IT and security professionals who possess at least one certification saw their average salary increase beat the national average by more than 12 percent, thus demonstrating the positive effect certification has on salary. The top certification salary belonged to those with the CISSP-ISSAP credential at US$114,210. Of all the specialized disciplines within IT, security remains the hot-button specialization for a variety of reasons, including increases in cyber crime, emerging regulations affecting the extent to which systems need to be secured, and a trend toward better accountability in information security extending throughout organizations. So it comes as no surprise that salaries for U.S. information security specialists remain on top, with IT pros in this field reporting they earn $93,500 a year on average, $14,590 higher than in

There are a variety of educational, technical and general skills an information security professional may need. Generally, most have at least a bachelor's degree in information technology or a related discipline, such as computer science. They should also have a working knowledge of network systems and security protocols, security software programs and implementation, and best practices for developing security procedures and infrastructure. Increasingly, information security positions require business knowledge and communications skills, especially if the applicant is working outside the IT department. Many are now being asked to effectively relate security-related concepts to a broad range of technical and non-technical staff across the organization. In many ways, security and HR are the two departments that interface with the most employees on a regular basis.

A typical job path for the information security professional would be:
- 2-plus years' experience: information security administrator
- 5-plus years' experience: information security analyst/engineer
- 7-plus years' experience: information security manager
- 9-plus years' experience: director of IT or information security, chief security officer (CSO) or chief information security officer (CISO)

Certification is also a key component of any qualified information security professional's résumé. Certifications fall into two categories: those that measure understanding of vendor security products, such as Microsoft or Cisco, and those that are vendor-neutral and measure a broad understanding of information security policies and processes. Information security has evolved into a profession with recognized best practices so people working at many levels can understand each other and have confidence in each other's level of knowledge and competency. Certification helps identify those that have reached this level of competency, which can aid HR staff during the recruiting process. As organizations seek to find qualified individuals to perform the critical task of securing the information infrastructure, the importance of certification, which provides a baseline of knowledge, skills and abilities, continues to increase. According to the 2006 GISWS, 85 percent of hiring managers believe that information security certifications are either somewhat or very important when making hiring decisions.

(ISC)² certifications are based on the CBK, a continuously updated taxonomy of information security topics developed and maintained by the organization with the input from its certified members. The CBK establishes a common framework of information security terms and principles that allows information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding.

(ISC)² certifications include the Certified Information Systems Security Professional (CISSP), considered the gold standard in the profession and the first certification designed to validate the knowledge, skills and abilities of information security professionals and managers and to be accredited under ANSI/ISO/IEC Standard. The CISSP is a credential for information security managers with responsibility for strategic security planning and writing and enforcing policies. Candidates must have at least five cumulative years of relevant work experience in two or more of the 10 domains of the CISSP CBK and receive an endorsement of their application by a CISSP or other (ISC)² credential holder. For veteran professionals, there are also CISSP concentrations in management, architecture and engineering. Another (ISC)² certification is the Systems Security Certified Practitioner (SSCP) for those that enforce implementation of, monitor and maintain requirements and policies for information security, as well as for IT or physical security personnel who encounter information security issues on a regular basis.

A vendor-neutral information security certification ensures an organization's security staff can demonstrate a broad knowledge in information security and professional judgment, has professional access to a network of global industry and subject matter/domain experts, and is committed to continuing professional education to maintain certification. In many cases, salary increases often result immediately after an employee earns his/her CISSP or other vendor-neutral certification. Other organizations offering security certifications include the SANS Institute, validating technical understanding of security issues, and ISACA, validating security auditing functions and risk assurance.

(ISC)², founded in 1989, was the first information security certification body and maintains the most rigorous standards in the industry in professionalizing the information security workforce. Today, there are more than 54,000 (ISC)²-certified members working in private industry, government and academia in 135 countries who are recognized as the world's pre-eminent information security professionals. Companies with the most (ISC)²-certified members on staff include Cisco Systems, Microsoft Corporation, IBM, Booz Allen Hamilton, Symantec, SAIC, EDS, Citigroup, Deloitte & Touche, and Raytheon.

How HR Can Help the Information Security Department

With organizations now making information security a high priority, assuring the right professional talent is in place to manage the responsibility has become a key initiative. There is a key role the HR department can play during this process. In the early days of information security, many professionals were recruited from the IT department. However, the skills required today range from business expertise, communications and presentation skills, and people management in addition to technical knowledge. The profile of the people choosing to work in information security is changing as well. There are many more young professionals choosing information security as a career, bringing a post-graduate degree and little experience. Those coming over from other professions are coming from a broader set of backgrounds. These trends present both an opportunity and a challenge for the security hiring manager and HR department. While there is an increasingly rich and growing talent base to recruit from, there is also a broader set of requirements to be assessed. In addition, the market value for specific security roles has yet to be well established. HR professionals surely understand the requirements and skills needed for an IT, accounting or marketing position, but given the immaturity of the information security profession, may not be aware of what's required to fill an information security position. Screening candidates for credentials such as the CISSP can bring HR and information security to the same page, streamlining and improving the hiring process for both parties. As people are the key to a secure organization, HR and the information security department working together ensures not only a targeted, efficient hiring process but effective communication and enforcement of security policies. HR and the information security department can in essence act as extensions of each other. HR can also help shape job descriptions to include security requirements. If every description included a security component, all employees would feel ownership for the organization's security.

Regardless of your organization's hiring process, HR and the hiring manager can work together to define the breadth of traits that go into defining a good fit for this team, helping the hiring process be more efficient and targeted. While the hiring manager will generally know the desired qualifications, such as education and vendor and vendor-neutral certifications, that he or she wants from a potential employee, HR is in the best position to screen for the personal characteristics that would be of value to the department, such as individuals who can readily handle a fast-paced environment, and overall fit for the organization. A working relationship with HR also gives the security hiring manager links to an organization's entire recruitment portal of resources, allowing him or her to cast a wider net for finding the right candidate.

Key questions an HR professional can ask the security hiring manager to better define a position include:
- Is the role operational or strategic?
- Management or delivery?
- Compliance or operations?
- Centralized or business unit-specific?
- Tied to an application or general to the enterprise?
- Will the person be focused within a small team or reaching out to business unit leaders?
- Are there internal and external communications expectations?

The answers to these questions will go a long way in helping qualify potential candidates. Understanding the unique requirements of the many positions now associated with information security can be helpful in recruiting candidates. There are information security sales and service positions that require all the elements of a good salesperson, such as presentation and closing skills, with security knowledge. There are security architects who must not only be able to ensure that the solutions they're designing meet regulatory and compliance objectives but also possess interpersonal and project management skills, since they work on projects that span their organization. Computer forensics specialists may require legal training or experience because they are often called into court during prosecutions. The list goes on and on.

Outside of the hiring process, HR can help track the market value of skills that will be required by the security department and advise on the employment market, competitive salary landscape, etc. An understanding of salary requirements will give the security department a better opportunity to forecast staffing budgets. Unfortunately, there are relatively few credible sources for salary trends in information security. It is best to rely upon studies conducted by objective analyst firms, such as the GISWS or an annual salary survey by Foote Partners.

For HR and security departments to truly work well together for the benefit of the organization, it makes sense for HR to share accountability for the hiring decisions that are made. Shared accountability means HR will be more invested in providing the best service based on real communication with the security department. HR is also in a unique position to understand and evaluate a candidate's background and how they meet the requirements of the job and the organization. Performing detailed background and reference checks may be the most critical component of hiring an information security professional. Areas that should be mandatory include the following:
- Criminal checks, including misdemeanor offenses
- Confirming government clearances (if applicable)
- Confirming employment history
- Talking with at least three previous employers (direct manager) or independent character references (e.g., not a relative or personal friend)
- Verifying certifications held

The HR team can and should conduct these same background checks on security contractors as well. Through its conversations with the information security hiring manager, HR should learn what level of clearance the position will entail. This will aid in assessing how thorough a background check should be and how many years back are necessary to gather data on the candidate.

HR can also help retain a search firm that specializes in information security. Ask them qualifying questions such as:
- How long have you specialized in the field?
- How many searches have you conducted at this level?
- What is your placement success ratio and time frame?
- Have your searches been focused on specific industry sectors?

Ensure that the recruiting firm is well-respected by the information security community by determining whether they participate in industry events, associations and forums. Most importantly, check client and candidate references. Spend the necessary time introducing them to the management team, corporate philosophy and structure. Select the firm that provides the highest level of confidence. Once they have a solid understanding of the needed requirements, they will be able to provide a focused, well-managed and effective search.

Retention is another area in which HR can assist security departments. Retention programs customized for the information security professional can go a long way toward reducing turnover. Because the field of information security changes rapidly and new threats/vulnerabilities arise every day, most professionals would like to continue their professional development through ongoing educational opportunities. Many hold certifications that require continuing education to maintain their certifications. Information security professionals who wish to have successful career progression and reach executive status must have knowledge of and experience with management best practices and business-related skills, as well as an understanding of policy, processes and personnel, in addition to the obvious IT skills and technical knowledge. Investing in the professional development of information security staff is worthwhile, as is ensuring salaries are commensurate with industry standards.

How the Information Security Department Can Help HR

Information security departments can also assist HR in many areas, including security awareness training, ensuring the HR department is following legal and regulatory security requirements and best practices, disciplining employees who don't follow security policy, and more. Given that more and more employers are being held liable for identity theft that occurs in the workplace, and in light of the rapidly growing number of identity theft and confidential information data loss/corruption incidents that result in the misuse of data such as employee salaries, benefits, social security numbers, names, addresses and more, it's critical that HR and information security departments collaborate to ensure the organization's and all its stakeholders' data is protected. It's in everyone's best interest to ensure staff cyber safety and cyber savvy.

It's the nature of the HR function to deal daily with confidential information: candidates' backgrounds, salaries, health information, disciplinary actions, etc. Even the fact that someone has applied needs to be protected. Information security departments can conduct non-threatening, internal audits of security best practices, ensuring such simple activities as a clear desk policy are enforced. The information security department can also assist HR by providing materials to ensure that new employees are fully aware of information security policies, thereby reducing the risk of theft, fraud or misuse of data by employees, contractors and third-party users.

When the terms and conditions of employment fail to incorporate the security requirements for the use of information systems, the organization could possibly suffer damage with minimal legal redress against the individual(s) concerned. To protect itself, the organization ideally should construct terms and conditions of employment that:
- Incorporate the need to comply with current statutory regulations;
- Reflect the security responsibilities of employees outside the workplace;
- Refer to any disciplinary procedures that would be applied if security policies and standards were breached;
- Confirm that it is the organization's responsibility to provide appropriate training and education in the subject of information security.

In addition, HR and information security can collaborate to ensure employees are constantly reminded of security best practices. All employees and, when relevant, contractors and third-party users, should receive appropriate awareness training in and regular updates of organizational security policies and procedures relevant to their job functions. Training could involve:
- A formal induction process that includes information privacy and security training, prior to being granted access to information or information systems;
- Ongoing training in security control requirements and generally accepted security procedures, suitable to the person's roles and responsibilities;
- Virtual sources of information on security policies such as screen savers or a local Intranet, as well as global, tangible materials such as posters.

Key elements of any information security training program include:
- Requirements to act in accordance with the organization's policies, including execution of all processes or activities particular to the individual's role;
- Requirements to protect all information assets from unauthorized access, use, modification, disclosure, destruction or interference;
- Requirements to report security events, potential events, or other risks to the organization and its assets;
- Assignment of responsibility to individuals for actions taken or, where appropriate, for actions not taken, along with appropriate sanctions;
- Ensuring awareness of information security threats and concerns, and the necessary steps to mitigate those threats;
- Equipping all persons to support organizational privacy and security policies in the course of their normal work through appropriate training and awareness programs that minimize human error;
- Relevant industry regulations the organization must comply with; and
- Ensuring that persons exit the organization, or change employment responsibilities within the organization, in an orderly manner.

Regular employee surveys can determine the training program's effectiveness. When new technology comes online, the security and HR departments can ensure the correct rules and procedures are communicated.

Information security can and should work closely with HR in any investigation and resulting disciplinary action in the misuse or theft of company data. In fact, information security and HR teams should meet immediately when the first sign of potential trouble is noticed, and then meet regularly afterward to discuss progress. If it comes time to speak directly with the employee, a security official should be present to ensure the offending employee fully understands his/her security responsibilities and the liabilities of his/her behavior. The security manager and HR professional should discuss sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offense, whether or not the violator was appropriately trained, and whether or not the violator exercised due care or exhibited negligence.

Whenever an employee is terminated, the security department should also work with HR to make certain that the termination process includes removal of access to all information resources. This includes the return of information and physical assets in their possession upon termination of the employment relationship or contract. In addition, a formal process for return of the organization's hardware, software and data media, as well as the return or destruction of organizational data, should be established. Access rights to information and information processing facilities should be removed immediately upon termination of the employment or contractual relationship.

Managers should be given extra training as well as extra responsibility for security. This helps them become advocates of security programs instead of merely end-users. They serve as examples for the rest of the company; if they do not take security practices seriously, no one will. Managers should be required to maintain policies and to provide recurring training within their respective departments. This not only spreads out the workload, but it also creates a pool of devoted managers to ensure the long-term viability of an information security program.

About (ISC)²

The International Information Systems Security Certification Consortium, Inc. [(ISC)²] is the internationally recognized Gold Standard for certifying information security professionals. Founded in 1989, (ISC)² has certified over 54,000 information security professionals in 135 countries. Based in Palm Harbor, Florida, USA, with offices in Washington, D.C., London, Hong Kong and Tokyo, (ISC)² issues the Certified Information Systems Security Professional (CISSP) and related concentrations, Certification and Accreditation Professional (CAP), and Systems Security Certified Practitioner (SSCP) credentials to those meeting necessary competency requirements. The CISSP, CISSP-ISSEP, CISSP-ISSAP and SSCP are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers a continuing professional education program, a portfolio of education products and services based upon (ISC)²'s CBK, a taxonomy of information security topics, and is responsible for the annual (ISC)² Global Information Security Workforce Study. More information is available at


More information

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Executive Management of Information Security

Executive Management of Information Security WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without

More information

CLASSIFICATION SPECIFICATION FORM

CLASSIFICATION SPECIFICATION FORM www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information

More information

Hiring Guide to the Information Security Profession

Hiring Guide to the Information Security Profession Hiring Guide to the Information Security Profession INTRODUCTION Welcome to the (ISC) 2 Hiring Guide to the Information Security Profession. It s no secret that it s not easy to find qualified experts

More information

Certification for Information System Security Professional (CISSP)

Certification for Information System Security Professional (CISSP) Certification for Information System Security Professional (CISSP) The Art of Service Copyright Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by

More information

Career Survey. 1. In which country are you based? 2. What is your job title? 3. Travel budget. 1 of 28. Response Count. answered question 88

Career Survey. 1. In which country are you based? 2. What is your job title? 3. Travel budget. 1 of 28. Response Count. answered question 88 Career Survey 1. In which country are you based? 88 answered question 88 skipped question 0 2. What is your job title? 88 answered question 88 skipped question 0 3. Travel budget not at all 21.0% 17 somewhat

More information

Certification and Training

Certification and Training Certification and Training CSE 4471: Information Security Instructor: Adam C. Champion Autumn Semester 2013 Based on slides by a former student (CSE 551) Outline Organizational information security personnel

More information

Kevin Savoy, CPA, CISA, CISSP Director of Information Technology Audits Brian Daniels, CISA, GCFA Senior IT Auditor

Kevin Savoy, CPA, CISA, CISSP Director of Information Technology Audits Brian Daniels, CISA, GCFA Senior IT Auditor IT Audit/Security Certifications Kevin Savoy, CPA, CISA, CISSP Director of Information Technology Audits Brian Daniels, CISA, GCFA Senior IT Auditor Certs Anyone? There are many certifications out there

More information

IT S A FUNNY THING ABOUT OFFICIAL CERTIFICATES

IT S A FUNNY THING ABOUT OFFICIAL CERTIFICATES IT S A FUNNY THING ABOUT OFFICIAL CERTIFICATES 1 2 THIS ONE PROVES YOU'RE HERE. THIS ONE SHOWS YOU'VE ARRIVED. 3 FROM GRADUATION TO RETIREMENT, (ISC) 2 FAST TRACKS CAREERS IN INFORMATION SECURITY. Secure

More information

Risk Mitigation: The X Factor in Contingent Workforce Management

Risk Mitigation: The X Factor in Contingent Workforce Management Risk Mitigation: The X Factor in Contingent Workforce Management Perspective Article In this perspective article, Bartech the leading workforce management solutions provider examines the pivotal role of

More information

Information Security Principles and Practices

Information Security Principles and Practices Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 3: Certification Programs and the Common Body of Knowledge Certification & Information Security Industry standards,

More information

Information Security Specialist Training on the Basis of ISO/IEC 27002

Information Security Specialist Training on the Basis of ISO/IEC 27002 Information Security Specialist Training on the Basis of ISO/IEC 27002 Natalia Miloslavskaya, Alexander Tolstoy Moscow Engineering Physics Institute (State University), Russia, {milmur, ait}@mephi.edu

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

Internal Auditing: Assurance, Insight, and Objectivity

Internal Auditing: Assurance, Insight, and Objectivity Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it

More information

IT Security Training. Why Security Certification? A Serious Business - Fear Drives the Demand High Demand Freedom to Make and Break Rules

IT Security Training. Why Security Certification? A Serious Business - Fear Drives the Demand High Demand Freedom to Make and Break Rules IT Security Training Why Security Certification? A Serious Business - Fear Drives the Demand High Demand Freedom to Make and Break Rules Benefits of Certification Provides Assurance to Employers Certification

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

IT and Cybersecurity. Workforce Development with CompTIA Certification

IT and Cybersecurity. Workforce Development with CompTIA Certification IT and Cybersecurity Workforce Development with CompTIA Certification CompTIA solutions meet the federal IT security workforce challenge Federal agencies and contractors face an urgent and unrelenting

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Profil stručnjaka za informacijsku sigurnost - certificirati se ili ne? Biljana Cerin, CISA, CISM, CGEIT, CBCP, PMP www.ostendogroup.

Profil stručnjaka za informacijsku sigurnost - certificirati se ili ne? Biljana Cerin, CISA, CISM, CGEIT, CBCP, PMP www.ostendogroup. Profil stručnjaka za informacijsku sigurnost - certificirati se ili ne? Biljana Cerin, CISA, CISM, CGEIT, CBCP, PMP www.ostendogroup.com DA! (by Global knowledge & TechRepublic) Top certifications by salary:

More information

(ISC) 2 2012 Career Impact Survey Executive Summary. The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow

(ISC) 2 2012 Career Impact Survey Executive Summary. The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow (ISC) 2 2012 Career Impact Survey Executive Summary The Double Edged Sword: Security Career Opportunities Spike While Hiring Challenges Grow Skilled security professionals enjoy job stability and mobility,

More information

ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities

ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities Policy Title: Information Security Roles Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles Approval Date: 05/28/2014 Revised Responsible Office:

More information

Cybercrime & Cybersecurity: the Ongoing Battle International Hellenic University

Cybercrime & Cybersecurity: the Ongoing Battle International Hellenic University Cybercrime & Cybersecurity: the Ongoing Battle International Hellenic University Andreas Athanasoulias, CISM, CISSP Information Security Officer & Security Consultant Brief introduction My career path

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

INFORMATION TECHNOLOGY POLICY

INFORMATION TECHNOLOGY POLICY COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of : DPW Information Security and Privacy Policies Domain: Security Date Issued: 05/09/2011 Date Revised: 11/07/2013

More information

UK Permanent Salary Index - 2015

UK Permanent Salary Index - 2015 1 SYSTEM INTEGRATORS & CONSULTANCIES Job Title Guidelines 8 9 2010 2011 2012 2013 2014 Information & Risk IT Officer Project & Risk Consultant Analyst Part of a team in a large organisation responsible

More information

IT SECURITY POLICY (ISMS 01)

IT SECURITY POLICY (ISMS 01) IT SECURITY POLICY (ISMS 01) NWAS IM&T Security Policy Page: Page 1 of 14 Date of Approval: 12.01.2015 Status: Final Date of Review Recommended by Approved by Information Governance Management Group Trust

More information

CLOUD SECURITY CERTIFICATIONS: HOW IMPORTANT ARE THEY?

CLOUD SECURITY CERTIFICATIONS: HOW IMPORTANT ARE THEY? E-Guide CLOUD SECURITY CERTIFICATIONS: HOW IMPORTANT ARE THEY? SearchCloud Security M ore and more certifications are being created around cloud security. An expert looks at some of the more prominent

More information

Security Certifications. A Short Survey. Welcome. Stan Reichardt stan2007@sluug.org

Security Certifications. A Short Survey. Welcome. Stan Reichardt stan2007@sluug.org Security Certifications A Short Survey Welcome Stan Reichardt stan2007@sluug.org Disclaimer This is just a cursory look at what is out there. I believe certifications are good training tools, but not necessarily

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

The IBM data governance blueprint: Leveraging best practices and proven technologies

The IBM data governance blueprint: Leveraging best practices and proven technologies May 2007 The IBM data governance blueprint: Leveraging best practices and proven technologies Page 2 Introduction In the past few years, dozens of high-profile incidents involving process failures and

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Chief Information Officer

Chief Information Officer Security manager Job description Job title Security manager Location Wellington Group Organisation Development Business unit / team IT Solutions Grade and salary range Pay Group 1, Pay Band 6 Reports to

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

DASSAULT SYSTEMES GROUP HUMAN RESOURCES DATA PRIVACY POLICY

DASSAULT SYSTEMES GROUP HUMAN RESOURCES DATA PRIVACY POLICY DASSAULT SYSTEMES GROUP HUMAN RESOURCES DATA PRIVACY POLICY The following provisions make up Dassault Systèmes Group HR Data Privacy Policy (the Policy ). This Policy applies to our employees, applicants

More information

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO

TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience

More information

Information Security Policy

Information Security Policy Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Hengtian Information Security White Paper

Hengtian Information Security White Paper Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...

More information

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions

More information

Earning Your Security Trustmark+

Earning Your Security Trustmark+ QUICK START GUIDE Earning Your Security Trustmark+ CompTIA.org www.comptia.org/communities Introduction One of the biggest challenges for solution providers is protecting their clients networks and information

More information

INFORMATION SECURITY STRATEGIC PLAN

INFORMATION SECURITY STRATEGIC PLAN INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Guide for the Role and Responsibilities of an Information Security Officer Within State Government Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities

More information

What Makes PMI Certifications Stand Apart?

What Makes PMI Certifications Stand Apart? What Makes PMI Certifications Stand Apart? Many certifications exist for managers that claim to offer practitioners and organizations a number of benefits. So, why are PMI certifications unique? PMI certifications

More information

Social Networking and its Implications on your Data Security

Social Networking and its Implications on your Data Security Social Networking and its Implications on your Data Security Canadian Chamber of Commerce of the Philippines June 8, 2011 Warren R Bituin Partner -SGV & Co. About the Speaker Warren R. Bituin SGV & Co./Ernst

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

PBGC Information Security Policy

PBGC Information Security Policy PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.

More information

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7 PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255

More information

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports GAO United States Government Accountability Office Report to the Committee on Armed Services, U.S. Senate December 2011 DEFENSE CONTRACT AUDITS Actions Needed to Improve DCAA's Access to and Use of Defense

More information

ASAE s Job Task Analysis Strategic Level Competencies

ASAE s Job Task Analysis Strategic Level Competencies ASAE s Job Task Analysis Strategic Level Competencies During 2013, ASAE funded an extensive, psychometrically valid study to document the competencies essential to the practice of association management

More information

What Makes PMI Certifications Stand Apart?

What Makes PMI Certifications Stand Apart? What Makes PMI Certifications Stand Apart? Many certifications exist for managers that claim to offer practitioners and organizations a number of benefits. So, why are PMI credentials unique? PMI certifications

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity Cyber ROI A practical approach to quantifying the financial benefits of cybersecurity Cyber Investment Challenges In 2015, global cybersecurity spending is expected to reach an all-time high of $76.9

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Information Security and Privacy. Lynn McNulty, CISSP. Advisory Board November 2008

Information Security and Privacy. Lynn McNulty, CISSP. Advisory Board November 2008 Information Security and Privacy Lynn McNulty, CISSP Advisory Board November 2008 Global leaders in certifying and educating information security professionals with the CISSP and related concentrations,

More information

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy 1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines

More information

CYBER SECURITY TRAINING SAFE AND SECURE

CYBER SECURITY TRAINING SAFE AND SECURE CYBER SECURITY TRAINING KEEPING YOU SAFE AND SECURE Experts in Cyber Security training. Hardly a day goes by without a cyber attack being reported. With this ever-increasing threat there is a growing need

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Marist College. Information Security Policy

Marist College. Information Security Policy Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...

More information

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

UNIVERSITY OF MIAMI SCHOOL OF BUSINESS ADMINISTRATION MISSION, VISION & STRATEGIC PRIORITIES. Approved by SBA General Faculty (April 2012)

UNIVERSITY OF MIAMI SCHOOL OF BUSINESS ADMINISTRATION MISSION, VISION & STRATEGIC PRIORITIES. Approved by SBA General Faculty (April 2012) UNIVERSITY OF MIAMI SCHOOL OF BUSINESS ADMINISTRATION MISSION, VISION & STRATEGIC PRIORITIES Approved by SBA General Faculty (April 2012) Introduction In 1926, we embarked on a noble experiment the creation

More information

Bridging the Cybersecurity Talent Gap Cybersecurity Employment and Opportunities for Engagement

Bridging the Cybersecurity Talent Gap Cybersecurity Employment and Opportunities for Engagement Bridging the Cybersecurity Talent Gap Cybersecurity Employment and Opportunities for Engagement 2015 Burning Glass Technologies Cybersecurity has a Big Problem Attacks are rising Cyber incidents jumped

More information

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER Thomas P. DiNapoli COMPTROLLER OFFICE OF THE NEW YORK STATE COMPTROLLER DIVISION OF STATE GOVERNMENT ACCOUNTABILITY Audit Objectives... 2 Audit Results - Summary... 2 Background... 2 Audit Findings...

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training

More information

Feature. Developing an Information Security and Risk Management Strategy

Feature. Developing an Information Security and Risk Management Strategy Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide

More information
