Joachim Schmitz,
Trusted Advisor at Diplomatic Council (UN reg.)
We, meaning all of the information security experts worldwide, always had a good idea for information security: an idea in which one competent manager was responsible for the entire topic of information security and at the same time managed IT-security, privacy, data protection and compliance, Schmitz wrote on his blog.
There are still companies that believe in this great greenfield idea, the idea of information security with one manager, a CISO, to rule them all.
"But why is information security so often underestimated in companies?"
First and foremost, it's about people who see information security as a homogeneous task with harmonized goals. Secondly, people underestimate the influences, dependencies, and needs of the different parties involved. Thirdly, there is the idea of treating information security as a tool and a handling process. Unfortunately, this attitude and these thoughts are put to the test by the harsh reality of business requirements. And they fail: an idea meets reality.
The German translation problem…
Apart from that, German companies in particular have a translation issue with consequences: the English term data protection is translated word for word as "Datenschutz", but in Germany "Datenschutz" is actually the word for privacy. This means that the two most conflicting areas of information security, data protection and privacy, become synonyms in an English-to-German translation.
Information Security
Information security as a whole is divided into four main areas: IT-security, data protection, privacy, and compliance. Obviously, there are similarities between these headlines. But it requires a closer look at the details to see what happens when business requirements come into play.
IT-security
IT-security is basically the capability to combat vulnerabilities and attacks. This includes DMZ operation, firewalls, endpoint protection, IAM and PIAM, technical VPN and RMA, protection against unauthorized data flows, SIEM, SOC and ISMS operations, hardening, IP protection, virtual, digital and physical access control, SLA and KPI reporting, DRP and other tasks related to storage and protection activities.
While much more could be written about IT-security, it all boils down to this: IT-security is responsible for the operational processes, security enhancements and operational security manuals, as well as all security operations activities.
IT-security is the most important partner for the company's IT-governance, provider management, internal/external support organization and production (IoT security).
Privacy
Privacy covers customer data, employee data and much more. In principle, privacy governs all of the company's data collections that relate to personal data of natural and legal persons. It is about indexing and privacy procedures, i.e. process directories on privacy.
Privacy develops and sets up rules, acceptance criteria and controls for any external data processing. In addition, privacy is the direct contact for customers and employees as well as for public and government agencies. The tasks also include the development of deletion rules for data and the establishment of rules that define the privacy level. Apart from that, privacy is also responsible for the PDA documents.
The most important partners for privacy are the human resources department, the web and marketing department and the CEO, especially for reporting.
Data Protection and Security
The main task of data protection is to make data reliable. In general, data protection is responsible for the confidentiality, integrity, and availability of data.
Therefore, data protection is responsible for the user role model and the definition of access requirements based on business requirements. In addition, the data classification concept must be developed and controlled by data protection. Similarly, the tactical VPN and RMA rules have to be defined.
In addition, data protection is responsible for the definition of rules for retention, backup and recovery, and cybersecurity. Data protection is also in the lead for setting up awareness programs for employees together with the other three parts of information security.
This makes data protection the most important partner for corporate and business operations, for development and operations management, for the ITSM and DevOps teams (including the applications officer), and for the legal department, particularly regarding customer contracts.
Compliance
Compliance is responsible for linking external requirements with internal needs and adapting them to local, regional and international laws, regulations, standards and obligations based on the company's business activities.
Most of the tactical process and risk analysis is performed by the compliance office. The compliance office is also responsible for conducting internal assessments and monitoring external audits. It manages contacts with local, regional and international regulatory authorities.
Compliance also supplies the NDA document and updates it regularly. Another aspect of compliance is the development of rules for SOC, DC, and infrastructure. Compliance is also responsible for developing the reporting models and drawing up the employer and works council agreements.
Compliance is thus the most important partner for the internal legal department, for customer contracts and for external public and government agencies.
CISO - an idea doomed to failure
So far, this has been a general overview of the responsibilities, views, needs, requirements and mutual dependencies of IT-security, privacy, data protection and compliance. In general, this is still seen as a one-man show, the CISO. But in fact, it cannot be run by one person.
In reality, all these views are different and follow different goals. In addition, all these topics have to comply with different laws, rules and regulations. More often than not, the obligations in one topic conflict with the obligations in another.
This is simply because business and external requirements sometimes even demand conflicting needs and objectives. Compliance with a business requirement to disclose employee data internally may conflict with data protection, just as data protection may conflict with privacy in IT operations. And much more.
So why do so many companies still rely on a single information security job description? The fact is that these problems have to be solved and appropriate risk mitigation implemented based on the best knowledge of all those involved.
Conclusion
All four topics of information security stop being coordinated as soon as business requirements come into play. In fact, a conflict between those responsible for each topic is necessary to reach a consensus on how to proceed. Apart from the above remarks, it is also necessary to integrate security by design into the development process. It is also important to ensure that all contracts with other suppliers, customers and support companies meet the company's security requirements.
Information security managed by one person, the CISO, is not a one-trick pony. All of this requires a maturity analysis and an appropriate organizational structure in terms of the size, business, internationality and diversity of the company.
PS: In case you are German, please never again mix up data protection (Datensicherheit) with privacy (Datenschutz) because of translations.