Striking a balance between functionality and risk mitigation in a company can be a challenging task, especially in an area like Information Security (IS), where the risks are often complex mixes of business and IT. Such risks are less easily understood and are therefore more readily accepted by many people in the organisation.
An IS officer specialises in understanding these threats and will consequently rate them much higher than others in the organisation. The pitfall for IS officers is that they understand the risk, but not necessarily the benefits of taking it. As a result, the IS officer will want to lock down much more than colleagues responsible for the revenue generation of the Group. Neither party should be the sole decision maker on an organisation's policy; a more balanced approach to information security involves the whole firm. For example, the HR division cannot be the only ones who decide on the different HR processes within a company, and it is the same with IS: there are people within the business with needs beyond those of the HR department. We understand that a healthy business needs to take risks to prosper. As the IS team, it is our responsibility to help the organisation understand the information security elements of those risks and thereby prevent the organisation from taking reckless ones.
Our IS governance model is not common among organisations but, in my experience, it has worked well. We have established a governance structure with a steering committee that is represented at board level, and an IS authority that defines the company's security policies and rules. This authority is made up of representatives from all departments. Working as a team for the common goal of strong but functional IS, these representatives bring perspective from various operations such as finance, compliance, security, IT, HR, marketing etc., and are ultimately able to find a balanced approach that allows for accessibility as well as information control.
This multi-jurisdictional operating model adds an interesting level of complexity to our IS approach. On the one hand, many software services are now cloud-based and this cross-border technology is growing, while on the other hand nations slowly tighten their data protection legislation and financial regulations. This leads to a complex balance between IT efficiencies, legal compliance, client expectations and IS control. The balance can change from one moment to the next as new legislation is introduced. A good example for us in the past year has been our business in the Russian Federation, where we put significant effort into migrating their IT environment to our regional data centres, only to have to move it back in-country as a result of new data protection legislation.
Furthermore, the EU High Court's declaration that the Safe Harbour agreement is invalid, the difficulties in ratifying its successor, the EU Privacy Shield, and the ratified EU General Data Protection Regulation are just some of the developments in the legal arena that will dictate what the future of our information protection is going to look like. We will continue to look to cloud technology to support us and will undoubtedly see shifts towards this technology in the years to come. It remains difficult for our organisation, and organisations like ours, to strike the right balance between efficiencies and cost savings via cloud-based services on the one hand, and compliance with local law and contractual obligations on the other. The correct interpretation of law requires an entirely different expertise, and we are glad of our strong relationship with our Group Legal department, with whom we discuss these situations on a regular basis and continually evaluate the developments.
What we have found useful in the service industries is the ISO 27001:2013 standard. It provides a solid approach to the design of an information security management framework, so that we can continually improve our security in a way that is justified and balanced for the organisation. As an audited and internationally recognised certification, it shows that the security measures a company takes are adequate, and that it has the right methodology to stay in control. Our methodology involves a "plan, do, check, act" cycle in which we strive to identify all the risks, then classify and treat them accordingly, or accept them where applicable. ISO 27001:2013 is all about methodology and continual improvement in security.
Global compliance challenges haven't slowed the increase in the use of digital services. Submitting a document in paper form or via upload to a remote site is being replaced by online portals that carry a significantly different IS risk. From a security perspective, these online portals are black boxes, and while there are many good information technology security measures out there, hackers are just as clever at avoiding them. Since these online portals are concentrations of valuable information for many companies, hackers are attracted to them like bees to honey. The results of these hackers' interest can be found regularly in the media. Ironically enough, many of these hacks are not the direct result of exploiting technical vulnerabilities in the system, but of compromising access accounts to these systems using sophisticated social engineering tactics. Social engineering is skyrocketing in the world, and scammers are now quite creative: bogus emails are very professional and authentic-looking, attracting many more inadvertent clicks. To me, this sophistication is why social engineering, and consequently building a security culture within the organisation, is one of the most important areas we need to address in the coming years.
As an example, in the past year alone I have investigated three different incidents of fake LinkedIn accounts trying to gather information by sending invites to colleagues. I often get feedback from colleagues that it is not such a big deal because it is all public information anyway. What people often don't realise is that all this information can subsequently be used to learn a lot about us: our company, our clients and our other relations. On top of that, all of that information is then used to create targeted malware.
The best way to combat threats is to educate the people they're directed at, and to encourage them to be part of the solution. Last year our company saw a rise in the number of security incident reports received. However, rather than being an increase in actual threats, it was the result of people being more aware and reporting them. This is a key achievement in controlling our information security, and it can only be accomplished by a culture that rewards the acknowledgement of mistakes rather than penalising failures. A good security culture is one where people want to participate, as opposed to a culture where people fear the consequences if they do not. It is my sincere hope that we will build that culture within this company in the coming years.
A further advantage of building a security culture is that we are not just protecting our organisation; at the same time we are arming people with knowledge that they can take outside the office and apply in their personal lives. If you have something that is sensitive, be careful with it. Click wisely and protect the data you have. We have set up a dedicated reporting structure through which our colleagues can report potentially malicious communications whenever they doubt the authenticity of a message. Employees are encouraged to verify the authenticity of messages using alternative means of communication, such as a direct contact number for the alleged sender, obviously avoiding any contact details mentioned in the suspected message itself.
Doing business implies taking risks. The key is to understand the risks you take and to deal with them until they become acceptable and can be controlled. Understanding risks is not a solitary mission. TMF Group is filled with experts in all sorts of areas, and all of these experts help their colleagues and business relations to understand the risks in their own fields of expertise. Information Security is our area of expertise. Everyone in the IS team is happy to share the knowledge they have and to support colleagues in creating a safe and secure working environment.
Michiel Benda is Chief Information Security Officer at TMF Group