Security is not the CISO or CIO’s job…
As reported in SANS NewsBites from July 18:
The House Veterans Affairs Committee is pushing forward a new bill that would make the VA CIO an Undersecretary, giving him status equal to the other departmental leaders. It also creates another position, Undersecretary for Information Security. Additionally, it details response to data breaches, risk analysis and notification and credit monitoring services for those affected.
I imagine this kind of response is a common reaction to data security concerns. Create a CSO, or elevate the responsibility of the CIO, and make them responsible for “fixing the problem.”
The problem isn’t a security issue, it’s a mismanagement problem.
The objectives of the organization must justify the application of security. Security is only one tool an organization must use to achieve its identified business objectives. Security must not be seen as a feature that IT provides; it must be seen as a key requirement for an organization to achieve its strategic mission.
A key business objective of the VA, as with any health organization, is to protect the medical and personal information of its patients. This objective can only be achieved through the proper application of processes and procedures. Technology can be an enabler here.
Instead, many organizations take the opposite approach. “We need encryption to protect our user information.” This is insufficient. It applies a band-aid to a problem. It’s installing a gate, but failing to erect the fence.
Businesses must understand the implications for their bottom lines of improper business policies and procedures. Risks to key business objectives must be identified. For each risk, threats must be analyzed and decomposed. Policies and procedures, coupled with the application of technology, can help the company achieve a satisfactory level of mitigation.
Solve the problem, and put the band-aids away.
Bill