Roles and Responsibilities
2. User Representative – The users are one of the main keys to the success of any security program. The user representative ensures that concerns including mission, cultural, frontline operational, environmental, and user acceptability are included in any system security solution. Additionally, they become the conduit for communications between management and the user community, facilitating security promotion to the users and carrying alternative solutions back to management.
All of these vary in title and description of duties from one organization to another. Examples of these are:
■ Senior Management – Can be members of the Board of Directors, who are ultimately responsible for the overall health of the enterprise, or General Managers in officer-level positions (such as the CEO and COO), who are responsible for daily decision making and for infusing values and culture throughout the organization. Senior management must establish that security is a non-negotiable, essential component of business activity.
■ Approving Authority – In some financial organizations this is the Chief Financial Officer (CFO); in other organizations it is the newly designated CSO; but in the majority of cases it is the CIO.
■ Verification Entity – Has been one or a combination of internal and external audit and information system security professional functions, sometimes called the Inspector General, Auditing, Compliance, Certifier, or Certification Agent/Group.
■ System Owner – Is the person with overall responsibility for directly managing the information system’s operations, and is known by a variety of titles in different organizations or during different phases of the SDLC, such as Business Functional Manager or Director, or Project or Program Manager.
■ User’s Representative – Can be anyone from a representative appointed by the users to the systems administrator.
Understanding the roles of each of the above, the ISSMP can now see why the level of security education and awareness with each of these individuals is very important to the success of any system security program. This will be discussed more at the end of this chapter.
Some organizations have additional professional personnel who support the above individuals in establishing and maintaining the security for a system. The following are examples of some of these:
■ Risk Analyst – The Risk Analyst is responsible for overall risk management activities that can include fiduciary, legal, regulatory, investment, health and safety, and security. Additionally, this person knows the standard methods for calculating risk and how to determine the various values for risk equations.
■ Chief Information Security Officer (CISO) – The CISO is responsible for developing, implementing, and overseeing the information security program, policies, standards, and guidelines, and conducting risk assessments, identifying practical security solutions, and promoting security awareness to all levels of an organization.
■ Information System Security Officer (ISSO) – The ISSO is responsible for direct oversight of the system’s security by conducting routine reviews of system security logs and operations, and he or she provides security advice to the system owner. Sometimes the ISSO is called the Business Unit (Information) Security Officer (BSO/BISO) because he or she reports to a business unit manager. The ISSO or BISO sometimes has an additional reporting structure to the CSO or CISO for receiving additional guidance, tasking, and reporting.
Security Leadership & Management
With the exception of the ISSO, who typically works with the System Owner, the others can work for any number of senior managers. In some organizations the Risk Analyst is a general staff person who works for one or more business units, providing risk assessment support to a broad variety of reviews and decision-making processes, while in others this individual is the Chief Risk Officer (CRO), providing risk analysis to the General Managers and the Board of Directors on compliance and business issues. The CISO can work for one or more General Managers or for the CIO, CFO, or CSO, depending on the internal structure, history, cultures, business focus, personalities, and politics within an organization. In the majority of cases, the CISO works for the CIO because system security is viewed as an information technology function. In some cases, the CISO works for the CFO because the organization is viewed as being a financial business, and information systems are viewed as only a support element. In others, the CISO works for the CSO where there is one, because information security is viewed as an organizational requirement that requires the integration of all security disciplines (personnel, computer, and physical). Sometimes the CISO does not work for the CIO because of a concern about conflict of interest: the CIO may be more concerned with availability, whereas the CISO is concerned with all security functions (availability, integrity, and confidentiality). Another reason could be a senior management concern that the CIO does not fully respect the priority of business requirements over technology.
Each of the above roles holds a key responsibility for ensuring that an information system maintains an adequate level of security, but the most critical roles are the system owner and the ISSO, because they are the ones who are supposed to be monitoring the system’s security status on a daily basis and have the most security knowledge. They are also responsible for making sure that the system’s needs are reflected in the organization’s budget and that the approving authority is aware of any security concerns related to the system. The latter is accomplished by providing reports and presentations to senior management so they can take action to resolve any security issues.
An ISSMP has the potential to support, or to fill, any of the above roles because the ISSMP’s professional expertise is needed for the success of each. Qualifying for any of these roles does require experience and additional qualifications and knowledge. To be successful in an organization, all of the above need to understand how to gain resources and how to present their needs to management.
Resourcing Security
Understanding how to gain additional resources requires an understanding of several additional concepts and processes:
■ Maslow’s Hierarchy of Needs
■ Project Management
■ Planning, Programming, Budget, and Execution
■ Needs Justification
Hierarchy of needs is the result of Maslow’s theory of what motivates individuals to take the actions that they do. Maslow identified five levels of needs – physiological, safety, love, esteem, and self-actualization. Figure 1.12 provides a visual representation of the five levels and some of the actual needs at each level.
Figure 1.12 – Maslow’s Hierarchy of Needs
CASE STUDY
Maslow’s theory is that one must achieve, maintain, and satisfy the lowest levels before one can take on the next level of needs. This theory is not as rigid as it seems because an individual’s priorities can fluctuate from minute to minute (for example, if one cannot breathe, one quickly refocuses on the physiological level, or if one’s home is lost, one refocuses on the safety level until shelter is obtained), but for the most part individuals are subconsciously at one or two levels. Knowing which need levels individuals are at is very important to the ISSMP because understanding what motivates individuals is one of the keys to developing strategies for influencing, managing, leading, selling, and convincing other individuals. For example:
Situation – A manager of a profit center supported by an information system is in fear of losing his job. Which level is he at and how do you convince him to buy a firewall?
Strategy – He is focused on the safety level, so explain how the lack of a firewall can adversely impact the success of the profit center and that a security incident can be highly embarrassing to the organization, which will result in the loss of clients.
Situation – A project team of professionals is working on a project in a very high growth industry with a lot of competitors paying higher salaries. Which level are they at, and what do we do to motivate them to stay working on this important project?
Strategy – In general, the team is financially stable and educated, so they can be at the love level or the esteem level. If the members are at the love level, the ISSMP will need to take actions to improve the group dynamic to increase the individuals’ sense of belonging. Increasing group interaction by holding meetings with interactive exercises would be one solution; another action could be to generate a name for the team, create a logo, and produce a banner, caps, buttons, or shirts. If some or all of the members are at the esteem level, an appropriate action would be to compliment individuals on providing good ideas or compliment the group for successes.
All too often, when a manager is asked, “How do you motivate someone?” the manager’s immediate answer is, “More money!” Usually the best answer is to determine what level the person is at and take an action appropriate for supporting the need at that level.
(Source – Maslow, A. H. “A Theory of Human Motivation.” Psychological Review 50 (1943): 370–96.)
Figure 1.13 – PMI Body of Knowledge
Project management principles need to be understood if an ISSMP is going to be successful in managing or assisting in any medium or major effort. One good source of knowledge about how to manage a project is the Project Management Institute (PMI), which has chapters and learning facilities around the world. According to the PMI model, project management consists of understanding dozens of processes that are required for successfully managing projects. These processes consist of five basic process groups and nine knowledge areas (see Figure 1.13).
The basic process groups are defined by PMI as follows:
■ Initiating Process group – Defines and authorizes the project or a project phase
■ Planning Process group – Defines and refines objectives and plans the course of action required to attain the objectives and scope that the project was undertaken to address
■ Executing Process group – Integrates people and other resources to carry out the project management plan for the project
■ Monitoring and Controlling Process group – Regularly measures and monitors progress to identify variances from the project management plan so that corrective actions can be taken when necessary to meet project objectives
■ Closing Process group – Formalizes acceptance of the product, service, or result and brings the project or a project phase to an orderly end
(For more information, see A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 5th edition.)
Note that the above groups resemble the security cycles discussed earlier: the names differ, but the functions are very similar (see Figure 1.14).
As can be seen from Figure 1.14, the nine knowledge areas have processes for managing specific key functional elements, some of which were identified in the previous security cycles. Scope, quality, and risk management are areas that are very similar. Others, related to managing costs, time, personnel, procurement, and communications between groups, are areas in which sound management skills could very much support the various actions that need to be managed in any of the development and security cycles previously discussed.
The success of ISSMPs can depend on how well they understand the processes above, because this knowledge will allow them to manage projects and work with project managers more effectively.