Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Jul 31, 2008

Systemic security management:: the ICIIP model

I don't know about you but models have intrigued me ever since I was a kid playing with Meccano and Lego. There's something fascinating about the structure and relationships making the whole thing greater than the sum of its parts. So when I heard about a new model linking people, process, technology and organizational design/strategy in the context of information security, I couldn't resist a look.

A PDF presentation of the ICIIP model gets off to a good start, representing it as a nice symmetrical three-dimensional tetrahedron rather than so many other flat two-dimensional tabular models. It even has information labels on the six connections (described as "tensions") between the four nodes as well as on the nodes themselves. The tensions are governance, architecture, culture, human factors, enabling and support, and 'emergence' (representing the inherent complexity and emergent properties of any organizational system).

Digging a bit deeper, authors Laree Kiely and Terry Benzel explain slide-by-slide the labels on the model. In each case they outline what they mean by the labels, fair enough, and then follow up with 'recommendations' ... and here I start to wonder how they came up with the specific recommendations. The authors' previous works are cited but not properly referenced in the paper, so readers are left guessing.

For example, their recommendations for the governance tension are as follows:
• Understand the criticality of security issues
• A different attitude regarding governance role and duties
• Emergent, cross-industry communities of interest and communities of practice who could develop standards
• New security knowledge and criteria for CEO selection, performance review, and compensation
• Require development and education for Boards and C-Suite as part of new self-regulating standards
• Criteria implemented corporation-by-corporation
• Hold vendors and suppliers accountable for implementing these standards/criteria

Standards, education and accountability seem reasonable if not exactly Earth shattering proposals, but why did they pick these out and how do they relate to the management of information security.

There's a lot missing from the presentation slides (such as how the "tensions" relate to the nodes) which, presumably, the authors fill-in when presenting. However, there are several other materials from Dr. Kiely and Benzel on the USC Marshall website which I shall enjoy exploring at my leisure.