High-level corporate, project and personal objectives are often very vague: “A trusted partner”, “A safe pair of hands” or “The best!”. The same goes for corporate mission statements (“Don’t be evil”), marketing/branding (“Just do it”), politics (“Vive la révolution!”) and more. To act on and hopefully achieve them in a rational, directed or controlled manner involves understanding what they really mean, peeling back the layers, exploring the meanings and interpretations in more detail – a process that is inherently uncertain, i.e. risky. The upside risk (opportunity) arises from the understanding, insight, specificity and consensus generated as they are discussed, amplified and clarified, while the downside risk includes the opposites, e.g. misunderstandings, hand-waving generalities and fragmentation of objectives.
ISO/IEC 27001 tries to persuade organizations to think through their corporate or business objectives, elaborating on the information risk and security implications which form the main drivers for the Information Security Management System. I’m not entirely sure it succeeds though! Section 4 on the context for the ISMS is extremely important to the ultimate success of the ISMS, but the standard's wording is succinct and complex, open to a wide variety of interpretations. It’s a topic we often discuss on the ISO27k Forum.
It’s a tricky thing to do at the outset of an ISMS design and implementation … and, by the way, something that ought to be actively reviewed and updated as time goes on, not least because the ISMS itself materially changes the organization. A sound ISMS affects not just achievement of the corporate objectives in this area, but opens up further possibilities for the business. A secure organization has more options.
Aside from personal or individual objectives, all the others involve groups of people working towards shared/common objectives (hopefully), and of course that creates room for differences of interpretation, approach, priorities etc. Hence communication is another risky aspect to this – not datacoms but expressing, discussing, understanding and agreeing on complex issues. It includes persuasion, possibly even social-engineering-type manipulation. This very email is an example: I think I know what I’m trying to say, but I’m certain not all of you will read it, get it and agree with every word! I’m taking a small risk by even expressing it.
In the information security context, we have numerous objectives, some of which are hard to express and pull us in different directions (e.g. strong authentication and access controls reduce the availability of information to legitimate/authorized users as well as to the illegitimate/unauthorized ones; strong compliance can be costly and counterproductive). I maintain that exploring and elaborating on them, emphasizing in particular the infosec objectives that most obviously and directly align with and support the organization’s business/strategic objectives, is a powerful approach. It certainly makes it harder for anyone to block or interfere with the achievement of security objectives. It can be career-limiting to be seen to be acting against the organization’s interests. Resisting without being obvious about it remains a possibility, however!