Information Security Management and the Connectivity Gap: Solving for the Missing Links in Enterprise Information Security

Originally published by Tentacle.

Written by Danielle Morgan, Tentacle.

Let’s start with the basics: a foundational definition of Information Security management is the process of developing, maintaining, and continuously improving processes aligned with the main goal of ensuring sensitive data is not compromised, lost, or stolen. Information Security at the large, enterprise level, however, is quite the layered onion; expanding far beyond this ‘foundation’ and morphing into a complex puzzle with moving pieces.

Spend any time working in this space and you’ll likely understand why Information Security presents challenges for any business, especially for the enterprise and for the professionals tasked with managing the efforts. From the larger employee populations to the vast network of vendors, successfully tackling Information Security as a whole requires a nimble and comprehensive strategy.

Why can it be complicated to manage information security at a large organization?

Large organizations face unique challenges when it comes to managing information security. The not-so-simple profile of an enterprise alone gives plenty of clues into the variety of obstacles. A few key characteristics of the large enterprise that lead to complication include the size of the employee population, the internal structure of the organization, and the extended networks of vendors and partners.

More people, more (potential for) problems

Large organizations by nature have more employees; more people using business assets and applications on the network, more people accessing more data, and in today’s workforce, more people in more locations than ever. According to Verizon’s 2022 Data Breach Investigations Report, human factors like mistakes in system configuration, compromised passwords, and successful phishing scams play a role in 82% of data breaches. More people simply means more opportunities for breach. This challenge of ‘more people’ presents specific hurdles to the security-related teams within the organization. Larger and more dispersed teams can result in inconsistencies and dilution of information, protocols, awareness, etc.

More pieces to the puzzle

Additionally, large organizations commonly have multiple divisions, business units, subsidiaries or other entities owned by or affiliated with the enterprise. This structure results in decentralized Information Security. Different divisions, business units, product lines, etc. can make the maintenance of consistent, organization-wide practices related to information security, compliance, and risk management very difficult. Varied reporting structures for information security functions such as vulnerability management, disaster recovery planning, and identity access management create yet another layer of complexities faced by the enterprise.

More support in keeping the boat afloat

As the enterprise grows, so too does the ecosystem of vendors and partners necessary to keep operations moving smoothly. With the average cost of a data breach due to vulnerabilities in third-party software totaling over $4.5 million (according to IBM’s 2022 Cost of a Data Breach report) an expansive network of vendors can mean not only more opportunities for breach, but high costs to the enterprise to recover.

More games of ‘security posture telephone’

It’s no secret that an organization’s security posture is more than just the activities carried out each day to protect the enterprise. An organization’s security posture is woven into countless other functions focused on sustaining success and on business growth. Winning new business, appealing to consumers, maintaining and achieving compliance, all requires seamless, transparent, and effective communication of the methods in place ensuring information security. The security professionals are no longer the only communicators; top-level executives, marketing teams, sales organizations, and human resource departments alike, all need access to reliable, comprehensive, and up-to-date information security details. This requirement creates another challenge security professionals must solve for - how to enable these pathways of communication without compromising the integrity and accuracy of the program details?

What are the missing links in enterprise information security management?

The examples mentioned above are likely just the tip of the infosec challenge iceberg, and someone actually tasked with managing the security posture of an enterprise organization would probably say that we don’t even know the half of it. These examples, however, expose common missing links that create a larger connectivity gap; hindering broader collaboration for larger security teams, limiting on-going and expanded ecosystem visibility, and slowing real-time communication from a centralized source of truth. Filling this ‘connectivity gap’ would not make the enterprise infosec posture less complex, but just might ease the management of a complicated beast, while keeping everyone more secure. So, what are the specific missing links?

Lack of Centralization

Remember more people, more problems? Well, more people, more tools, more methods of storage, more communication channels, and on and on and on. Despite the best efforts of the enterprise to streamline necessary tools, those available and used by employees seem to multiply by the day. Critical information security details are often stored across a variety of tools and formats - Sharepoint, Google Docs, desktop folders, spreadsheets, audit reports, and so many more. It’s nearly impossible to compile a comprehensive program overview (or even find the answer to a single question) in any short amount of time, much less do so with confidence the information gathered is up-to-date. This decentralized method for housing information significantly inhibits the ability to easily collaborate as a unified security team. Without one place to reference how an enterprise aligns with specific industry frameworks and standards, how the enterprise satisfies individual controls, to access key policies and procedures, to review program analytics, etc., security teams and their closely related functions are left uniformed about the most foundational aspects of the information security posture.

Lack of Visibility

‘Lack of Visibility’ probably sounds like a very broad missing link - it is broad. This missing link is not due to ambiguity around what the enterprise needs visibility into, but rather, due to the expansive size of that list. As mentioned before, Information Security is woven into every layer of the organization therefore, an enterprise must create and maintain the pathways for transparency. But these pathways can be hard to come by. This is especially true when considering the enterprise’s network of third parties. Evaluation of third parties is often done initially only to be followed by occasional check-ins, and often only for the most critical or largest suppliers. Even for organizations with a solid cadence of re-evaluation of their third party network, detailed analysis of each requires a lot of resources and is commonly reduced to a ‘check the box’ method. Enterprises lack on-going and real-time insight into their extended networks, relying on a moment-in-time assessment to deliver information that is constantly evolving.

Lack of Communication

The successful communication of a highly-complex topic poses a challenge for any organization, especially when many responsible for delivering the communication aren't always the individuals specialized in the field. Additionally, Information Security has historically been a ‘locked down’ topic, perceived in its entirety as ‘sensitive’, only to be shared under NDA and shared by the infosec professionals representing the organization. More recently, businesses are beginning to alter this mentality, if only doing so slightly, by making more general information related to the structure of the infosec posture more readily available. With this shift, first-hand communicators in various departments such as sales, marketing, etc. need access to reliable and up-to-date information to share confidently. Beyond protecting the organization from threat, Information Security can now be the determining factor in a business deal won or lost, an individual consumer’s decision to purchase a product, therefore easy access and the accuracy of information shared is critical. Information Security professionals cannot be expected to manage all of these pathways of communication nor can they be a bottleneck to business growth, so organizations must implement the channels for effective communication of an ever-changing program.

Filling the gaps: a pathway for stronger enterprise information security

To address the missing links related to centralization, visibility, and communication, the enterprise must make a commitment to move away from processes that create these gaps in the first place. This is easier said than done and unfortunately, no matter how great the ‘sales pitch’, procedural changes within an organization do not happen with the flip of a switch. Fortunately for the enterprise, however, technology does exist to close these gaps - and today’s technology enables the implementation of these tools in a way that is frictionless, cost-effective, and easier than ever before. When looking to address the connectivity gaps, an effective solution should offer:

• Centralized ‘source of truth’: The multi-layered nature of an Information Security posture requires extensive formal responses to applicable framework controls, requires documented policies and procedures, requires artifacts or ‘proof’ of procedures in place, and much more. This information should be stored, updated, and maintained in one place.
• Built specifically for Information Security: While many tools exist to satisfy content management needs, very few of those tools are designed specifically for managing Information Security. Technology for managing InfoSec programs should align with the InfoSec industry with indexed frameworks/standards, risk and threat analysis, tools for enhancing the posture of the organization, to name a few examples.
• Communication tools for showcasing Information Security: The security posture of an organization can be illustrated in a variety of ways - beyond the confines of the spreadsheet. An effective tool should offer a variety of methods for communicating necessary information depending on the receiving party from high-level but informative program summaries to extensive assessment responses complete with applicable documentation and artifacts.
• Ecosystem Connectivity: Truly enhancing the security posture of an enterprise requires extended visibility into the entire network of vendors and partners. One-time assessments simply do not provide this visibility so the right tool will deliver the mechanisms for connecting an infosec ecosystem; promoting ongoing transparency and enhanced security.
• Actionable analytics: From developing a program to responding to an individual assessment, today’s methods do not provide useful insights in return to be leveraged in making programmatic decisions and improvements. Technology should be the pathway to these improvements and for Information Security programs, the right technology platform should provide detailed analysis to support the user in prioritizing the best steps towards a more comprehensive InfoSec posture.

An enterprise’s choice to properly invest in the right technology will empower Information Security professionals to close the connectivity gaps in the programs they manage, resulting in a better communicated and more secure InfoSec posture.

About the Author

Starting out as an elementary school teacher, Danielle made a transition into the technology start-up world and was quickly hooked. She is energized by the 'every day is something new' vibe, loves to help others solve challenges, and is passionate about building successful teams that truly enjoy what they do.