Roles and Responsibilities

In fact David Lynas, managing director of the David Lynas Consulting Group and COSAC chairman, says the CIO has a number of different roles to play in protecting critical infrastructure, including those of owner, custodian, service provider and communicator/facilitator. Of all of those roles, it is the last that most closely determines the CIO's ability to succeed in the other three. Lynas says CIOs must start with a clear understanding of what defines "success" in protecting the infrastructure.

"The infrastructure exists to support the business mission and enable achievement of the business goals, for if it is not doing that then what else can it be doing but wasting investment? Protection is therefore a business-driven issue so in order to answer the CEO or stakeholder question: "Is the infrastructure protected?", we must first define what exactly the business means by protected, he says.

"The word protected like the word secure has no absolute scale. It has no intrinsic value other than as a property of the specific business and cultural context that is unique to each organization. So a CIO should start by asking the question: 'What do we mean by protected? Do we mean available? Do we mean integrity-assured? And if so, does that apply to the integrity of the data stored on the infrastructure, the integrity of the code providing application and operating system services on the infrastructure, or the integrity of the messages carried by the infrastructure in terms of authenticity of content, source and delivery?

"Do we mean non-repudiability of transactional data? Do we mean confidentiality of data stored or in transit? Do we mean auditability? Do we mean compliant with legislation, regulation or technical standard? Do we mean certified as appropriate under definitions provided by agencies such as DSD? And how much of each of those properties is required (what are the metrics and the measurement approach) in order for our stakeholders to consider the infrastructure to be successfully protected?

"Each CIO's challenge is unique because the definition and volume of each protection attribute will vary from organization to organization, from business process to business process and from infrastructure entity to infrastructure entity," Lynas says.

Then there is the CIO as infrastructure owner. Ownership of the infrastructure brings responsibility and liability - not least the responsibility for managing risk to the infrastructure. Risk in this scenario is defined as a factor of threat (what could go wrong), vulnerability (why it could go wrong) and impact (in what way it would hurt us and to what extent). Lynas says the CIO's risk management strategy must address all three. CIOs must realize risk management is not about the total elimination of risk but rather its effective management, he says. Eliminate all risk and you will likely kill the business. Without taking manageable risks business cannot develop new services or products, introduce new infrastructure, or effect meaningful change.

Next, the CIO must evaluate the investment in controls by which the risk will be managed, Lynas says. "The CIO needs to ask: 'Do I invest in managing the threat (deterrent controls), the vulnerability (preventative controls), the impact (recovery controls), or in a series of detective controls that provide audit trails, evidence and an ability to communicate and respond to risk?'

"Best practice in this area recommends providing strength-in-depth across all areas of control," he says, "but this is expensive so a CIO has to understand the value proposition provided by each potential solution."

In many cases while the CIO owns the infrastructure he or she is not the information owner. Lynas says here the CIO's abilities as a communicator and motivator come into play because he or she has a vital role in communicating these responsibilities to the business owners and ensuring that achievable and realistic targets are set.

Finally, the CIO as service provider must clearly understand the segregation of duties between owner and custodian, drawing on both the attributes profile and the metrics applied to it to facilitate that understanding. "This creates a service level target for delivery and support of protection that is clear and unambiguous and empowers the CIO to set priorities, gain support and buy-in, and obtain the budget and resources required to fulfil their responsibilities as a service provider to the business," he says.

Culturally, Lynas says, CIOs in Australia, particularly in government, compare well with Europeans and Americans with respect to understanding the required protection targets. They tend to have a greater focus on the customer than similar officials in other countries and this causes them to think more accurately about defining real-world requirements.