Roles and Responsibilities
In fact David Lynas, managing director of the David Lynas Consulting Group and COSAC chairman, says the CIO has a number of different roles to play in protecting critical infrastructure, including those of owner, custodian, service provider and communicator/facilitator. Of all of those roles, it is the last that most closely determines the CIO's ability to succeed in the other three. Lynas says CIOs must start with a clear understanding of what defines "success" in protecting the infrastructure.
"The infrastructure exists to support the business mission and enable achievement of the business goals, for if it is not doing that then what else can it be doing but wasting investment? Protection is therefore a business-driven issue so in order to answer the CEO or stakeholder question: "Is the infrastructure protected?", we must first define what exactly the business means by protected, he says.
"The word protected like the word secure has no absolute scale. It has no intrinsic value other than as a property of the specific business and cultural context that is unique to each organization. So a CIO should start by asking the question: 'What do we mean by protected? Do we mean available? Do we mean integrity-assured? And if so, does that apply to the integrity of the data stored on the infrastructure, the integrity of the code providing application and operating system services on the infrastructure, or the integrity of the messages carried by the infrastructure in terms of authenticity of content, source and delivery?
"Do we mean non-repudiability of transactional data? Do we mean confidentiality of data stored or in transit? Do we mean auditability? Do we mean compliant with legislation, regulation or technical standard? Do we mean certified as appropriate under definitions provided by agencies such as DSD? And how much of each of those properties is required (what are the metrics and the measurement approach) in order for our stakeholders to consider the infrastructure to be successfully protected?
"Each CIO's challenge is unique because the definition and volume of each protection attribute will vary from organization to organization, from business process to business process and from infrastructure entity to infrastructure entity," Lynas says.
Then there is the CIO as infrastructure owner. Ownership of the infrastructure brings responsibility and liability - not least the responsibility for managing risk to the infrastructure. Risk in this scenario is defined as a factor of threat (what could go wrong), vulnerability (why it could go wrong) and impact (in what way it would hurt us and to what extent). Lynas says the CIO's risk management strategy must address all three. CIOs must realize risk management is not about the total elimination of risk but rather its effective management, he says. Eliminate all risk and you will likely kill the business. Without taking manageable risks business cannot develop new services or products, introduce new infrastructure, or effect meaningful change.
Next, the CIO must evaluate the investment in controls by which the risk will be managed, Lynas says. "The CIO needs to ask: 'Do I invest in managing the threat (deterrent controls), the vulnerability (preventative controls), the impact (recovery controls), or in a series of detective controls that provide audit trails, evidence and an ability to communicate and respond to risk?'
"Best practice in this area recommends providing strength-in-depth across all areas of control," he says, "but this is expensive so a CIO has to understand the value proposition provided by each potential solution."
In many cases while the CIO owns the infrastructure he or she is not the information owner. Lynas says here the CIO's abilities as a communicator and motivator come into play because he or she has a vital role in communicating these responsibilities to the business owners and ensuring that achievable and realistic targets are set.
Finally, the CIO as service provider must clearly understand the segregation of duties between owner and custodian, drawing on both the attributes profile and the metrics applied to it to facilitate that understanding. "This creates a service level target for delivery and support of protection that is clear and unambiguous and empowers the CIO to set priorities, gain support and buy-in, and obtain the budget and resources required to fulfil their responsibilities as a service provider to the business," he says.
Culturally, Lynas says, CIOs in Australia, particularly in government, compare well with Europeans and Americans with respect to understanding the required protection targets. They tend to have a greater focus on the customer than similar officials in other countries and this causes them to think more accurately about defining real-world requirements.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. - White PaperView this webcast and discover the drivers for changing network design practices, why many organisations are changing their approach to network architecture and how enterprises should be moving forward with open architecture multi-vendor network solutions. Register now and learn how your business can maximize the business value of the enterprise network.
- White PaperJoin industry expert Martin Tuip to discover best practice strategy for the archival and removal of .PST files using email archiving. Learn how to ensure long-term email records are there when needed, and reduce the risk to your business and clients.
- White PaperJoin industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
Chris Hoff on Virtualization and Cloud Computing 20 November, 2008 10:55:00
Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board, is one of the biggest critics of virtualization security out there. Not because it isn't important - but rather because it is vital and needs to mature rapidly. - +
Cybersecurity is focus of new start-up incubator 20 November, 2008 07:19:00
Texas uni announces the Institute for Cyber Security.The University of Texas at San Antonio Tuesday announced a technology incubator aimed at fostering IT security-based start-ups within the state. - +
Dilip Sarangan on Physical Security M&A 20 November, 2008 11:18:00
Dilip Sarangan tracks physical security companies for Frost & Sullivan. He expects the industry's "need to have" products to weather the economic storm well, with the big players (now including IBM and Cisco) looking for value-priced acquisitions. - +
International Challenges in PCI Security 20 November, 2008 09:15:00
In a country that's seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective. - +
PCI council sharpens oversight of security auditors 19 November, 2008 10:53:00
Quality assurance plan targets security assessors and scanning vendorsThe PCI Security Standards Council Monday unveiled a plan to sharpen oversight of the hundreds of security-service providers now authorized to evaluate merchant networks under the organization's Payment Card Industry data standards.
Vignette Announces 2008 Excellence Awards 21 November, 2008 10:50:00
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 20 November, 2008 17:34:00
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 20 November, 2008 12:06:00
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 20 November, 2008 12:04:00
AARNet Brings 4K Digital Cinema to Australia: First 4K HD Video Signal delivered into Australia by AARNet 20 November, 2008 12:02:00
|
||
|
||
|
|
||
|
Solve Exchange Mailbox Storage Issues Once and for All
Join industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Buying Guides
Latest Products
Buying Guides
