Information Security – How Should it be Governed?
Information security has become a significant governance issue as a result of increased dependence on IT, increased sophistication of threat agents and exploits, increased regulations and legislations, rapid technological innovation and change, and an extension of banks beyond their traditional boundaries.
The framework for information security governance will consist of the following amongst others:
- Guiding policies approved by the board of directors that provides direction for information security activities and responds to changing risks in banking (for example news risks associated with mobile payments).
- Institutionalized process for information security operations that ensures compliance with policies and provides feedback (and escalation where necessary)
- Effective security organizational structure that ensures the bank thrives and critical security issues are brought to the attention of the senior management and board of directors.
The last point raises a question which this article will focus more on: Should the IT department be put in charge of information security?
Putting the IT department in charge of information security responsibilities may have stunted the growth of information security in many banks. Information security is NOT the same as IT security. Information security has a much broader scope, where technology is not the focus but a means to the end. The priority of information security being the application of appropriate protection to the organisation’s various types of information whether that is stored electronically (including on portable media) or on paper or even in individuals’ heads.
In the past, there were discussions around who should be in charge of information security management. Some posit that the IT department is strongly placed to take this responsibility. But a review of what the function entails may suggest otherwise. To be responsible for information security means taking the lead enterprise-wide in topics such as risk management (defining how to evaluate risk and what protection to apply), information security policies, procedures, standards, guidelines, baselines, information classification and security education and awareness. This is not the forte of IT professionals, as they are not trained Risk Management professionals. Furthermore, more often than not, putting the IT department in charge of protecting the information assets they setup usually puts them in a situation of conflict.
For instance, when an external consultant is engaged to perform a Penetration Test and grave security issues are discovered, the IT department would typically ‘sit on’ the report and try to manage it ‘inhouse’. They typically would not permit the consultant to present findings to those charged with governance.
Information Security – Driven by a C-Level Officer
The most important point is that information security is driven by a C-level officer who understands the risks and issues involved and has no conflict of interest. Given the structure in most banks in Nigeria, the information security function is better led and driven by the Chief Risk Officer (CRO). In this case, the CRO either holds the Chief Information Security Officer (CISO) role or has a direct report that holds the position. Some bank CROs shy away from this responsibility because they feel they do not understand Information Technology. They feel more comfortable with credit, liquidity and operational risk. Bank CROs must wake up to the reality that not only have IT and Payment Systems risks come to stay, they will keep on growing. IT and Payment Systems risks may in the future pose more threats to the organisation than credit, liquidity and operational risks.
Any CRO that does not have IT and Payment Systems risks on his/her dashboard or include it in Board packs is sitting on ‘a keg of gun powder’, which could explode anytime.
Like the ‘protective layers of the onion skin’, when information security governance is addressed, technical issues will be resolved because they will always get boardroom attention. It is noteworthy to mention that a few banks already recognised Information security as a journey and not a destination. They did approach their PCI DSS compliance the better way- putting in place the right governance structure, ensuring a reputable consultant was selected to assist them and ensuring that controls were properly implemented in line with security requirements.
For further details on this, please feel free to contact Joleen Young, Associate Director Africa Payments Advisory – Africa on firstname.lastname@example.org