Once more unto the Breach
eBook - ePub

Once more unto the Breach

Managing information security in an uncertain world

  1. 237 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

In this revised edition of Once more unto the breach, Andrea C Simmons uses her extensive experience to provide an important insight into the changing role and responsibilities of the ISM, walking you through a typical ISM's year and highlighting the challenges and pitfalls of an information security programme.

One of the key failures of security change management is that it is perceived as a project instead of a programme, and is therefore mistakenly assumed to have an end. Once more unto the breach explains why information security is an ongoing process, using the role of project manager on a programme of change to highlight the various incidents and issues that arise on an almost daily basis – and often go unnoticed.

A major challenge for the ISM is achieving all-important buy-in from their colleagues. Once more unto the breach explains how to express the importance of the tasks you are undertaking in language that executive management will understand. You'll also discover the importance of having a camera with you at all times.

For too long, security has been seen as more of an inhibitor than an enabler. Once more unto the breach is an invaluable resource that will help you improve this perception, and achieve better overall information protection results as a result.

Available in PDF and ePUB format, catalogued under Computer Science & Cyber Security.

Information

CHAPTER 1: AUGUST - PULLING A TEAM TOGETHER
It’s not a project …
The most important thing to remember from this book may very well be that there should be no more information security projects, but rather programmes. What we, as information security professionals, are ultimately delivering are programmes of change across our organisations. All the security breaches that have dogged the second decade of the 21st century appear to have been as a result of operating at odds with the importance of the key elements of security (i.e. maintaining the integrity, confidentiality and availability of information assets). This book will not repeat detailed definitions of information security per se – there are many, many resources available out there to do just that. In particular, the reader is referred to the 10 domains of the common body of knowledge (CBK) for information security, maintained by the International Information Systems Security Certification Consortium ((ISC)2). But for the sake of clarity, here is a quick reminder of what are considered to be information assets.
Information assets include:
• paper-based systems and hard-copy reports
• telephone conversations and instant messages
• internal and external post
• information on fax machines and printers
• information on laptops and palmtops
• information on hard drives of all sorts, including stateless
• information stored on CDs, USBs, DVDs, disks and tapes
• information on servers and workstations
• information transmitted over networks.
This book is designed for a readership that appreciates operating in a paradigm that knows and understands something of the expectations of information security – i.e. that the task at hand is very much more about the people and the processes involved in information asset protection than it is about the information technology used to support these. In fact, it is often the case that the ISM is not a technical expert in any of the technologies being used, or intended to be deployed, across the network of the organisation for which they are providing security advice. The ISM needs to know about the requirements and how best to achieve them, and to understand all sorts of peripheral issues, rather than the specifics of each and every technology. It simply isn’t possible, and in many cases, this is why it is necessary to have IT security administrators, security architects and many other roles, as well as the ISM – i.e. the responsibility should not rest on just one individual.
While it is true that the role and its functions started out in technology, as data security has matured into information security the skills and role profile have matured too. For an organisation to benefit from the possible outcomes of dealing with the plethora of information-related challenges being faced on a daily basis, the ISM role needs to be one with a broader reach and a broader skill set.
So, the idea in these chapters is to provide an insider’s view of what it is really like to operate as an ISM, in a real organisation dealing with everyday challenges. By using the role of ‘project manager’ on a programme of change we will highlight all the various incidents and issues that arise on an almost daily basis – many of which often go unnoticed. Consider reading this book as the equivalent of a training ground of things to watch out for, in case you ever find yourself blinkered and starting to miss the smaller things. This is very much akin to missing the flapping of the proverbial butterfly wing and, thus, not spotting the fact that a storm is coming down on you, as a result of having missed the small detail earlier on.
When you are set the task of delivering a particular project, your team members will always be a significant part of the success or failure of that project. One of the key failures of security change management is that it is perceived as a project, and, thus, by its very nature is assumed to have a beginning, middle and an end. In reality, security is something that needs to be baked into an organisation and, thus, embedded into its fabric – and because of this, it lends itself more to a programme than a project because there is no real end to these activities; security will ultimately be constantly changing in order to adapt to the information risks that present themselves along the journey.
When an organisation has a project focus all of the time, it seems that there are ‘meetings about meetings’ plus project plans and reports to be maintained constantly, usually at the expense of doing the actual job that needs to be done. It’s a very difficult path to be negotiated, between playing the political animal and delivering on the requirements of the job. It is better if the ISM stays focused on actually seeking to implement controls that will provide the best protection possible for the information assets of the organisation employing them.
Another key challenge continues to be the issue of finding information security ‘buried’ in IT, when the clue is in the ‘information’ bit, rather than the ‘security’ bit, as it were. The realm of information security cuts across all aspects of the organisation and its operations, therefore you need to have a degree of influence and oversight across all elements of operations that rely on information sources in order to deliver and progress. What, in reality, does that leave out?
Make friends and influence people
By now, most organisations should already have information security best practices implemented to some degree in the organisation. However, there are still many who have it buried in IT in such a way that the struggle to implement the necessary safeguards is an ongoing one, and new projects are set up to try and achieve compliance with external legislation, regulations, standards, contracts or government-led requirements that must be adhered to. In order to be truly effective, these initiatives require constant explanation as to why you need to be linked into various activities and other change-related projects that you may stumble upon along the way.
The ISM role also requires a level of listening. At this stage, in so many organisations, there have been many, many change programmes. This can lead to fatigue being experienced, so people can tend to be resistant to any further attempts at delivering on change programmes. Therefore, the best way to ease the forward momentum required is often to allow people a short period of time to get those issues that they feel are blocking progress at the present time off their chests. Early scheduling of introductory meetings helps to get this listening phase out of the way. The ISM cannot afford to be either a wallflower or a shrinking violet! You need to be out there, amongst the people, as it were! Once you have heard the issues you can usually implement solutions that you already had in mind, as the concerns are usually not difficult to address; or, indeed, you can frequently point out to people that there are already controls and safeguards in place that may not have been adequately explained thus far, but that are likely to be appropriate for providing protection.
You have to show a certain level of commitment to delivering on the change in order for people to start to buy into the idea that things are going to be different. The ISM has to be seen to realise some quick wins as early as possible in the life cycle of the intended change programme. Actually, the ISM has to be seen to live and breathe security in all that they do, day in and day out: always wearing their employee (or equivalent) badge; always encrypting their data; always backing it up, etc. If you consider all the controls we ask our users to bear in mind on a daily basis, the ISM really must be seen to be doing them, and doing them well and with ease in order to prove that security need not be a hindrance and to evidence that it has both value and meaning. You also need to have almost a superpower of awareness – we will continue to delve into this in the forthcoming chapters.
Given how much ‘transformation’ everyone has been going through for more than a decade now, it is always helpful to ensure that you have adequate background information on the organisation and its cultural make-up and challenges, including what’s worked before and what hasn’t in the realm of change management. You will need help in galvanising the resources, communicating the changes, etc., including from those folks in human resources, training, corporate communications, etc. You’ve got to make links and friends across the entire organisation, way beyond the expected IT/ICT restrictions.
In larger organisations there are usually people responsible for the issuance of corporate policy, who also need to be positively engaged. If this is not the case, some level of governance review of policy must occur at your information security management forum (ISMF) meetings, which you should schedule on a regular basis. All updated documentation should be required to have some level of management sign-off prior to release into the operational environment.
Writing policy in isolation from people will render it doomed to failure, so it is vital that this work is done in conjunction with key stakeholders. You need a wide portfolio of support across the organisation. With any element of security change to your secure infrastructure, amendments to policies, procedures or controls are usually required, and it is vital that these changes are made in order for them to be embedded into the fabric of the organisation and accepted as things that are connected to the disciplinary process. There need to be obvious and active consequences for failures to adhere to policy. The ISM cannot administer this, as that is tantamount to marking your own homework. This is why, in particular, you need to have engagement with colleagues in human resources. They need to understand the requirement to ensure that employees have job responsibilities identified for information security and that these are measurable within their annual personal development plans (or whatever your equivalent is). This may also require the input of colleagues from training to ensure that relevant learning objectives are measured by individuals and updated annually.
An interesting source of assistance is the ICT help/service desk – or whatever it is called in your organisation. Get the management of this area on side early, understand how many people are normally operating it, and establish what their level of understanding is with regard to information security issues. Is it, for example, that they get increased calls for password resets after significant holiday periods (Christmas, summer, etc.)? What other key issues are they constantly receiving queries on? You need to identify these key elements and frame them in language that explains that they are part and parcel of delivering good information security for your organisation. This will enable the help desk staff to see where you are coming from (your paradigm), and hopefully to better understand if your change agenda ultimately involves increased help-desk calls as a result of confused users not quite understanding the message you are pushing. This is so often the case, usually in spite of the hours you have spent painstakingly explaining the changes to their managers, and to them, through e-mail notifications, newsletters and intranet bulletins, etc. – i.e. doing all that you can! You can further help the help desk by providing them with cheat sheets and FAQs to make sure that they have the right answers to hand for each phase of your security change programme. This will help both their understanding and the level of service they are giving to the user population – a win-win all round.
Befriend the installations team, too. Depending on your organisational set-up, you may have the luxury of still having one based internally; otherwise, it may be an outsourced function. Either way, it is valuable to get to know the teams who are actually going out to your various office locations and having interaction with your users. They should be able to provide some level of interesting feedback with regard to how your infrastructure is being used ‘in the wild’, looked after (or not), treated, handled, managed, etc. They may have many war stories they can recount that will provide you with a wealth of information regarding the reality of your user base in terms of their level of PC literacy, and such knowledge can pay dividends when it comes to key changes you may wish to implement further down the line.
Make friends with the database administrators (DBAs) too. They hold great insights into the systems that they guard with regard to user behaviour, incidents and experiences. Equally, the DBAs will need to be kept abreast of back-up and recovery strategies and requirements, and will need to ensure that they have documented their activities and best practice with regard to system management for the systems for which they are responsible. Such input and resources will be invaluable to the ISM.
You need to make sure you are closely aligned with the other compliance functions in the organisation: data protection, freedom of information, risk, ethics, legal, records management and information governance. These may be separate or combined functional resources. If you are lucky, you will have some responsibility in all these areas. While this can sound daunting, it is ultimately where the profession is heading, as oversight of all the elements of information asset protection provides the best chance of ensuring you can provide the required amount of information assurance for all involved.
External providers may also be important to the delivery of a successful infrastructure security change programme, e.g. kit providers, and recycling and destruction providers. We will return to the latter, in particular, in Chapter 3.
The corporate communications team is a really important strand in all this. If you are lucky, it will be large enough to have marketing and communications people amongst its number on a permanent basis and will be well used to structuring messages (both good and bad) and understanding the kind of tone and delivery that suits your organisation. You are going to be expecting a change in behaviour from all your users (or at least that’s what you should be aiming for) and, thus, you need to engage with them from a number of vantage points – i.e. what’s worked in the past, what hasn’t and, thus, what might work in the future as part of your communications roll-out. You need a theme, a strap line, a motto, an avatar, etc. All these elements can make your programme of activity appear more real, tangible and visible across the organisation. The users need to feel that they are part of something. Belonging is a core human nee...

Table of contents

  1. Cover
  2. Once more unto the Breach
  3. Title Page
  4. Copy Page
  5. Preface
  6. About The Author
  7. Acknowledgements
  8. Contents
  9. Introduction
  10. Chapter 1: August: Pulling a team together
  11. Chapter 2: September: Street trash
  12. Chapter 3: October: Compliance may be only skin deep
  13. Chapter 4: November: How remote is remote?
  14. Chapter 5: December: Oh, for the sake of yet another proposal
  15. Chapter 6: January: A battle won
  16. Chapter 7: February: Money doesn’t buy happiness
  17. Chapter 8: March: Slipping through the net
  18. Chapter 9: April: Linking InfoSec with InfoGov
  19. Chapter 10: May: Politics and management
  20. Chapter 11: June: What the auditors shouldn’t know
  21. Chapter 12: July: Journey’s end… and conclusion
  22. Appendix 1: Security Awareness Themes
  23. Appendix 2: ISM Activities
  24. Appendix 3: Resources
  25. ITG Resources