Governing Information Security

Following the much publicised MSD breach last year, the Government CIO initiated a review of publicly available information systems in all of the NZ Government agencies.

We expect the recommendations of that review to be published in the coming weeks (or months), but we have some thoughts on what we hope it will endorse. In our collective experience at Axenic, both here and overseas, what separates those who have good information security from those who don’t is, in almost all cases, good governance and an appreciation of information risk management as a business discipline. Boards and senior leaders who understand that protecting information assets is about making decisions based on consistently measured risk and an understanding of the business risk appetite are at a distinct advantage: they are then able to fully exploit their information resources to drive business success, confident that they have a sound control environment. The challenge is educating this top tier in what their responsibilities are and how to discharge them.

The report into the MSD breach was interesting because it identified the risk management process as the cause of the incident, on the grounds that senior management were not aware of the risk posed by the kiosks. For me this confuses cause and effect. The flawed risk management process was the effect of absent governance that did not demand full disclosure of risk or promote a culture of risk awareness and management. This isn’t unusual, as many executives do not know the questions they should be asking.

As an executive or board member I would want to see risks, and broad treatment plans or strategies for those risks already deemed too high to tolerate based on the appetite set. I would want to see metrics and management information that assured compliance with defined control sets, and I would want evidence that portfolios of change were subject to quality gates which ensured that risks identified in change programmes were managed and handed over as part of operational readiness rather than forgotten in the rush to delivery. Finally, I would want confidence that my senior management team had the skills and experience necessary to make these things happen and to lead and advise the board on information security issues.

So, back to the recommendations from the Government review: if you hadn’t guessed, we’re hoping for a focus on better governance and risk management.