Warning: this interview with Marco Koelmans (CISSP, CISA, CISM) will tell you exactly where ITIL misses the security boat.
1) In the past 10 years many ITSM/ITIL practitioners have been talking about IT Security Management, but it sounds like Chicken Little: “the sky is falling!”. In your opinion – what is it that ITIL/ITSM practitioners are missing about IT Security Management?
I don’t want to make general assumptions but I find IT Security Management isn’t understood very well. Maybe that is because the name doesn’t really do the profession justice.
IT Security Management isn’t about IT, nor about Security. It’s all about business and risks.
As soon as you start doing business, your organisation faces risks. We have laws to abide by, and if we don’t abide by those we’ll get fines, lawsuits, bad publicity, etc. In addition, when we work with customer data, like medical data or bank account information, we might attract the attention of cybercriminals.
And what about that employee that you let go last week and who decides to take revenge by copying your customer database and selling it to your opponents? There are many risks which can threaten your business, causing financial loss or damage to your reputation.
Most of these risks relate to confidentiality of data, integrity of data and continuity of your business processes. There is no point in putting security measures in place without first assessing what risks they might mitigate.
If you truly want to help the business: help them in defining the value of IT systems and components to their business processes, then help them to determine what actual risks they face.
Next, help them to determine which countermeasures are possible and which countermeasure gives the most value to the business while you will be managing their risks.
THIS is what IT Security Management is all about. If you don’t take those steps, then you will act as if the sky is falling. So, help the business in facing their actual risks, and examine and mitigate those instead of acting on fear alone.
2) In your experience – where does the ITIL V3 framework help with the awareness and realisation around IT Security Management?
Assuming ITIL is implemented well, we can add Security Services to the Service Catalogue.
By integrating the Security Management process with the ITIL processes and overall Service description, we assure that there is enough attention given to the Risk Management process. Security is an aspect that we have to think about in all facets of IT Services. It starts with our architectural design but security should also be part of our software development (and programming) as well as our Change Management process and our Incident Management process.
Consider a Service Desk employee. He is supposed to be of service to the customer, however I can easily contact him to request a new password for the company’s computer system if I know a name and an address and maybe a date of birth. (Oh wait… I could just find all those things on my social networking site…). I don’t even have to be an actual employee of the company to achieve this!
Every ITIL Process has security aspects in it. Therefore security has to be in our everyday consciousness because IT enables good things but also bad things. Never in the history of business could we so easily process the amounts of data we do now. And never before were we in a situation where the amount of data that could be misused was as big as today. ITIL is all about processes and doing the right thing at the right time.
That is how Security Management should be implemented; it has to be related to all other processes.
3) And where is ITIL V3 missing the mark? What other frameworks / standards / methodologies are a must have for security smart Service Managers?
I’m not sure about ITIL V3, but when Security Management was introduced within ITIL V1 by the CCTA after Pink Roccade (amongst others) lobbied for it, I was excited. At last Security was getting the weight it deserved within ITIL. Security Management had its own process – this had to be good.
Unfortunately when I attended the Security Management Practitioner course (I already was ITIL Service Manager certified) I was extremely disappointed.

Within Availability Management we had a subprocess called Security Management. This didn’t change.
Security Management was talking about aspects that were also addressed within Availability Management, Business Continuity Management and Software Control and Distribution.
These aspects and this sub-process however weren’t changing anything in the other processes. That meant that the original purpose of ITIL (working in a process manner and doing the good things at the right time and not doing them twice) was ruined. That was a disappointment for me. I would recommend taking the original goals of ITIL and abiding by those.
Rather than only relying on the Security Management sections from the ITIL framework, I recommend that a “Security Smart” Service Manager has a good Security Manager in the neighbourhood.
A good Security Manager has a thorough knowledge of standards for Security Management. The worldwide standards for Security Management are ISO 27001 and ISO 27002. They are founded on the British Standard 17799, which in turn was based on a Dutch best practice: the “Code voor Informatiebeveiliging”.
Security Professionals also work a lot with the COBIT framework, so if one knows that, that is a benefit. A Service Manager would benefit from overall knowledge of both the standards and COBIT.
4) From your experience – what are the top 3 things small to medium businesses should worry about in relation to IT Security Management? And how is this different for large enterprises?
- Know your business processes
- Know the value of your assets to your business process
- Know the risks you are facing (vulnerability and probability)
That is the same for all businesses. Security measures should be in balance to the risks they mitigate. If a security measure costs you $100,000 and it mitigates a financial loss or reputational damage of $50,000, don’t take the measure. If security measures take up 80% of your total IT budget and if they mitigate 10 times as much loss, then take them.
Current developments are also causing new security problems. For instance: If you put your data in a cloud environment through a SaaS provider, you need to ask yourself a number of extra questions:
- Where are its data centres?
- What legislation do they work under?
As an example: look at the difference between European legislation and US laws. It can be against European legislation to store certain data in US data centres. It is important to know what happens with your data and what laws you have to adhere to. This is just an example, but it shows aspects that many of the smaller businesses don’t think about when choosing these kinds of solutions.
5) We did the IT Service Management training together; what made you switch to Security Management?
Well, I guess I answered part of that in question 3. I know one of the things that attracted me to ITIL was the bridge it was trying to make between business and IT. Make IT create value for the business. Deliver the agreed (and the not agreed but obvious) quality to your customers.
When you look at IT Security there are several gaps between groups of people. Technicians think in Firewalls and User repositories, Auditors think in compliance. They don’t speak each other’s language. Business talks about commercial opportunities, risk managers talk about horrible risks (but what are the chances?). They also don’t speak each other’s language. There are a lot of gaps that have to be bridged. That is one hell of an interesting job.
Marco, thank you very much for your input and for helping us understand more about the specifics of IT Security Management.
Marco can be followed on Twitter: http://twitter.com/mkoelm
The photo of the lady with the candles was taken by Marco – for more examples of his photos, please visit his gallery.