I was going through a few different RFPs (Requests for Proposal) and was again struck by the complete lack of non-functional requirements embedded within most of them. The desired functional requirements are all described in excruciating detail; however, there are no specifications for information security (beyond a statement in one RFP that security is important).
Why are organisations failing to specify information security requirements to the same level of detail as functional requirements? What is missing from the internal RFP production processes at most organisations? Are organisations only paying lip service to Information Security, or do they really have their heads in the sand?
I’m not sure what the problems are at all the various organisations, but it wouldn’t surprise me if the problem starts at the Board of Directors. Boards need to take responsibility for Risk Management and specifically for IT Risk Management. Most boards have an audit committee, but either they don’t have a Risk Management committee or, if they do, IT Risk Management is simply not on its agenda. Without this senior oversight, I’m pretty sure that RFPs will continue to miss key non-functional requirements, including risk management, information security, and business continuity.
The other significant contributing factor is the lack of an independent Information Security function. When the Information Security function (a risk management function) is embedded within IT (an operations/delivery function), information security will play second fiddle. Compounding this problem, when Information Security is buried within IT you will usually find a more junior practitioner in the position, one who lacks the business acumen to articulate the risks and who bends to the will of the operations side of IT. This is particularly dangerous when the Board and Senior Management are not taking active responsibility for understanding and managing IT risks.
What’s the answer? I think it is pretty clear that Boards need to become more active in performing their fiduciary responsibility to their stakeholders and in improving the state of IT/Information Risk Management. I also think that organisations need to move Information Security out of IT. Just as Internal Audit is not buried within Finance, so that it can perform its independent role in protecting the organisation, Information Security cannot be buried within IT if it is to perform its critical role of identifying and managing the risks to the organisation and providing independent security oversight of IT (especially of those IT personnel with full access to everything stored on computers – privileged users).
