IT Systems Security Manager – Just a Pretty Signboard


For some time now, the normative acts of the Republic of Latvia have required that institutions possessing state information systems appoint a security manager or ensure that function through outsourcing.

The purpose of this requirement is, in general, to raise the overall security level of state information systems, to draw the attention of institutions to the importance of information systems security, and to examine its overall impact on the daily work of an institution. An institution, acting through its information security manager, should therefore raise the security level of the information and information systems in its possession, develop its internal and external control system, and raise its employees' awareness of the importance of information security, while providing all the support needed to implement and operate an information security management system in daily work.

It all looks good and correct on paper. Unfortunately, practical experience shows that the majority of institutional managers to whom this requirement of Latvian normative acts applies see it as unnecessary bureaucracy and a waste of resources.

As a result (although very good examples can be found too), in a large part of state administration bodies the information security manager is engaged only formally, and in practice:

  1. their work receives very limited support, or none at all, from the management of the institution;
  2. the information security manager is involved only “on paper”;
  3. the information security manager in practice carries out the duties of an IT specialist;
  4. no information security manager is appointed at all.

This situation completely devalues the role of the information security manager and leads to a situation where the security manager is merely a signboard to be shown when the institution is audited, while in practice the role does not produce the desired result.

Given this situation, a logical question arises: how can one ensure that a security manager really carries out the functions and duties of the position?

In this case one should not point at the normative acts of the state and start thinking about what should be changed there. The provisions of the normative acts are adequate and provide enough support for introducing information and information systems security management.
The primary focus should instead be on changing the understanding of institutional management about security management issues and their importance in daily work, because if a working relationship “institution management – security manager” is established, in which the security manager gets the necessary support for carrying out his duties, then the remaining problems will also disappear or their influence will be substantially reduced.

Unfortunately, this brings us to another question: how to change the attitude of institutional management?

There seem to be two possibilities. The first can be considered the good one, the second the evil one. The good one provides that institutional managers are obliged to attend conferences on information and information systems security topics at least once a year, for instance conferences organized by CERT.LV or ISACA, which would foster the institutional management's understanding of information security. The evil one, however, prescribes accountability of institutional managers in cases where essential shortcomings in information systems security management are discovered during an audit.

Of course, implementing the evil scenario sounds like a call for punishment, but unfortunately I must conclude that practice shows that, as long as there are no concrete cases of institutional managers being punished for discovered shortcomings that could be brought to light, top managers turn a deaf ear to the information security manager's warnings about potential information security risks and their possible consequences for the institution.

Consequently, I would like to hold on to my conviction that the situation in Latvia can still be changed with the methods of the “good scenario”, and that institutional managers will bear in mind that the information held by their institutions can also be an attractive target for unwelcome guests.