Welcome to part two of our critical infrastructure podcast series with Raj Samani, Vice President and Chief Technology Officer for McAfee EMEA. Raj previously worked as the Chief Information Security Officer for a large public sector organization in the U.K., and during this podcast we discuss the question of accountability within critical infrastructure. If you haven’t already, be sure to go back and read or listen to part one here in the blog, and check out the full part two podcast on YouTube and at the end of this post.
Raj, last time, we talked about cloud computing for critical infrastructure. Now, let’s really move into this whole notion of accountability. The simplest question I can think of is: Who really owns the risk?
[Laughs] That’s a controversial question. I guess it depends on who you ask. We had a number of issues with some very high-profile data losses in the United Kingdom. Certainly in the US, you probably saw some of these come out.
If we look at it from a standards perspective and from a regulation perspective within public sector, the senior information risk owner invariably is the business. That’s the question: Can you really ever outsource the risk? If we look at the legal definitions of data processors and data controllers, I’d say probably not.
I would say invariably, it is the business, but I have been called naive. I was at a dinner last week with about fifteen CSOs, and I actually made that comment. I made the statement that I believe it’s the business that owns the risk, and that the information security department is effectively a consultant to the business. They all kind of looked at me and said, “Yeah, but that doesn’t really happen.”
OK, fair enough, fair enough. Let’s dig into this a little bit. What are some of the regulatory requirements that you’re seeing not just in Europe, but in the US and elsewhere, associated with accountability, especially as it relates to public sector?
I’m going to really embarrass myself and not be able to name the specific control within the ISO standard. In the ISO 27000 Series, I think it is the first control that basically says that you need to have the support from senior management with regards to an information security management system.
That says a lot… I think it is the first one, and I’m sure people can jump on Twitter and say, “No, you’ve got it wrong.” That really sets the scene. When it comes to information security, as anybody that’s been practicing security will tell you, your job is almost impossible if you don’t have the buy-in and the support from senior management.
As we know, the ISO 27000 Series is effectively one of the most widely used standards out there. More specifically, though, there has been some work done, certainly in the UK, with regards to the data handling review. What that’s kind of saying is, “Well, when it comes to information risk, who is the ultimate owner?” What was proposed there is that organizations should nominate a senior information risk owner, in other words, the buck stops here.
But interestingly, the recommendation that was made was that there should effectively be somebody on the board – likely, the CIO, the chief information officer. Then, of course, you have a cascading system whereby you would have individual information asset owners and those individual asset owners would then report the risk up to the senior information risk owner.
In my mind, it is certainly the business that owns the risk. Now, it’s interesting you talk about standards and you talk about regulations. Principle 7 of the Data Protection Act says that you, the data controller, have to ensure that the data processor has the appropriate organizational and technical measures in place. What that means is even if you, for example, use a data processor, even if you use a third party to process the data that you have in your organization, you still have to perform the due diligence to ensure that they have the appropriate controls in place.
This kind of comes back to my catchphrase, which is a pretty sad catchphrase: You can outsource the work, but you can never outsource the risk.
Raj, again, thanks so much for your input on this topic.
Thank you, Brian.