Rethinking Information Security: Align vs. Govern

There is little doubt that information is fast becoming ubiquitous. In its digital form, you can have access to information over your desktop PC at home or work, your mobile laptop, your phone or even your entertainment system in your living room. The virtual boundaries between “home” and “work” and other environments are fast disappearing. There are even exciting technologies to help “mesh” everything together so everything is available to you instantly on a wide variety of devices. And the trend is not showing any signs of slowing down with new ways of interfacing with devices that open a new gateway to this cloud of information; can’t help but plug the very exciting and recently introduced Project Natal right here! :)

Naturally for us, as the information security group, the question was one of trying to ensure the security of all this information. How do we ensure the right information security risks are being identified and managed effectively? From here, it’s very easy to start down the road asking questions around the enforcement and governance of controls to manage these risks in compliance with our policies. However, we took a slightly different route.

Instead of trying to govern the business, we decided to try to align with the business to help manage information security risk. The difference is subtle but an important one for us. What this essentially meant is that we had to stop looking for just the problems and instead start looking for the opportunities that the businesses are trying to capitalize on and partner with them to achieve success. There are two things we did to help solidify this concept and to drive this as a culture within our group. The first was to set an appropriate mission statement: enable secure and reliable business for Microsoft. Second was to come up with what we call the R3 Model for our execution.

The R3 Model outlined the 3 key pillars or priorities for us that we operate by:

  • Risk
  • Reputation
  • Fiscal Responsibility

The risk pillar is the most obvious pillar. We are an information security group and are responsible for managing information security risk for Microsoft. The reputation pillar meant for us that we are going to actively prioritize the customer experience. Tactically what this means is that we of course survey our customers to gauge satisfaction levels and also reach out for testimonials to figure out what we need to improve on and learn what we do well. Fundamentally though, what this means is that our culture is not to “rule with a stick” or just go around enforcing policies. Instead, we want to earn the trust of our partners that allow us to provide services for them in an effort to help manage the information security risk within their business. Third of course is fiscal responsibility. We have certain fiscal obligations that come with our budget which restrict what we can and cannot do. If we aspire to exceed our commitments, we have to convince our business partners to invest in us.

The key in R3 is that neither one of the pillars is a priority: we consider each pillar to be equally important. And it’s easy to see why:

  1. If we are managing all the information security risks that come our way and have a stellar reputation but aren’t meeting our fiscal obligations, we’re not going to be in business.
  2. If we are managing all the information security risks and managing to our budget but have a horrible reputation, we’re not going to stay in business.
  3. If we have a stellar reputation and are meeting our fiscal responsibilities but aren’t managing risk, we’re in the wrong business.

Examples of success with R3 include cases when business units come to us and fund us to conduct assessments or develop solutions for their needs. There have even been cases where we were funded to develop awareness campaigns for business units in helping drive messaging around key information security risks. Under R3, we are given the opportunity to realize win-win situations with the business where we can align with them rather than trying to govern them from outside.