T 2.66 Inadequate security management
The large number of methods and procedures for handling, processing, and storing information in business processes can quickly result in incorrect estimates of the protection requirements of business-critical information, and therefore in the inadequate protection of this information. For this reason, it is essential to use an organised approach for the planning, execution, and monitoring of the security process. Experience shows that it is not enough merely to require security safeguards to be implemented, because the individuals concerned, and especially the IT users, are often overwhelmed due to a lack of technical expertise and a lack of time. As a consequence, they often fail to implement the security safeguards at all, and the level of security reached is unsatisfactory. Even when an adequate security level has been achieved, it is still necessary to continuously adapt and improve the security process so that this level can be maintained at all times during ongoing operations.
Inadequate security management is often a symptom of poor overall organisation of the security process. Examples of specific threats resulting from inadequate security management include the following:
- Lack of personal responsibility: If an organisation does not assemble a security management team or does not appoint an IT Security Officer and personal responsibility for the implementation of individual safeguards is not clearly defined, then it is likely that many employees will deny their responsibility for information security by pointing out that the next level in the organisational hierarchy is responsible. As a result, the security safeguards are not implemented because their implementation is almost always considered at first to be an additional load on top of their routine work.
- Lack of support from management: The IT Security Officers are not usually members of top management. If the persons responsible for security do not receive unconditional support from management, then it may be difficult to effectively require the necessary safeguards to be implemented by the people directly above them in the organisational hierarchy. In this case, it is impossible to fully implement the security process.
- Inadequate strategic and conceptual specifications: Many organisations will create a security concept, but in many cases only a few insiders will be familiar with its contents. As a result, the specifications are knowingly or unknowingly not followed wherever organisational time and effort would be required. When the security concept contains strategic security objectives, these objectives are often regarded as a mere collection of declarations of intent, and as a result adequate resources are not provided for their implementation. In many cases, it is incorrectly assumed that security is produced automatically in an automated environment. Damage events in the organisation or in similarly structured organisations will occasionally trigger more or less fervent activity in which, at most, only some sub-aspects are actually improved.
- Inadequate or misdirected investments: The management of an organisation must be informed regularly of the security status of the business processes, IT systems, and applications, as well as of existing shortcomings, in security reports containing clearly defined priorities. Without adequate information, management will make decisions based on the wrong assumptions. It is likely in this case that management will not provide enough resources for the security process or that these resources will not be used properly. The improper use of resources can result in a situation where one area has an excessively high security level while other areas have serious security shortcomings. It is commonly observed that expensive technical security systems are used incorrectly and are therefore rendered ineffective or even pose a security risk themselves.
- Inadequate enforcement of security safeguards: To reach a consistent and adequate level of security, it is necessary for various areas of responsibility in an organisation to co-operate with each other. A lack of strategic guidance statements and unclear objectives can lead to different interpretations of the importance of information security, among other things. Consequently, it is possible that the areas of responsibility required to co-operate with each other will not assume the task of providing information security due to a supposed lack of necessity or poor prioritisation, and therefore that it is impossible to enforce the implementation of the security safeguards.
- Failure to update the security process: New business processes, applications, and IT systems, as well as new threats, are constantly affecting the security status of an organisation. If there is no effective auditing concept available that also raises awareness of the new threats, then the security level will drop accordingly. As a result, the security level actually achieved will slowly erode, leaving behind a dangerous illusion of security.