
Changing the Conversation - New College › sites › default › files › ... · 1 Changing the Conversation Articulating the Value of Programmatic, Holistic Security by Kim L


Changing the Conversation: Articulating the Value of Programmatic, Holistic Security

by Kim L. Jones, CISM, CISSP, M.Sc.

“An organization does well only those things that the boss checks or causes to be checked.”
-GEN Bruce C. Clarke

“The boss ‘checks or causes to be checked’ only those things which he deems to have value.”
-Kim L. Jones

The discussion started out innocuously enough….and frankly seemed like the start to a bad joke.

“Fifteen security professionals walk into a bar…”

I founded the informal CISO group in Phoenix many years ago, to allow local CISOs to network, share ideas, and commiserate about issues and challenges under Las Vegas/Chatham House rules. No vendors allowed (unless they’re buying the beer), and others allowed by invitation only.

At one of these gatherings, one of our colleagues brought his friend: the CIO of a manufacturing company here in the town. He had a problem and was looking for advice and counsel from people who spoke and understood security. The basic issue was that the company was getting ready to sell their product into the federal space and needed to certify its operations against NIST 800-53 – a fairly exhaustive and comprehensive standard. While the sales strategy had been approved, the CIO was struggling with how to sell this initiative into a very freewheeling, innovative culture.

As CISOs, we jumped at the problem and provided what we thought were good and reasonable answers. We talked of strategic alignment with the business objectives…return on investment…protection of intellectual property…shoring up overall confidentiality-integrity-availability within the organization…risk management…competitive advantage. To every solution we offered, the CIO responded with the same phrase:

“I hear what you’re saying, but we value the ability to freely innovate in our company.”

In the end, we were forced to fall back on requirements for market entry – in other words, compliance – as the only solution we could offer. This left the CIO unsatisfied…as it did me. Think about it for a second: fifteen senior security leaders with a combined two centuries of experience, and we weren’t able to come up with a credible and compelling answer to offer a senior technologist who was asking for help.

I chewed on this problem for a long time, as to me it typified some of the conversations that we regularly have with business executives in our various roles. After several weeks, I realized the subtext of concerns that I and my colleagues were failing to answer. If I were to summarize the between-the-lines conversation that was occurring, here’s what the CIO was really saying:

- Security is counter-intuitive to the existing values of our culture.
- Implementing security requires us to change our culture significantly.
- The value/ROI gained by this implementation might not outweigh the values lost or impeded by implementing security.
- I’m not certain, though, because you have yet to articulate the value of security in a language that I both understand and find compelling.

That last bullet is of particular importance. Despite the CIO’s high value on the culture’s ability to freely innovate, this freedom did not include, for example, allowing new engineers to unilaterally make a $1 million commitment on behalf of the company without appropriate process, checks, and balances. Clearly there are competing values at play within the company that are viewed as having merit to the leadership team. As security professionals, we failed to express the value of programmatic, holistic security in a language and manner that was truly meaningful to the audience (the visiting CIO)…

…and I would contend that this is often the case.

I am proposing that we change the conversation with our leadership to one of value and begin to discuss injecting the security values which we champion into the DNA of our organization’s operating models and culture. If we can have this conversation freely and openly, then discussions around tactical implementation measures become less contentious. More importantly, we can now move the discussion to issues of security versus compliance and the value of focusing on this larger issue.

What follows is an attempt to define the values of a good security program in clear, easy-to-understand language. I have also provided operational tenets and statements around those values in order to promote and ease the conversation. It is my hope that this material can be used to change the dialogue around security into a more constructive and thoughtful discourse.

The Concept of “Value”

The definition of “to value” is something upon which most individuals can agree. When you discuss “the value,” though, things get a little fuzzy. Everyone talks of values and their import; ask people to define what a value is and people tend to provide a circular definition which provides little clarity to the discourse. For the purposes of this dialogue, I did some research into the topic. I do not claim to have the be-all-and-end-all answers to this question, but hopefully my definitions and terms can be seen as reasonably accurate.

At its most basic, a “value” is a concept that is fundamentally important to someone – with someone being defined as an individual, group or organization. If I were to go to something a little more structured, I would look to the definition offered by Dyer and Dyer: “a value is the embodiment of what an individual or organization stands for.”[1]

Organizational values may either be stated or implied – and are usually some combination of both. An organization or group may have stated values of Quality, Innovation, Integrity, and Customer Service; however, there may be other unstated values such as Candor, Legality, Safety, and Speed-to-Market.

Figure 1

The interrelation between values within an organization is always interesting. No set of values wholly aligns with one another when operationalized; there is a healthy and (hopefully) supportive tension between the values of any organization – though when stated and unstated values enter into unhealthy conflict, it is usually the unstated (implied) value that wins.

[1] Dhar, Santosh and Dhar, Upindor (editors). Value Based Management for Organizational Excellence. New Delhi: Indian Society for Training and Development, 2009.

Figure 2

For example, if the stated value is Quality, whereas the unstated/implied value is Speed-to-Market, organizations will more likely sacrifice quality assurance and testing in order to get their product out the door faster.

Values are an important part of any culture, where culture is defined as “the philosophies, ideologies, values, assumptions, beliefs, expectations, attitudes and norms that knit an organization together.”[2] It is important for security professionals to remember that deploying or changing a security implementation, by definition, changes the culture (even if only to a small extent). This is why something as simple and straightforward as implementing a shredding policy or badging policy can meet heightened levels of resistance within an organization.

Having a value is one thing, but what does this value mean in our day-to-day lives? Most individuals and organizations create a set of operational tenets based upon their values which allow us to take the somewhat esoteric concepts embodied within a value and provide us with guidelines for action and behavior. If the value is Safety, for example, the operational tenet might be “do it safely or don’t do it at all.” If the value is Quality, then one of the operational tenets might be “there is always time to do it right.” Operational Tenets are the directional statements of belief which are designed to directly influence behavior, attitudes, and outcomes within an organization.

It is important to remember that every decision an organization makes is influenced by its collective values. No organization or individual willingly acts against the totality of its values system (what I call its values construct).

[2] http://academlib.com/3030/management/organiational_culture

Security and the Values Construct

Most organizations have security as at least an implied value if not a stated one; after all, most organizations do lock their doors and keep their intellectual property out of the public domain. Programmatic, holistic security, however, is something with which most organizations struggle. This might manifest itself as either the lack of willingness to create a function focused on security, or a desire not to make improvements to an existing security posture. Whereas a business might be comfortable locking their doors, they might balk at the concept of having a minimum standard set for that lock and inventorying the keys to that lock every six months as part of a programmatic approach.

When security professionals are confronted with the (reasonable) question of why improvements are needed to the current security posture, our answers invariably link back to the concepts of availability, confidentiality, integrity, and/or risk management. These answers do not completely satisfy our critics, as they do not address the unasked question of, “Why is what I am doing now no longer good enough?” When our critics press us for the answer to this implied question, many security professionals default to answers centered around regulation or compliance.

Figure 3

This conversational paradigm converts the value of our security programs to that of achieving compliance, versus making our environments secure. In other words, the implied value achieved by programmatic, holistic security is to avoid fines and adhere to regulations. Without compliance, our changes provide no value…

…or at least no value that we as a profession have consistently and compellingly expressed to date.

It is no wonder that our changes and implementations meet with resistance within organizations. By defaulting to compliance-based explanations, we fail to place security as a value within the organization’s value construct. Security does not become a driver of the organization’s decisions in such circumstances; compliance does. Any changes, therefore, that we make/recommend which go beyond the minimal compliance standards are considered unnecessary and excessive. Worse, if these changes interfere with the organization’s business objectives in even the slightest manner, they are perceived as obstacles and roadblocks to the organization – in other words, they are deemed to have no value and must be avoided.

The Security Values Construct

What follows is my view on dissecting and expressing the values embedded in programmatic, holistic security.

Figure 4

Each value is broken into two components:

- A statement of the goals/objectives of the value. Every value that we place within our personal or professional values construct serves a purpose; the goal/objective statement reflects that purpose. Candor, for example, might serve the purpose of ensuring the free exchange of ideas and viewpoints in order to stimulate innovative thoughts and ideas.
- A list of the operational tenets of the value. These tenets form the basis of our dialogue around these values and can serve to hone in on differences of belief within an organization regarding the value itself.

It should be noted that all operational tenets associated with a particular value must be accepted/adhered to in order for the value to be seen as relevant to an organization. In many cases, disagreements regarding a portion of the security values construct center around an organization’s lack of belief/agreement with a specific operational tenet. Changing to a values-based dialogue allows for more finite identification of such disagreements and can better focus efforts for achieving compromise or understanding.

Access Control

Goal/Objective: Enabling access to that which is required to perform one’s duties.

Operational Tenets:

- Personnel should have access to the tools and facilities necessary for them to perform their job functions.
- Not everyone should have access to everything.

Notes:

- This value applies to thing-to-thing access as well as person-to-thing access. Thus, application-to-application access, system-to-system access, and person-to-building access are also impacted by this value.
- Most organizations have few problems with the first operational tenet for this value; the second operational tenet may be problematic for more open environments such as universities.

Business Continuity & Disaster Recovery

Goal/Objective: Ensure timely continuity of operations in the event of a potentially catastrophic event.

Operational Tenets:

- In order for the business to thrive, we need to keep doing the things that we do from both a process and technological standpoint.
- Failure to appropriately plan for an operational failure will result in an inability to service our customers in a timely manner, which will negatively impact our business.
  a. “Failing to plan is planning to fail.”
- Not everything that we do needs to come back instantly in the event of an operational failure.
- Everything that we do needs to come back eventually after an operational failure.

Incident Management & Response

Goal/Objective: Ensure the timely and accurate ability to detect, measure, and appropriately respond to potentially harmful events impacting the environment.

Operational Tenets:

- No matter one’s security posture, there will be events and incidents within the environment.
- An unmanaged event has the potential to cause substantial harm to our business and our organization.
- Lack of preplanned incident response procedures will result in an inefficient (if not ineffective) response to the situation.

Notes:

- This value is closely related to the BCDR value, as a business continuity situation is the extreme instance of Incident Management & Response.

Information Protection

Goal/Objective: Ensure that all corporate information is protected at an appropriate level.

Operational Tenets:

- We have information that is unique to our business and/or critical to our success as an organization.
- This information exists in many forms in our organization – and not all of them electronic.
- If this information is exposed to the wrong people or at the wrong time, it will limit/impair our ability to thrive as a business.
- It is important that our information not be erroneously or maliciously altered.

Notes:

- This value addresses the principles of confidentiality, integrity, and nonrepudiation. It also addresses the importance of information in non-electronic forms.
- There is a concept of timing of data exposure addressed within this value as well. Earnings data, for example, are considered extremely sensitive prior to their public release date (at which time they become freely and openly available).

Physical Security

Goal/Objective: The physical protection of corporate assets.

Operational Tenets:

- Personnel should be safe from violence or threat of violence from external or internal personnel.
- Corporate assets should not be subject to theft or damage by external or internal personnel.
- Personal property should not be subject to theft or damage by external or internal personnel.
- Facilities should not be subject to damage or destruction by external or internal personnel.

Policy Framework

Goal/Objective: Ensure clear understanding of the security processes and controls within the environment.

Operational Tenets:

- Every process is based upon “rules.” Policies codify and document these rules.
- In order to ensure understanding, policies should be written down and easily accessible to all members of the organization.
- Policies reflect the desires, values, and objectives of the organization and its leadership.

Notes:

- While the overall objective of this value is to ensure understanding of processes and controls, the operational tenets also clarify the role of policy in reflecting the desires of the leadership.

Risk Management

Goal/Objective: Create and maintain a risk-balanced operational environment.

Operational Tenets:

- Some risks are worth taking.
- We should know the full extent of the risks we are taking.
- We should make decisions only with full knowledge of the risk.
- Risk decisions should be made at appropriate leadership levels within an organization.
- Risk should not be the only reason for selecting or rejecting a specific course of action.
- We should remain fully aware of the risks in our environment.
- Where existing risks are deemed excessive, we should take steps to limit or eliminate those risks.

Notes:

- There is a danger of the “risk management” value becoming a catch-all for all of security. I have tried to cull as many specific items and areas out into separate entities within this values framework to avoid this trap.
- Where I have found the risk management value of particular use is when mapping specific regulatory compliance items to the values framework. There are certain areas within most regulatory requirements which (to date) are difficult to explain/justify within a values construct for reasons other than pure risk management.

Benefits to a Values-Based Approach

The organization and the security professional can reap a multitude of benefits from adopting a values-based approach to a security conversation.

Clarification of Concerns. A values-based discussion of security can lead to a clearer understanding of the positions and concerns of all parties involved. If, for example, a concern exists over access control measures within an organization, then a values-based discussion can determine whether an individual has a fundamental disagreement with one of the operational tenets of the access control value, the mechanics of the access control process, or the outcome of said process. In other words, does the individual:

- Believe that all information within the company should be available to everyone;
- Disagree with how or how rapidly the access process works;
- Disagree with the implementation of access control (e.g., multiple, complex passwords changed every 90 days); or
- Disagree with the removal of their access from some particular room/building/application?

Values-based discussions allow the security professional to more quickly identify fundamental differences with a value, versus a challenge with the mechanics or personal disgruntlement regarding a particular outcome.

Identification of Cultural Dissonance. I use the term “cultural dissonance” to describe potential differences in beliefs between the organization and its individuals en masse. As organizations evolve, there can be large disconnects between the direction of the leadership and the desires of its people. Such dissonance around security can add an additional layer of difficulty when implementing programmatic changes. Surveying the environment to determine where dissonance exists – and the type of dissonance – can dramatically reduce program implementation risk.

Take, for example, the area of physical security. After conducting a simple survey, you find that the organizational leadership values physical security at a “10” (very important) on a ten-point scale, whereas the individual rank-and-file value it at a “1” (very unimportant) on the same scale. In such an environment, the rank-and-file would view any augmentation to the physical security posture as stifling and restrictive; some might even compare their work conditions to those of imprisonment. If the numbers were reversed, however, the CISO would have difficulty implementing even the smallest changes to what is probably a minimalistic physical security structure…whereas the rank-and-file would welcome such changes and probably feel that their current work environment is lacking and possibly unsafe. Understanding the level of agreement with the security values construct and what dissonance (if any) exists increases the probability of implementation success.

Rising Above Compliance. Regulatory compliance standards may be mapped to the security values construct in order to show and express the value of various compliance components. Appendix A contains an example of such a mapping.

Conclusion

The outdated paradigm of a security framework based upon a tug-of-war between the CISO and the rest of the business needs to shift into a more balanced, holistic partnership. To fall back on the notion that security is merely compliance with the myriad of laws and standards does both the security profession and the business a disservice. We as security professionals must do more to change the conversation and integrate security into the values construct of our supported organizations.


About the Author

Kim L. Jones is a 29-year intelligence, security, and risk management professional with expertise in information security strategy; governance & compliance; security operations; and risk management. A sought-after speaker and industry thought leader, Professor Jones is a former Chief Security Officer who has built, operated, and/or managed information security programs within the financial services, defense, healthcare, manufacturing, and business outsourcing industries.

Jones holds a Bachelor’s degree in computer science from the United States Military Academy at West Point, and a Master’s degree in Information Assurance from Norwich University. He also holds the CISM and CISSP certifications.

Professor Jones may be reached at [email protected].


Appendix A: Mapping the Values Construct to Compliance Regulations

This appendix contains a sample matrix mapping a regulatory framework (in this case, NIST 800-53 version 3) to the security values framework.
