Most of my information security focus these past few years has concentrated on management and governance, but this was not always the case. I came into this profession as a technologist and manager who focused on team building, turn-arounds and doing a lot with few resources. But as my career moved from technology operations to security it also moved from technology to governance. I chose this path on purpose, and as I tell the few techies who have asked, I did it for one main reason: while technological security risks are always a possibility, management security risks are a certainty.
I was reminded of this decision this past week when a professional I have strong respect for bumped up against a misunderstanding of security regulations and, with her best intentions, sapped the time and energy of five professionals from two organizations responding to what they thought was a HIPAA violation. It turns out that there was no violation. But there was an impact: the wasted day of five highly competent and valuable professionals. And the threat that caused the impact? Management’s misunderstanding of the HIPAA Security Rule and of their Business Associate contracts. The organization made a cultural decision to make their personnel hyper-vigilant to the point of paranoia, causing over-reactions to allowable use of protected health information.
When HALOCK works with our clients on information security projects, we help them understand the relevance of their security concerns in terms of impact. So you had a DoS? What was the impact, the time for the team to respond? Damage to your reputation? Inability to reach a service level agreement? When we talk about information security in terms of impact, management starts to understand their role in planning security priorities and investments.
But as tempting as it is to focus on technical threats, management security threats are a certainty because of the consistent and measurable impacts that result from management’s imperfect relationship with security and compliance.
Management security threats come in a few varieties. Perhaps the most obvious management security threat is ignoring security and compliance altogether. There are many causes of this threat, including denial of obligations and the denial of the reality of threats. But the results are the same: a vulnerable organization that gets into trouble.
A less obvious management security threat occurs in the organization that over-controls. HALOCK has too often responded to information security breaches that occurred because personnel were trying to get their work done in an unsafe way because they could not get it done in the designated safe way. Sometimes security controls are so strict that they prevent personnel from performing normal work activities. Personnel who have a motivation to work efficiently in inefficient environments will create their own efficiencies, even if they create new vulnerabilities along with them. This is why we have risk assessments: to be sure that security controls are reasonable and appropriate, and to avoid these misplaced security controls.
The least obvious management security threat on our list is misinformed management: people who assert their misunderstanding of regulations and security requirements as if they are true. While it is bad enough to misunderstand compliance requirements, things get even more complicated when contradictory information surfaces. This is why I always insist on quoting the applicable regulations and contracts. When we have a debate based on the authoritative documents, then our disagreements are narrow. When we have fact-free debates, then we are left with fear, uncertainty, and doubt, which is a killer of time, innovation, morale, and certainty.
Sources for this threat of misinformed management are commonly found in:
- Web sites and articles that purport to have the right interpretations of regulations, but do not back up their interpretations with source material, such as the regulations they are referencing.
- Off-the-shelf information security and awareness training kits. I have never seen an off-the-shelf training package that addressed the unique risks and responsibilities of each organization that used them. So how could they be providing personnel with practical and accurate information about how to make security work in their unique organization? They can’t.
- Word-of-mouth. Enough said.
- Compliance by Audit. Mistaking an auditor’s questionnaire for an authoritative list of required security controls.
- Certification programs that imply that they make you compliant with a security regulation. Check with the regulatory body that oversees the regulation in question before falling for this trick.
- Not reading the source material, and not checking it again and again to be sure you remember it correctly.
A good place to find the authoritative source of regulatory requirements is actually in the regulation. Sadly, “authoritative” does not also mean “easy to read” or even “easy to find.” Try going through the latest CFRs (Code of Federal Regulations) about protection of health information. Can you tell where the commentary ends and where the requirements start? It’s not easy the first few times.
But working with an expert who lives, eats and breathes the regulation (and regularly cites the regulations’ text and the regulators’ guiding documents) is a good start. And if the expert insists that you start your compliance with a risk assessment, then you know you are onto something good.
In the case of my clients last week, I was able to carefully walk them through their assumptions, help them read through and interpret their contracts, policies and the regulation, show them that they were well within their regulatory limits, and help them avoid disclosing a violation that didn’t happen. During our wrap-up I let them know I was a little disappointed that they had been steered the wrong way about their obligations. Their reply was that they had been so consistently trained into believing that HIPAA was unforgiving and hazardous that they thought they were responding correctly in their over-reactions. “Management security risks are a certainty,” I thought.
If you suspect that you may be experiencing management security risks, then be aware that the business impacts will be real. There will be loss of productivity, damage to reputation and delays of your organization’s mission. Information is now a regulated asset and organizations need to treat it that way. Your one best way to recover from and avoid management security risks is to address them head on and make sure your organization actually knows what these security regulations are asking us to do.
Have you seen examples of the misinformed or over-zealous manager creating their own security and compliance impacts? Send me comments below. I’d love to hear about them.