The poem “The Blind Men and the Elephant” was written by John Godfrey Saxe (1816-1887). The essence of the poem is that their reactions were:
- The first felt the side of the elephant and said: It’s a wall
- The second got hold of a tusk and said: It’s spear
- The third felt the trunk and said: it’s a snake
- The fourth put his arms around a leg and said: it’s a tree
- The fifth touched the ears and said: it’s a fan
- The sixth grasped the tail and said: It’s a rope
The last stanza of the poem is: “And so these men of Indostan disputed loud and long, each in his own opinion exceeding stiff and strong. Though each was partly in the right, and all were in the wrong!”
In the corporate environment, information security is akin to the elephant. The parties involved in decision making are likely to have different perspectives on what “information security” means to them and use familiar words that mean different things to different people:
- The Information Security manager looks for technical solutions, selects standards and best practices to adopt (or not) and suggests areas where policies may be needed;
- The Chief Information Officer coordinates the multiple activities that support information security (configuration management, change management, incident management, etc.) and needs to justify the resources needed to get everything done;
- The Data Owners are not concerned with technology. Their role is ensuring the quality, confidentiality and integrity of the data and the tasks this involves, such as data classification;
- The Enterprise Risk Manager expects a a ranked and quantified Risk Register and supporting plans to deal with the highest priorities (within existing resources, of course);
- The Human Resources manager has a major role to play in the approval of policies, their distribution, building security awareness amongst the staff, etc.;
- The Finance Manager primarily concerned with cost control and cost reductions to protect data resources of often unknown value;
- The Legal Counsel and Compliance Officer who need to ensure that the policies and the management of information security comply with applicable legislation and meet regulatory compliance requirements;
- The Executives whose primary concern focus on avoiding business disruption and reputational risk – on top of their many other responsibilities;
- Staff representatives and other parties that may have concerns about the impact of policies and compliance issues on the workforce.
While such a group may not be “blind”, none of them has a holistic view of the information security “elephant” and this makes discussions ineffective and frustrating due to confusion and misunderstandings. The end result: weak information security governance.