
  • 1.  Help in identifying relevant research to address an ongoing issue

    Posted 01-19-2009 14:21

    I would appreciate help in identifying research that will help answer a disagreement that has implications for a policy change regarding the appropriate organizational home for cyber security staff.  The organization positions follow---both are plants in the critical infrastructure sector.  

    Organization A's Position

    Organization A would like cyber security specialists to be assigned to their plant's Security organization. They see the potential for a conflict of interest when an IT organization assigns its own staff members to evaluate and regulate the cyber security of the IT organization's own programs and systems. Anecdotal reports from several plants indicate that IT staff members assigned to perform cyber security assessments are feeling pressure to minimize their evaluation of cyber security risks, particularly for high-visibility programs that are being championed by their IT management. Even if there is no overt pressure to downplay security risks, IT staff members are afraid that raising concerns about existing or proposed programs/systems could negatively impact their annual performance evaluations. As a result, the NRC would prefer that cyber security specialists with security review and oversight responsibilities be assigned to the plant's Security organization. This would allow them to "safely" crack down on IT and operational excesses without fear of management reprisals. Organization A also believes that the plants need to start addressing both physical and cyber threats in an integrated manner and that could best be accomplished by putting both physical and cyber security specialists into the plant's Security organization.

    Organization B's Position

    In contrast to the above position, Organization B wants to see cyber security specialists remain in their current IT organizations. There are several reasons for this, including:

    (1) many cyber security functions are currently performed by IT staff who have both security and non-security assignments. Placing these staff in the security organization would impact their ability to continue their non-security IT assignments.

    (2) at present, the Security organization is focused on its physical security mission and they don't understand or want to take on an additional cyber security mission.

    There are also unspoken reasons, involving organizational politics, costs, and control issues -- but these can be addressed elsewhere.

    The bottom-line is that Organization B has challenged Organization A to show evidence from "organizational psychology" or other research studies to support Organization A's position that the current placement of cyber security oversight within a plant's IT organization might represent a potential conflict-of-interest.  Organization B wants to see relevant, independent studies before it will accept Organization A's position.

    We've been asked to do a quick search to see what 'relevant, independent studies' exist. 

     

    Thanks,  Mary Z.

    __________________________________________________
    Mary D Zalesny, PhD
    Pacific Northwest National Laboratory
    1100 Dexter Avenue NE
    Seattle, WA  98109 USA
    Tel:  206-528-3275
    Cell: 206-437-9616 
    mary.zalesny@pnl.gov
    www.pnl.gov

     


  • 2.  Help in identifying relevant research to address an ongoing issue

    Posted 01-19-2009 17:39
    Hi Mary Z.,
     

    How much research is necessary in this situation where more than ever before security must be understood as a very comprehensive problem?  When it comes to security, whether in the private sector or in government, cyber crime or concerns should be an integral part of the whole process or efforts dedicated to guarantee the integrity of the organization. All police departments and many other security agencies at all levels are doing just that.  Any security organization which is not considering the potential for cyber attacks should be rendered as ineffective (Reason 2 in Org. B's position). There is no reason for an organization to have someone who should be paying attention to security issues, in the digital world or in the physical one, being distracted by responsibilities outside the safety and protection of the organization.  And by the way, cyber crime could come from outside of the organization, or from inside it which might include IT personnel.

     

    Thanks,

    Ivan

     

    Dr. R. Ivan Blanco
    Department of Management
    McCoy College of Business Administration
    Texas State University - San Marcos
    San Marcos, TX 78666
    Voice (512) 245-1842  -  Fax (512) 245-2850
    E-mail  rb39@txstate.edu
     
    "Las naciones marchan hacia el término de su grandeza, con el mismo paso que camina su educación."
    "Nations march toward their greatness at the same pace as their educational systems evolve." -- Simon Bolivar



  • 3.  Help in identifying relevant research to address an ongoing issue

    Posted 01-19-2009 22:20

    Hi Mary.

     

    There are a number of issues that stand out when surveying the two points of view.  I am wondering what industry best practices have already been reviewed?  Also, what is the size of the IT organization, and is it large enough and mature enough to absorb a discrete operation whose objectives are solely dedicated to mitigating IT security risks, such that they are not involved in conflicting matters like those you described below?  What is the priority?  With regard to the pressure Organization A is feeling such that reports of risk may be minimized, it would seem that a third-party IT risk management consultancy engagement might be in order for assessment and facilitation purposes.  If baselines have already been established for this type of risk mitigation operation, someone could come in and assess where they are and determine what it would take to get them to where they want to go.  Once this type of analysis has been completed, short- and long-range plans based upon risk level can be developed (what is the risk if we do nothing? What is the risk if we wait six months? etc.).  With regard to the question of centralization or decentralization, this depends greatly upon the level of risk ascribed to the different types of access, the total number of locations and their proximity, as well as what resources would be required to carry out the IT security objective.  Some of the assessment can be sorted out fairly quickly by a third party, depending upon the frequency and depth of past internal audits and the level of risk the potential exposures reside upon.  The foregoing is process-driven rather than subjective, as it currently seems to be.

     

    From the literature perspective, there are a number of publications that may offer insight, including Information & Management, Decision Support Systems, Computers in Industry and IBM Systems Journal (of course there's Gartner as well).  While the model right for the overall organization may not be discernible from any one literature contribution (i.e. these configurations are highly tailored and specifically designed for that very organization and would not likely be a cookie-cutter type solution without some adaptation), it could be that there are trends contained in these major publications that point to enough similarities in practice that a solution could be fashioned.

     

    Based upon the level of conflict already inherent in the situation, it would seem that bringing a third party into the process could potentially defuse some of the organizational conflict problems already in play.  Issues with power bases and scarce resources could be ferreted out and navigated in an analytical fashion rather than in emotionally charged and potentially engagement-damaging ways.  In this case, relying on as objective and systematic an analysis as possible is critical.

     

    Hope this is helpful.

     

    Best regards,

     

    Cori

    *******
    Colrain M. Zuppo, Doctoral Fellow
    PhD in Technology Management,
        Specialization: HRD & Industrial Training
    Indiana State University
    College of Technology
    101 North Sixth Street
    Terre Haute, IN 47808

     

     

     



  • 4.  Help in identifying relevant research to address an ongoing issue

    Posted 02-15-2009 14:59

    Hi Mary,

    Sorry for the delay; I was ill for a period due to a nasty case of food poisoning. I do not know of any studies that would support the position of B. I have since checked with two professors in our Accounting and Information Assurance department who work in cyber-security. They did not know of any studies. They indicated that there are often auditing functions performed by individuals outside of IT. Some organizations are designating a CISO (Chief Information Security Officer) who more often reports to the CIO (Chief Information Officer), but may report to the Chief Financial Officer or even the CEO. They mention this in their book (Gordon, Lawrence A. and Loeb, Martin P. (2006). Managing cyber-security resources: A cost-benefit analysis. New York: McGraw-Hill.)

    I had a bit of a discussion with them. Since I have been a computer project manager, it is difficult for me to see how the security function could be managed on a day-to-day basis outside of IT. Systems are so complex that they can be difficult for outsiders to fathom sufficiently. In my case, there was so much detail in the system that I was managing that even my immediate boss was somewhat clueless due to the impossibility of keeping up with all of the ins and outs of specific systems.

    Hope this helps. Sorry it was not sooner. Hope all is well with you.

    Best,

    Kay



    Kathryn M. Bartol, Ph.D.

    Robert H. Smith Professor of Management and Organization
    Department of Management and Organization
    Robert H. Smith School of Business
    4512 Van Munching Hall
    University of Maryland
    College Park, MD 20742-1815
    301-405-2249 TEL

    kbartol@rhsmith.umd.edu
    http://www.rhsmith.umd.edu