Selling IT Security to the Board: Changing the Corporate Mindset - Article for ComplianceExecutive.com

01/01/2012

 

Article for ComplianceExecutive.com
March 2007

Selling IT Security to the Board: Changing the Corporate Mindset



In most organizations, there is a clear divide between the information security technologists, on the one hand, and business users and managers, on the other.



This divide is most commonly characterized by a combination of contempt and despair – on both sides of the divide. Technologists have no idea why business users are so uncaring about the threats – both internal and external - that surround information and IT assets; the business users don’t understand why the technologists seem to want to make it difficult for them to do their jobs.



This divide is both unproductive and costly; it also usually reflects a long-term board failure to engage effectively with the modern business environment. When boards have a clear understanding of the role of information and information assets in their organizations, and when they are able to take a firm governance grip on how information technology is deployed and managed, then business users and information security technologists quickly coalesce around the linked concepts that information must be confidential, that its integrity must be assured, and that it must be available to those authorized to access it as and when they need to access it.



Boards can change the status quo inside their organizations, but they need to have a broader understanding of the importance of information security, both to their own organizations and globally.

 

As we’ve shifted from a manufacturing to an information economy, the structure of organizational value has changed dramatically. The intangible assets (mostly intellectual capital) of most OECD organizations are now worth substantially more than their tangible assets and this trend is unlikely to reverse.


 

Information is the life-blood of the modern business. All organizations possess and use critical or sensitive information. Roughly nine-tenths of businesses now send e-mail across the Internet, browse the web and have a website; and 87% of them now identify themselves as ‘highly dependent’ on electronic information and the systems that process it. Information and information systems are at the heart of any organization trying to operate in the high-speed wired world of the 21st Century.



Business rewards come from taking risks; managed, controlled risk-taking, but risk-taking nonetheless. The business environment has always been full of threats, from employees and competitors through criminals and corporate spies to governments and the external environment. The change in the structure of business value has led to a transformation in the business threat environment.



The proliferation of increasingly complex, sophisticated and global threats to this information and its systems, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is forcing organizations to take a more joined-up view of information security. Hardware-, software- and vendor-driven solutions to individual information security challenges no longer cut the mustard. On their own, in fact, they are dangerously inadequate.

 

News headlines about hackers, viruses and online fraud are just the public tip of the data insecurity iceberg. Business losses through computer failure, or major interruption to their data and operating systems, or the theft or loss of intellectual property or key business data, are more significant and more expensive.

 

Organizations face criminal damages, reputation loss and business failure if they omit to adequately secure their information. Directors face loss of personal reputation and jail time if they fail in their duty to protect the information their organizations are holding.

 

But computer security technology, on its own, simply does not protect information. On its own, it just wastes money, gives a false sense of security and decreases business efficiency. What organizations need is a structured method for identifying the real information risks they face, the financial impact of those threats, and appropriate methods of mitigating those specific, identified risks. Securing information is not rocket science, whatever the technology vendors might say. Information is at risk as much through human behavior (and inattention) as it is through anything else. Securing information therefore requires an approach that is as much about process and individual behavior as it is about technological defenses.

 

And no organization has either the time or the resources to try and work out, on its own and from first principles, how to do this effectively. Apart from anything else, the time and error profile is likely to be unattractive.

 

No organization needs to. ISO27001 already exists. This standard, which contains current information security international best practice that has already been successfully implemented in more than three thousand organizations around the world, gives organizations a reliable and effective framework for deploying an information security management system that will preserve its assets, protect its directors and improve its competitiveness.

 

It will also enable business users and information security technologists to collaborate for the benefit of the organization.

PROTECT YOUR
BUSINESS
THIS WINTER