Changing Information Security Paradigm

Traditionally, information security has been handled by deploying technology solutions and through information technology management and governance processes. Rarely has any organization looked at this subject as an extension of the overall business and as a contributor to the bottom line by assessing and managing information security related risks proactively.

Most of the professionals handling information security for various organizations are either technology professionals or from a similar background. The success of an information security program depends on their ability to communicate with other departments and bring them on board by highlighting the benefits and positive impact it may have on company profits. Most information security professionals are overwhelmed with operational issues like applying patches and compliance related issues. Some of them either lack the vision or simply do not have the time to present the benefits of information security in an effective manner.

The majority of information security programs ignore the business benefits of assessing risk proactively and of using this information to maximize returns. However, this mindset is changing. Information security professionals are increasingly looking beyond technology solutions and information security management processes to focus on the business benefits of information security, and are taking steps to build information security best practices into their organizations' work culture.

Thomas Raschke has the same viewpoint as reflected in his article InfoSec 2008: Key takeaways from Europe’s biggest security event.

He believes that, for security professionals, a key challenge lies in understanding that there is a paradigm shift happening outside of the technology/vendor realm which will require out-of-the-box thinking for many of us. In his view, the technical aspects of information security can either be operationalized or outsourced.

The key factors behind a successful information security program include:

  1. Communication in business language rather than technical terms
  2. Building partnerships and fostering a positive relationship with other departments for handling information security
  3. Articulating business benefits of addressing new security challenges
  4. Ensuring the technology is perceived as an enabler and not as an end solution for information security objectives


Thomas says that “If you then learn how to demonstrate that a new data security product or a fresh start on identity management is going to help your company add to the bottom line - then you are on the right track to the nirvana of security and risk management.”

I cannot agree with him more.

The initial success of an information security program can be easily gauged by studying how it has impacted the organization's overall work culture in addressing information security needs. An ideal information security program is one which is designed to provide inputs on information risks and their impact on the business, along with possible risk mitigation / management options, to enable informed decision making for maximum benefit.

