Changing Information Security Paradigm
Traditionally, information security has been handled by deploying technology solutions and through information technology management and governance processes. Rarely has any organization looked at this subject as an extension of the overall business and as a contributor to the bottom line, by assessing and managing information security related risks proactively.
Most of the professionals handling information security for various organizations are either technology professionals or from a similar background. The success of an information security program depends on their ability to communicate with other departments and bring them on board by highlighting the benefits and the positive impact it may have on company profits. Most information security professionals are overwhelmed with operational issues like updating patches and compliance related issues. Some of them either lack the vision or simply do not have the time to present the benefits of information security in an effective manner.
The majority of information security programs ignore the business benefits of assessing risk proactively and of using this information to maximize returns. However, this mindset is changing. Information security professionals are increasingly looking beyond technology solutions and information security management processes to focus on the business benefits of information security, and are taking steps to build information security best practices into the organization's work culture.
Thomas Raschke has the same viewpoint, as reflected in his article InfoSec 2008: Key takeaways from Europe's biggest security event.
He believes that, for security professionals, a key challenge lies in understanding that there is a paradigm shift happening outside of the technology/vendor realm, which will require out-of-the-box thinking for many of us. As per him, the technical aspects of information security can either be operationalized or outsourced.
The key success factors responsible for a successful information security program include:
- Communication in business language rather than technical terms
- Building partnerships and fostering a positive relationship with other departments for handling information security
- Articulating business benefits of addressing new security challenges
- Ensuring the technology is perceived as an enabler and not as an end solution for information security objectives
Thomas says that “If you then learn how to demonstrate that a new data security product or a fresh start on identity management is going to help your company add to the bottom line - then you are on the right track to the nirvana of security and risk management.”
I cannot agree with him more.
The initial success of an information security program can be easily gauged by studying how it has impacted the organization's overall work culture with regard to addressing information security needs. An ideal information security program is one which is designed to provide inputs on information risks and their impact on the business, along with possible risk mitigation/management options, to enable informed decision making for maximum benefit.
July 10th, 2009 at 12:29 am
Hi Jasjit,
I agree with the fact that Information Security is often limited to the realm of IT/Technology controls. This is also due to the fact that the so-called Information Security consultants still address Information Security from an IT point of view and not from a business point of view.
There aren't many consultants who completely understand their client's business model before addressing their information security requirements. This eventually leads to a scenario where the same framework gets deployed at all client locations irrespective of their business model.
Another reason for this is the fact that the ROI on IT controls can be demonstrated quite tangibly, but there are very few professionals who are capable of demonstrating ROI on processes and people hygiene to their clients.
When I say ROI, it has to be demonstrated from a business value point of view and not just in terms of metrics. I know professionals who blindly copy and paste some generic metrics to their clients without even understanding their relevance to their client's business.
Hence, there has to be an industry-wide movement to change this outlook on Information Security, and it has to be oriented towards practicality instead of blindly following frameworks provided by ISACA, ITGI etc.
Best Regards,
Suresh Srinivasan
July 10th, 2009 at 2:42 am
Thanks Suresh for reading the blog and for your valuable comments.
Information security definitely needs to be a lot more context oriented rather than the general framework oriented models that we have now.
I guess the key challenge is to understand the frameworks provided by organizations like ISACA, ITGI and to align the information security service practices while taking care of business needs, in the context of operating conditions.