Information security definitely needs to be a lot more context oriented rather than general framework oriented models that we have now.

I guess the key challenge is to understand the frameworks provided by organizations like ISACA, ITGI and aligning the information security services practices while taking care of business need, in the context of operating conditions.

I agree to the fact that Information Security is often limited to the realm of IT/Technology controls. This is also due to the fact that the so-called Information Security consultants still address Information Security from an IT point of view and not from a business point of view.

There aren’t many consultants who completely understands their client’s business model before addressing their information security requirements.This eventually leads to a scenario where the same framework getting deployed at all client locations invariable of their business model.

Another reason for this is the fact that the ROI on IT controls could be demonstrated quite tangibly but there are very few professionals who are capable of demonstrating ROI on processes & people hygiene to their clients.

When I say ROI, it has to be demonstrated from a business value point of view and not just in terms of metrices. I know professionals who blindly copy and paste some generic metrices to their clients without even understanding their releavance to their client’s business.

Hence, there has to be a industry wide movement to change this outlook on Information Security and it has to be oriented towards practicality instead of blindly following frameworks provided by ISACA, ITGI etc.

Best Regards,

Suresh Srinivasan