Information security matters

Why, you might ask?

Let's start with a little questionnaire: What do you think are a company's most valuable assets?

  • Employees
  • Customers
  • Company data
  • Physical assets (e.g. facilities, devices etc.)

You probably got it right, although it is a deceptive question: all of them, and some more, make up an enterprise's value.

Not so many years ago, IT security was primarily the responsibility of the IT staff, who implemented technical security measures (e.g. firewalls, network security, antivirus, IDS etc.). Physical security was the obligation of the facility manager, and personnel security the responsibility of human resources. To be clear, that's not wrong; the question is whether these obligations should be treated separately or aligned under, let's say, the information security management discipline. If so, what is information security management now all about?

Today the role of information security has changed dramatically. It is driven by business needs, has to support business activities and must directly support or enable a particular avenue of business. In most of today's companies, information is the business. This includes major players but also countless others, large and small. Hence information must be treated with the same care and caution as any other asset would receive.

Information security is a complex discipline with many aspects - see this example:

Employees work with data, which is processed and stored on local and central systems, carried over private and public networks, and accessed from almost everywhere with different devices. Access controls are needed to prevent unauthorized access to facilities, offices, processing units, networks and so on. IT assets need to be operated and maintained in a safe manner, and business continuity and recovery plans must assure the availability and recovery of business processes. Risks need to be identified, assessed and managed to reduce the impact of threats exploiting vulnerabilities. Finally, legal and regulatory compliance must be assured.

In consequence, information security governance has been established to reflect the necessity and importance of information security for today's businesses. The five basic outcomes of effective security governance should include:

  1. Strategic alignment
  2. Risk management
  3. Resource management
  4. Value delivery
  5. Performance measurement

Security governance is part of corporate governance and needs to be sized to business needs. It is a complex but essential part of management duties and responsibilities.

Information security matters!