Information security, as a recognised business activity,
has come a long way in the past decade. Various factors have caused
the discipline to mature and it has now attained its "licence to
operate" within the corporate and public sector environments,
becoming one of the core business and organisational
enablers.
However, there is little room for error, as the consequences of
insecure systems and information are almost always costly and
distracting.
The challenge now for senior security specialists is to develop
an ongoing dialogue with the board about the importance of
information security in the context of organisational goals.
Information is the engine of global enterprise, and
fit-for-purpose information security is fundamental to managing
global enterprise risk. The regulatory environment, especially the
requirements of Sarbanes-Oxley, has pushed security onto the
board's agenda.
Security standards and frameworks, such as the international
standard ISO 17799, are increasingly being adopted by third parties
and business partners as proof of security credentials.
Users are waking up to their security and privacy rights and expectations,
causing public-facing organisations to tighten privacy policies. And the
commercial imperative for information security is gaining momentum
as more companies outsource or offshore operations and demand full
mobility of their staff.
Organisations that are the most effective at information
security tend to demonstrate three characteristics.
First, they are driven by results rather than activity.
Second, they earn credibility by candidly educating company
management about security risks and basing their security
investment on realistic assessments of risk.
Third, they are committed to independent standards and to
measuring their departments' compliance with those standards.
Recognising that security should form part of overall business
risk management, many organisations are now structuring and
managing information security as part of operational risk
management.
In other cases, it is seen as part of corporate security
management, which deals not only with physical threats but also with
problems such as brand fraud.
Information security should, of course, have in place a
framework for responding to incidents and threats. But it must also
be prepared to take longer-term action to proactively defend the
business against future threats and enable it to take full
advantage of changing business opportunities.
Ultimately, a company's information security must be effectively
integrated and aligned with the corporate strategy, objectives,
business structure and style.
But to get that prize, security professionals must speak the
business language and persuasively make the business case for the
tangible and strategic dividends that strong security can
undoubtedly provide in this global environment.
Richard Brown is leader of technology and security risk
services at Ernst & Young