Security is an enabler of governance, risk and compliance (GRC)
in organisations because it puts processes around information, says
an IT governance expert.
"Security drives organisations to identify what information is
important," said Lynn Lawton, international president of
ISACA and IT Governance Institute.
Security also determines who has access to information, ensures
that it is accurate and makes an organisation trusted to hold and
use information, she said.
IT security chiefs can support
GRC programmes by providing leadership in the organisation's
structures and processes to safeguard key information.
The biggest contribution IT security chiefs can make, said
Lawton, is to help the board understand the importance of GRC by
keeping it simple and relevant.
All these functions of security inform the management of
information, resources, performance and value within GRC
programmes.
"Many people perceive security as a barrier to doing things, but
it is important to GRC because it encourages people to use
information properly," said Lawton.
Another important role of IT security chiefs is to keep policies
and practices in line with the goals and aspirations of the
business.
"If IT is locking down information internally, but business
strategy is to give suppliers more access to get better service,
there would be a mismatch," she said.
Aligning IT security with business strategy is also an important
way of ensuring the board takes an interest in IT security before
things go wrong, said Lawton.
IT security professionals can ensure they are in tune with the
business by talking to people outside IT and taking an interest in
the organisation as a whole.
"The message is get out of the IT department to see what the
business is doing and how they are using what you are giving them,"
she said.
Lawton is a member of a panel discussing the role of security in
governance, risk and compliance at Infosecurity Europe 2009 at
Earls Court in London on 29 April.