A breakdown in communications between information security, IT and the business is undermining efforts to tackle the risk of security breaches, research has revealed.
Instead of working together toward common goals, different parts of the business often fail to understand each other's roles, according to a joint study by PricewaterhouseCoopers and (ISC)².
The results of the study into why business leaders underestimate information security risk were unveiled at the RSA Europe 2010 conference in London.
The security of corporate information depends on the organisation's various functions communicating clearly and effectively with one another. Sustaining a meaningful dialogue takes every team, so a change in mindset is needed on all sides, the study found.
The miscommunication stems from the different languages spoken by the three functions, so the research concludes with five parallel steps that business and information security leaders should each take to close the gap.
John Colley, managing director EMEA at (ISC)², said the information security function is hampered by its uneasy relationship with both the IT and the business areas it is tasked to support.
"They increasingly understand they need to become enablers and speak the language of business operations, opportunities and risk. It is time for the rest of the business to wake up and support them in their endeavours," he said.
How to close communications gaps
• Business leader: Highlight risks to the board on current and emerging threats as the context for needing world-class information security standards.
• Information security leader: Avoid using complex technical language and describe business risks and the relevant controls in straightforward business terms.
• Business leader: Discuss future strategic technology choices and trends at board level to assess the impact and implications.
• Information security leader: Continually scan emerging devices and cyber threats from the perspective of the business's strategic objectives and opportunities.
• Business leader: Rank the organisation's business units on a scale of low to high risk. For those that are high risk, consider introducing incentives for the successful implementation of security standards.
• Information security leader: Analyse the organisation's underlying business processes from an information security perspective, and develop business cases for more relevant, cost-effective controls.
• Business leader: Initiate ongoing workshops with representatives from information security, the business and IT, to brainstorm the threats and opportunities and to debate solutions.
• Information security leader: Forge strong links with 'natural allies' in the business, such as legal, compliance, risk and internal audit, to agree on a shared, business-focused language.
• Business leader: Over the longer term, engage the security leader more deeply in the strategic agenda and future plans, enabling that function to plan proactively into the future rather than reacting to emerging events.
• Information security leader: Ensure that information security's relevance is understood throughout the organisation, so it is viewed as a source of business-enabling solutions rather than a barrier to doing business.