Security is an enabler of governance, risk and compliance (GRC) in organisations because it puts processes around information, says an IT governance expert.
"Security drives organisations to identify what information is important," said Lynn Lawton, international president of ISACA and IT Governance Institute.
Security also determines who has access to information, ensures that it is accurate and makes an organisation trusted to hold and use information, she said.
IT security chiefs can support GRC programmes by providing leadership in the organisation's structures and processes to safeguard key information.
The biggest contribution IT security chiefs can make, said Lawton, is to help the board understand the importance of GRC by keeping it simple and relevant.
All these functions of security inform the management of information, resources, performance and value within GRC programmes.
"Many people perceive security as a barrier to doing things, but it is important to GRC because it encourages people to use information properly," said Lawton.
Another important role of IT security chiefs is to keep policies and practices in line with the goals and aspirations of the business.
"If IT is locking down information internally, but business strategy is to give suppliers more access to get better service, there would be a mismatch," she said.
Aligning IT security with business strategy is also an important way of ensuring the board takes an interest in IT security before things go wrong, said Lawton.
IT security professionals can ensure they are in tune with the business by talking to people outside IT and taking an interest in the organisation as a whole.
"The message is get out of the IT department to see what the business is doing and how they are using what you are giving them," she said.
Lawton is a member of a panel to discuss the role of security in governance, risk and compliance at Infosecurity Europe 2009 at Earls Court in London on 29 April.