Most enterprises are now “IT-centric”, depending increasingly on IT for their critical business information. Yet the threat to this source is increasing exponentially, not only from internal resources, deliberately or otherwise, but also from external ones. Security of laptops and mobile devices is still weak.
Enterprises have to accept that this is now a prime factor in their profitability, even their survival. So information denial, the denial of critical business information to its authorised users whenever they require it, now has to be a powerful factor in their enterprise risk management.
Information security, in all its forms, is regarded now as the most potent means of protecting the integrity of this information source, but it still covers at best 50% of the information risk.
Extending the solution
Enterprises now have to recognise that to solve this problem satisfactorily, the solution needs to extend to a wider variety of business functions, beyond the information function.
In the first instance, a genuinely effective disaster recovery plan should now be a priority for every enterprise. Many such plans exist, but few are truly effective.
A further package is needed to complement them, covering crisis management (for example, the onset of avian flu), corporate governance and the growing burden of regulatory compliance, a widening range of staff management and training issues, contract and outsourcing management, physical security, energy management, and so on.
Apart from incorporating electronic protection and interaction with relevant agencies, systems need to be designed to provide markedly better availability to users, with the support needed, plus enhanced quality in operating them, including escrow access to facilities when an outsourced supplier fails.
The most lethal cause of information denial is still the old problem: poor programme and project management in implementing change.
A consistent policy
To many enterprises these needs are individually self-evident, and have been addressed in line with relevant standards. But these measures are seldom brought together in a consistent enterprise-wide policy.
Significant investment thus often leads to fragmentary protection, persistent vulnerability and exposure to corporate and personal penalties for failure to protect the integrity of the information function.
Hence the key role of the board of directors in enterprise risk management: only senior board members, not chief information security officers or even CIOs, can ensure that business cases are generated to fund policies embodying consistent measures across all the business functions involved.
Board members need to see that these policies are implemented and sustained over many years, while instilling the optimum balance of security culture and enterprise needed for them to be beneficial.
Ian Wylie is a director of Kemble Knowledge Governance
This was first published in July 2006