Information security means better business

It's time for an ongoing dialogue with the board

Information security, as a recognised business activity, has come a long way in the past decade. Various factors have caused the discipline to mature and it has now attained its "licence to operate" within the corporate and public sector environments, becoming one of the core business and organisational enablers.

However, there is little room for error, as the consequences of insecure systems and information are almost always costly and distracting.

The challenge now for senior security specialists is to develop an ongoing dialogue with the board about the importance of information security in the context of organisational goals.

Information is the engine of global enterprise, and fit-for-purpose information security is fundamental to managing global enterprise risk. The regulatory environment, especially the requirements of Sarbanes-Oxley, has pushed security onto the board's agenda.

Security standards and frameworks, such as the international standard ISO 17799, are increasingly being adopted by third parties and business partners as proof of security credentials.

Users are waking up to security rights and expectations, causing public-facing organisations to tighten privacy policies. And the commercial imperative for information security is gaining momentum as more companies outsource or offshore operations and demand full mobility of their staff.

Organisations that are the most effective at information security tend to demonstrate three characteristics.

First, they are driven by results rather than activity.

Second, they earn credibility by candidly educating company management about security risks and basing their security investment on realistic assessments of risk.

Third, they are committed to independent standards and to measuring their departments' compliance with those standards.

Recognising that security should form part of overall business risk management, many organisations are now structuring and managing information security as part of operational risk management.

In other cases, it is seen as part of corporate security management which deals not only with physical threats, but also problems such as brand fraud.

Information security should, of course, have in place a framework for responding to incidents and threats. But it must also be prepared to take longer-term action to proactively defend the business against future threats and enable it to take full advantage of changing business opportunities.

Ultimately, a company's information security must be effectively integrated and aligned with the corporate strategy, objectives, business structure and style.

But to get that prize, security professionals must speak the business language and persuasively make the business case for the tan­gible and strategic dividends that strong security can undoubtedly provide in this global environment.

l Richard Brown is leader of technology and security risk services at Ernst & Young

Read more on Hackers and cybercrime prevention