Responsibility for maintaining strong protection while supporting the technology and working practices demanded by users – at an acceptable cost – starts with an organisation’s governing body.
This body, with the chief information security officer (CISO) as a direct report, should treat information security as a critical business issue and set clear direction for information security and risk management in a strong information security governance framework, aligned with corporate objectives.
Using the framework, IT and information security must provide the business with technology and solutions that meet security demands and user requirements, in support of corporate objectives.
Mature information security functions work with IT and the business, acting as enablers rather than inhibitors. Simultaneously, the business accepts that some technologies and practices are simply too insecure to adopt (based on the organisation’s risk appetite) and instead works with information security to find alternatives.
Information security should never underestimate the ingenuity of business users: if these users can’t get what they need in pursuit of corporate objectives, they will find a workaround – which could be insecure.
As every CISO will know, keeping down the costs of providing information security support is challenging. A benchmarking exercise can help an organisation understand its current level of security and where the gaps are.
This analysis can then be used by the CISO to determine where funding is adequate, too low or too high – in the latter case, with the potential to divert funding elsewhere.
Another option is to cross-charge business functions for providing specific services (often referred to as IT chargeback). This helps identify the costs associated with providing IT support (including information security), but it can be time-consuming and interpreted as an inhibitor rather than enabler.
Again, some business users may pursue a workaround to avoid any chargeback – but, of course, this means that the associated risks will not have been assessed and are therefore not managed.