The Information Security Forum's (ISF) 300+ blue-chip members are currently debating how information security can make business sense.
Information and security are critical to effective and efficient business operations and this dependence is increasing. Yet, we see IT and information security functions facing increased calls on their resources which are not matched with significant increases in head-count and budget.
The key to aligning with the business is the appropriate management of risk. The language of business is risk – not security products – and information security must help the business build a realistic understanding of information risk and its relationship with other business risks.
It is the chief information security officer's (CISO) role to communicate this to the organisation.
Here are some examples of how ISF Members support their businesses:
- Managing risk in business initiatives by selecting proportionate controls that enable the business, yet manage cost
- Taking a strategic view and measuring progress against a road map, defined goals and milestones, produced in collaboration with business leaders
- Creating robust governance structures to manage risk organisation-wide and support corporate governance obligations
- Working with functions such as legal and privacy to create a sound basis for compliance
- Integrating with supplier management to assess and mitigate information risk across the supply chain
- Supporting new initiatives such as bring-your-own-device (BYOD), cloud adoption and big data by recognising how these technologies add business value and providing secure methods of deploying them.
The real answer as to how IT security can make business sense, optimise financial performance and protect brand reputation is people.
Upcoming ISF research, conducted for a soon-to-be-released paper on the role of the modern CISO, tells us that staff with a mix of business and technical skills, complemented by the ability to communicate at all levels, are key to aligning and integrating information security with the business.
Adrian Davis is principal research analyst at the Information Security Forum (ISF)