The boardroom is recognising that direct threats to the health of the business are increasing in volume and sophistication, but is less clear on how to be responsible with information security risk.
Clearly, managing security should be no more the job of the board than accounting or legal practice. It is the board's job, however, to define what is expected of information security and to play its part in closing the infamous business IT gap.
Considered to hold a relatively minor position in IT just a few years ago, information security professionals are now getting the boardroom recognition they have long craved and deserve. Their diversity of knowledge and skill ranges from a comprehensive view of compliance issues to proficiency in risk models with management instincts.
Despite this growing influence, information security continues to be perceived as a necessary evil or a cost to the business. All too often, this is as much the perspective of the individuals in the profession as it is of the executives charged with funding it. We are unified in our motivation to avoid threats rather than to advance the business.
Way to competitive advantage
Business executives may well accept that selling online is dependent upon good security, but the broader information security picture is not well appreciated.
It is time to change that thinking and recognise that there is every opportunity to consider information security as a strategic tool for competitive advantage, increased shareholder value and better management of resources. Such change does not require new technical knowhow or security solutions, but rather a new way of assessing them.
It must first be recognised by the board that information security programmes reflect high levels of interdependence across the business. A review of hiring practice is warranted to ensure a team that, from the top down, is capable of working collaboratively with business units: participating on strategy committees, assessing business objectives, presenting risk analyses, and reporting common accomplishments in recognition of common objectives. The resulting security strategy will inherently address how the company would like to take advantage of its business intelligence, its evolving workflows, how customers like to interact with the business, its outsourcing objectives, its application management and development strategies, and so on.
Collaboration with the board
Information security professionals need to work with the board and company executives, addressing not just budget issues, but also the need for an organisational structure that allows such effective collaboration. It should not be unusual for them to spend up to 50% of their time communicating and managing the team's contribution to the business.
Part of this effort must elicit a clear articulation, ideally from the board as well as other senior management, on what is expected of them. This would encourage security and its potential impact on the business to be considered at the strategic planning stage.
The first step is for the board to consider a general view of what information security should and could do for the company. The result will lead to a definition of the role of the information security department and the depth of skills required within it. Herein lies the guideline for the development of the team itself, identifying skills that may already exist, training requirements, and opportunities for the recruitment of new talent.
Most likely to be lacking are the broad-based skills required to assess and communicate priorities, plan development, set overarching policy, and assess and prioritise risk within the context of the business's specific exposure and opportunities.
Many of these are skills associated more with lengthy business management experience than with specialist security practice. The process is not unlike the development of any specialist department within a business.
As the information security challenge continues to occupy regulators, company directors have an opportunity to do much more than grapple with the threat of prosecution for negligence. In considering this challenge, they would be advised to craft a more effective, progressive operational model that views information security as a resource.
John Colley is chairman of (ISC)2's European advisory board