Use regulations to get boardroom backing for IT security policies

Buy-in from top is essential to build security culture, says Jon Fell

Tighter regulation will force the board to build a security culture and take security threats seriously, says Jon Fell
It seems strange that, when it comes to information in the workplace, we place far lower importance on ensuring the integrity and availability of the information on which we base our business decisions. Why do we need to wait until a legal obligation is imposed on us before we take information security seriously?

Compliance with legal requirements provides a business with very good reasons for reviewing information security practices, but it should not in itself be the sole or even the main driver.

However, it seems that tighter regulation will be the catalyst to more businesses taking security seriously. The Companies (Audit, Investigations and Community Enterprise) Act aims to improve the reliability of financial reporting and the independence of auditors and auditor regulation by, among other things, requiring directors to make a statement in the directors’ report about the disclosure of relevant information to their auditors.

When the new Act comes into force it will impose stricter obligations on company directors and officers in relation to the accuracy of the information they supply to their auditors.

The disclosure provisions have been likened to those contained in the much vaunted Sarbanes-Oxley legislation in the US. The fact that failure to comply may give rise to a criminal offence will certainly concentrate the minds of senior management.

Of course, it is virtually impossible to implement security policies and nurture a security conscious culture within an organisation unless there is buy-in and direction from the top of that organisation.

Although there appears to be a growing awareness of IT security at board level, some persuasion will still be needed. It is all too easy to concentrate on the negative impact of failing to comply.

The best approach may be to dwell on the business case for having readily available accurate information and the competitive advantage this may give to the business.

Information security in some large organisations is managed through the commercial departments rather than the IT department. The more security can be embedded within a process so that it becomes automatic, rather than dependent on a person remembering to do something, the better.

We have come a long way from the days when information security was synonymous with IT security and the buck stopped with the IT manager.

Some companies are now talking about "information assurance" and are treating security matters as mainstream commercial issues.

And given the recovery and disruption costs of failing to protect yourself against IT security threats, can any business afford not to take information security seriously?

Jon Fell is a partner at law firm Masons

Jon Fell is a keynote speaker at the Infosecurity conference in Manchester on 17 November
