Understanding Information Security

March 3, 2010

At the InfoSec Group, we assist our clients with meeting – and exceeding! – their information security goals. Some of our clients are mandated to do so, while others understand the importance of protecting their business, their assets and their clients, and have taken a proactive approach to acknowledging their responsibility as business owners/operators.

We enjoy the idea of increasing an organization’s information security awareness level from the top on down, and in the process of doing so, we have discovered that there are myths out there that certainly do die hard.

So, in an effort to describe more accurately what Information Security actually is, we traditionally communicate the following concepts:

1. Information Security is about business.
It is, simply put, a business goal. And like any other business goal, it is imperative that a strategy be developed, and that this strategy be designed to be integrated with the organization’s overall business strategy. The two must be aligned, otherwise the goals will not be reached.

2. Information Security is about people.
Because it is inherently cultural and behavioral, information security is and has always been about the people involved. To be successful, the company has to foster a culture of security. That cannot be achieved unless the culture is created and promoted by the C-level executives. After all, who wants to be burdened by security measures if the boss doesn’t have to abide by the same rules?

What we try to accomplish is to have employees understand the value that information security brings, and “buy in”. No buy-in, no success.

3. Information Security is hinged on risk management.
Not understanding what risks threaten your assets – and therefore your business – and what costs are associated with these risks means that you are unprepared to protect yourself against these threats. A careful risk assessment process is a potent approach to identifying these threats and the controls necessary to protect the business. And because the process involves assigning a dollar value to the assets and the remediation controls, the process allows for the solutions chosen to make business sense.

4. Information Security is NOT about IT!!!
This is the biggest myth of all. Information Security is NOT an IT function – it is a business function. Making it an IT function means that your strategy is flawed from the start. To illustrate this point, consider the following:

Would you deploy an anti-virus solution to protect an asset threatened by a virus infection? Yes, because it makes IT sense to do so.

Would you deploy a $300,000 anti-virus solution to protect a $100,000 asset threatened by a virus infection? No, because it doesn’t make business sense to do so.

This is why information security has to be a business function, and not an IT function.

Furthermore, for IT to be in charge of security would be a violation of the basic principle of separation of duties, and is therefore widely regarded as a violation of security best practices.

In our next blog, we will look at the risk that the use of social media can create for a business. We will see that social media should be used – but that being aware of the inherent risks, and designing a simple strategy to mitigate those risks, will ensure that the organization can reap the benefits of social media without attracting unwanted threats.

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436
