Most of the business leaders and executives that I talk to frame information security as a problem for IT to manage and solve; however, IT cannot and should not manage or solve this problem on their own.
While there is a lot that IT can do to manage the security of the IT network (i.e., IT security), IT has nothing to do with confirming a bank transfer with the person requesting it or the fear driven culture that led an HR employee at a company to email the organization’s entire employee database, including social security numbers, to a cybercriminal. Organizations that are effectively managing the security of their information lead from the top, not from IT. Effective organizations have designated an executive or senior manager to manage the security of their information.
The only way to ensure that the information in the possession of your organization is appropriately protected is for the executive leadership of your organization to be proactively engaged in managing your information security efforts. To be practicing governance.
Recognizing that information security management is its own formal management discipline — and one that is very distinct from sales, operations, HR, finance, legal, and even IT — effective organizations also make sure that the team is supported with qualified subject matter experts.
At its core, managing the security of information is an exercise in risk management that dates back to the 1980s when the governance of IT was first being established. At the time, businesses around the world were concerned about how to manage IT and how to mitigate the risks that poorly managed IT departments left the business vulnerable to. In response, the United Kingdom’s Central Computer and Telecommunications Agency (CCTA) created a framework for managing IT, built upon input from world business leaders and technologists. George Spalding, who was one of the initial creators of this international IT Infrastructure Library (ITIL), asserted that “governance ensures that IT fulfills its promise to the business.”
IT governance means that leadership and processes are in place to ensure that IT meets and supports the business’ objectives. It is this same leadership and process (read: governance) that is required for information security management in order to ensure practices are appropriate to the size of your business and the value of the data you need to protect.
Organizations that are effective at managing the security of their information have three qualities that set them apart from others. First, they manage and lead from the top with the support of information security management experts. Second, they take a risk-management approach to information security. And third, they govern IT in accordance with clear IT security standards set from the top with information security governance.
Proper governance will define the critical distinction between IT security and information security. In effective organizations, it is the responsibility of information security management to provide oversight of IT security. This means setting clear IT security standards for IT to follow and then ensuring that IT is managing the IT network in accordance with these standards.
While some IT vendors and IT practitioners may truly be doing an outstanding job of managing the security of the IT network on their own, my own experience in assessing a new client’s IT security is that IT is often very far from adequately managing IT security to a standard that could be considered “reasonable.” Sadly, most of these clients are sitting ducks, woefully unprepared to defend against a ransomware or other cyber-attack – and, management is usually surprised to discover how vulnerable they are.
Once a company’s leadership implements expert-driven information security governance, they can rest assured that they are meeting commercially reasonable levels of security – offering protection for their staff, clients, and company assets.
David Lam, CISSP, CPP, is partner and CISO at Miller Kaplan, a top-100 CPA firm. Learn more about the firm’s information security
services at millerkaplan.com.
Return to Event Page