Controlling Risk to Information Assets – Cyber & Data Security in the Workplace
Is information security an afterthought in your business? At what point is security considered?
Now, being a technologist, you might answer that it is at the forefront of your activities, and that's great. But for the business people, at what point does it enter the business discussion? Chances are it doesn't.
The reason I raise the question is simple. Effective security should be core to business operations and culture: not a bolt-on application or a retrofit, but part of the business process itself. I think it is in our human nature to look at the upside when discussing anything new, whether a business opportunity, an investment, or another venture. Far too often we forget the downside, perhaps choosing to ignore it, and without that consideration we create situations that become emotionally charged and highly reactive when the unforeseen arises.
The same is true for information security. While organizations and business leaders seek the advantages of implementing technology-based solutions to create competitive advantage, the downside and the potential risks of exposing electronic forms of critical business assets are generally not given appropriate consideration. Without that consideration, the threat of electronic asset theft is left unmitigated and the cost of such an event is never weighed.
Too often information security is seen as a purely technical function that adapts to the needs of the business. However, such an approach leaves huge gaps in business process and procedure for which technology is not an effective stopgap. Without a clearly architected and documented business process, and technology solutions designed to support that process, technology alone has no hope of keeping a check on unwanted activity.
We see the same disconnects repeatedly in organizations that have suffered an information compromise, are seeking to become compliant, or are generally looking to improve their overall security posture. Information security is not effective when it operates as a disconnected organization that builds perimeters of firewalls, intrusion detection systems and log analysis devices and jumps to the call of some alarm. Too often a broken process is the root cause, one that reactive security measures will never stop, and a security breach goes unnoticed for months or longer. Once it is identified, the organization's response to the breach is emotionally charged and highly reactive. The lack of preparation can cost the affected organization dearly through brand degradation, cleanup costs, loss of customers, and legal proceedings.
Effective information security programs are tightly integrated into the businesses they serve across people, process and technology. Highly effective, high-profile organizations get this. You can see it in the manner in which the organizations themselves are structured, and in how new ideas are discussed, vetted, and implemented. Sound risk management principles prevail in the organizations that get it.
A highly integrated approach applies business-centric risk management principles that evaluate risk, identify compensating controls, and implement the appropriate structures to prepare for, prevent, and respond to information compromise, protecting sensitive business assets.
A well-constructed information security program should bridge the gap between business operations and their processes on one side, and standards-based security measures such as those developed by NIST, SANS, ISO or others on the other.
To find out how your information security programs measure up, contact us.