Home » Security Leadership » Exec. Communication

Opinion

Information Security Management: The Basics

It's one thing to establish a security program that meets the needs of your organization. It's quite another to successfully embed the principles of that program into the very DNA of your organization

By Micki Krause (et al)

July 01, 2008 —

It's one thing to establish a security program that meets the needs of your organization. It's quite another to successfully embed the principles of that program into the very DNA of your organization.

However, it can be accomplished if you take a multi-faceted approach that incorporates organizational, managerial and operational aspects that are closely associated with the business.

This approach can be condensed into three major areas: assessment, implementation and monitor/measurement. Here is an exploration of these three areas:

1. Assessment
Corporate culture.The first thing to assess is the culture of your organization. Few things are more frustrating than trying to fit a square peg into a round hole. Thus, it's important to know where you stand, from an organizational perspective, before launching an initiative with as potentially high impact as a security program. After all, security is a change agent, and people by nature are not conducive to change. Making matters even more challenging, security professionals typically work in resource-constrained environments, in which they have little authority.

When you work within the confines of your organization's culture and align the security program with the cultural reality of your organization, you can gain a key leadership edge. It's essential for the security professional to adapt the look and feel of the local practice.

Business alignment. In order to provide value from a security perspective, it's essential to work very closely with the business, understand the business's needs and be able to fully articulate the business value of the security program. Indeed, business alignment is the only way to gain the cooperation and buy-in from your business constituents that's critical to the success of the security program. Unless you truly understand the business, you can't accurately and forcefully strategize, deploy and communicate the value of the security function.

Management commitment. Depending on the maturity of the security program in your organization, you may require anything from a few tweaks to a full implementation of substantial controls, implying significant budget considerations. Therefore, it's imperative to have executive management sponsorship and line management buy-in. Security professionals must make themselves visible and known to business management, especially business leaders who will be most involved with the program or feel the effects of it the most. It's a symbiotic relationship that pays off in the end.

In fact, collaborating with other functions within the organization is essential to the success not only of the security professional but also of the business. The most important business areas to align with include compliance, governance, business continuity, operational risk and audit. Information security is interdependent on all of these areas. One way to build functional commitment and collaboration is through security councils.