Opinion

Information Security Management: The Basics

It's one thing to establish a security program that meets the needs of your organization. It's quite another to successfully embed the principles of that program into the very DNA of your organization.

By Micki Krause (et al)

July 01, 2008

However, it can be accomplished if you take a multi-faceted approach that incorporates organizational, managerial and operational aspects that are closely associated with the business.

This approach can be condensed into three major areas: assessment, implementation and monitor/measurement. Here is an exploration of these three areas:

1. Assessment
Corporate culture. The first thing to assess is the culture of your organization. Few things are more frustrating than trying to fit a square peg into a round hole. Thus, it's important to know where you stand, from an organizational perspective, before launching an initiative with as potentially high an impact as a security program. After all, security is a change agent, and people by nature are resistant to change. Making matters even more challenging, security professionals typically work in resource-constrained environments in which they have little authority.

When you work within the confines of your organization's culture and align the security program with the cultural reality of your organization, you can gain a key leadership edge. It's essential for the security professional to adopt the look and feel of local practice.

Business alignment. In order to provide value from a security perspective, it's essential to work very closely with the business, understand the business's needs and be able to fully articulate the business value of the security program. Indeed, business alignment is the only way to gain the cooperation and buy-in from your business constituents that's critical to the success of the security program. Unless you truly understand the business, you can't accurately and forcefully strategize, deploy and communicate the value of the security function.

Management commitment. Depending on the maturity of the security program in your organization, you may require anything from a few tweaks to a full implementation of substantial controls, implying significant budget considerations. Therefore, it's imperative to have executive management sponsorship and line management buy-in. Security professionals must make themselves visible and known to business management, especially business leaders who will be most involved with the program or feel the effects of it the most. It's a symbiotic relationship that pays off in the end.

In fact, collaborating with other functions within the organization is essential to the success not only of the security professional but also of the business. The most important business areas to align with include compliance, governance, business continuity, operational risk and audit. Information security is interdependent with all of these areas. One way to build functional commitment and collaboration is through security councils.
