Globally, many organizations are spending millions of dollars protecting their businesses and the infrastructure that enables them, but are they really secure? We shall discuss the answer to this question shortly.
We need to understand the core basics before we jump to a conclusion about whether we are secure, to know where we stand, and to see why we face challenges and end up firefighting at the last moment.
We all know that the practical approach to implementing information security is Top to Down. Well! Where does this Top start and where does this Down end? Those organizations that have a clear line of demarcation for where the TOP starts and where the DOWN ends shall succeed and can reap major benefits from their information security investments.
Let us see how TOP can be defined in the TOP to DOWN approach:
a. Someone Authoritative
b. Have power
c. Have a huge / limited pocket
d. Business minded, meaning they understand only investments / portfolios / profits / presumable losses / recovery options, etc.
e. Finally, their focus will be on expenses, financial reports, balance sheets, cash in / cash out statements, etc.
Did you notice what is actually missing here? Yes, something called business enablers. People at the TOP are least bothered about business enablers; sometimes they do bother, but most of them are focused on, and are after, success / results / growth.
c. Have limits
e. Work for salary
f. Directionless, in general, unless otherwise specified
*There are many categories that describe the DOWN category; we shall discuss them further in my upcoming posts.
Before we even talk about aligning information security with business objectives, we need to determine whether people at different levels are well informed about their roles and responsibilities, and able to articulate them, especially where they address information security. THE CORE BUSINESS ENABLER.
In a typical organization there will be a Board, Top Management, Executive Management, Managers/Supervisors, Team Leaders, and a Core Team. Humans are the weakest link, yes, agreed, but what are we doing to address it? It is a question every organization must ask itself, and such questioning must start from the TOP.
Well, everything I mentioned above has already been discussed in detail, and many publications have evolved and mastered it, yet something is still lacking and many organizations still fall prey to security misappropriations. Did you ask yourself WHY? How can we bridge this GAP?
Let's get to the point!
It is actually easy to say that information security is everybody's responsibility, and so on.
In reality, it must be the core and primary responsibility of the TOP team, who actually hold authority in the organization. Whoever joins with information security responsibility must be aware of how to liaise with the TOP team and must be able to secure sufficient time and participation from the TOP team while establishing the governance framework / architecture.
A clear communication channel must be established between the information security function and the TOP team.
Business units, their processes, inputs/outputs, their supporting infrastructure, the respective teams' skill sets, the role they must play to enable the business in a secure fashion, their core functions, their portfolio role in the business, etc. must be clearly documented, and the TOP team must be aware of this information and its periodic updates.
Once the TOP team is aware of all the activities of the business and its concerns, taking information security, regulatory compliance, and other human and environmental factors into consideration, one can determine that the culture of the TOP team is not merely business centric, but that they are well informed about information security and its core aspects, which ultimately enable the business, and able to articulate them.
While constantly changing environmental, regulatory, and human factors, along with technology risks, do exist, the above approach would at least address the risk communication part effectively by making the TOP team aware of the importance of information security due diligence, which in turn helps the organization to counteract threats strongly.
There are many aspects I thought of including in this blog, but I would like to seek suggestions / feedback from our ISACA community or from the general public.