Jeimy J. Cano M., Ph.D., CFE, CMAS
Even before a formal or conceptual structure, a business model requires a vision, a passion, a taste and a different way of seeing the world that allows its creator to shape an idea or thought, a way to develop his intellect and an opportunity to assemble a puzzle of challenges in pursuit of his own dream. A business creator knows he will have many things in his favor as well as many others against him, and knows that he must have good judgment to understand his competitor’s considerations and a flair for taking calculated risks to get what he wants in the end.
In this sense, the information security professional should understand that his business is to find the opportunity to meet the demands of the organization’s information protection and a way to create an environment of trust, knowing that uncertainty and the inevitability of failure will test his strategies and safeguards. Understanding the business model of information security means understanding the expectations of top executives and how security is part of the board’s agenda.
Therefore, information security professionals should be part of the organization’s strategy and its tactical plans, so that they understand how business value can be generated and how this value unfolds in each of its areas. In this sense, information security practices become a natural part of the processes, generating proactive actions to be carried out by the people involved in them.
The information security function will fulfill its promise of value to the clients when it is able to reinvent itself in every business process and has consistently instilled commitment throughout the organization as well as an effective culture for handling information security.
In other words, an information security professional will be considered successful when information security policies and practices allow him to anticipate and understand an emergent risk. These actions will enable the top management to fulfill its promise of value to the customers in an assurance context.