JOnline: Information Security and the Human Factor 

Download Article

If technology alone were enough to keep an organization secure, Internet threats would be little more than an afterthought for many enterprises.

As businesses of all sizes and industries have learned, unless security technologies are supported by strong corporate security policies and procedures, even the most robust solutions fall short of providing adequate protection against today’s rapidly evolving threats. Policies and procedures complement security technologies. They represent how-to guidelines that identify the steps that must be followed to avoid unsafe practices that would jeopardize the confidentiality, integrity and availability of data.

However, although technology and processes represent foundational pieces of a corporate information security framework, a third component is needed to complete the picture: people.

It is not just that people make security technology run or that people create and follow critical security policies, procedures and processes.

It is that people—that is, having the right people in the right places—can compensate for deficiencies in processes and technology. Indeed, people can be either the weakest or the strongest link in the security chain. Making them the latter is possible with executive involvement, the assistance of security professionals, cross-functional corporate input and scheduled independent reviews.

Operating at C-Level

Information fuels business. In every industry—from financial services to manufacturing to healthcare—information reigns supreme. The same holds true for each functional department within a single company; information drives human resources, product development, sales, marketing, customer relationship management and more.

As a result, information must remain accessible yet secure. Protecting information, in turn, must become a top business priority rather than just another technology issue.

That’s where the chief executive officer, chief information officer or chief operating officer comes in. For an information security program to be embraced as a critical business initiative, it must have the support and ongoing attention of executives at the corporate level. Information security projects require funding and resources. Securing business information impacts virtually every individual, every process and every piece of hardware or software in an enterprise. Moreover, information security—or even a lack of it—can have a noticeable impact on customer satisfaction, corporate brand and reputation.

In or Out

In the past, security problems could be handled by nearly any professional within an IT organization. Threats spread relatively slowly and were easy to pinpoint, eradicate and contain.

This is no longer the case. Internet threats have reached an unparalleled level of complexity, and the rate at which they appear and propagate can outpace even the most tech-savvy organizations. Perhaps more importantly, software vulnerabilities are constantly being uncovered and exploited so quickly that proactive patching is virtually impossible, especially as IT staffs are charged with covering more bases with fewer resources.

That is why having a dedicated information security organization in place is key to understanding and meeting the information security challenges of today and tomorrow. For every 1,000 employees, at least one information security professional must be in place who has the credentials and experience required to recognize and respond rapidly to anything that threatens the security and availability of corporate information assets. A senior-level leader who reports to the CEO, CIO or COO should be at the head of the information security team.

Of course, for many organizations, outsourcing some or all security functions is a viable alternative. Because information security is critical yet intricate, hiring reputable experts to manage it can result in significant cost savings and a much stronger overall security posture.

It Takes a Village

Good corporate governance is the hallmark of any successful, profitable organization. It helps establish the direction of a company and ensures that the company stays headed in that direction. Corporate governance reflects the interests of a wide range of company stakeholders, from the board of directors to management to shareholders.

Information security also requires guidance by a governance board. Because information security impacts the entire enterprise, an information security governance board must include leaders from key business units and functional departments. These departments typically include legal, facilities, human resources and IT. Moreover, just as the corporate governance board is held responsible for the direction of the company, the information security governance board is accountable for the company’s information security program.

A Look Back

Because the aim of information security initiatives is to maintain the security and availability of information, holding periodic independent reviews of information security policies, procedures and solutions is a necessity. While in-house reviews can add value by uncovering ineffective practices or faulty technologies, the audits performed by a team of Certified Information Systems Auditors (CISAs), for example, can provide a much more detailed analysis of the level of compliance toward various industry and government regulations.

Independent reviews also give organizations a way to gauge the effectiveness of their security program against industry best practices. In addition, because their experience is based on interaction with multiple businesses and organizations, independent auditors can do more than identify problems. They can offer trusted recommendations for tightening controls and practices to make real improvements.

Information security is not likely to fall off radar screens in the business world anytime soon. Indeed, as information technology becomes even more tightly integrated into the daily operations of organizations across continents and industries, information security will remain a chief priority in boardrooms large and small.

Consequently, critical information security initiatives will be driven and implemented by corporate executives working together with information security professionals who keep a watchful eye on information assets and potential threats on the horizon. More than the most cutting-edge technologies or tried-and-true best practices, this human factor will prove to be an organization’s best defense against whatever may lurk around the digital corner.

Mark Egan
is chief information officer at Symantec Corp. Egan is the author of The Executive Guide to Information Security, published by Symantec Press.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights res erved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.