ISACA Journal Author Blog


The Evolution of Information Security Programs

Published: 11/24/2014 3:09 PM | Category: Security
Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP

Information security programs need to evolve in order to survive and mature. This century will see almost a thousand times greater technological change. This means information security programs will need to evolve simply to maintain their current maturity stage. The key strategy for managing the maturity life cycle is adaptation. Organizations unwilling or unable to adapt may find themselves regressing to an earlier maturity state, while enterprises willing to innovate and expand upon new paradigms will thrive. The following strategies can assist in the evolutionary change required for maturity to flourish:
  1. Develop change-adaptation strategies—Each organization needs to develop a strategy for adapting to change. Whatever the change appetite, information security programs are more successful in managing change when those programs are in control of it rather than having it forced upon them.
  2. Identify focus areas—It is possible to have too many ideas. A mature information security program needs to select a few focus areas that have the highest potential to take it to the next maturity stage. This requires identifying any weaknesses that could thwart maturity progress, then methodically eliminating them.
  3. Build connectivity—Mature information security programs cannot exist within a silo. All stakeholders need to understand how their decisions can affect the organization’s security posture. This means communicating security messages across all levels of the organization.
  4. Be prepared for setbacks—Setbacks are inevitable in life. Successful information security programs regard the occasional bump in the road as the cost of innovation and a chance to try again, similar to Henry Ford’s saying, “Failure is simply the opportunity to begin again, this time more intelligently.”
  5. Seek continuous renewal at every maturity level—An information security program cannot tolerate stagnation. Maintaining an effective program requires vigilance in sustaining its people, processes and technologies, as well as continuing to seek solutions to emerging risk. The security threat environment is dynamic and the control portfolio needs to be tweaked to adjust to changes in the risk landscape and unique organizational environment.
In the dynamic business environment we are currently experiencing, continual change may remain the only constant. In order to maintain and advance maturity, information security programs need to respond and transform themselves to manage emerging risk.

Read Kerry A. Anderson’s recent Journal article:
“From Here to Maturity—Managing the Information Security Life Cycle,” ISACA Journal, volume 6, 2014.
