The role of management in IT security

With increasing levels of regulation reaching industry, organizations are becoming legally obliged to demonstrate a consistent, measurable capability for identifying and managing risk throughout their business.

The main difficulty is that management teams sometimes struggle to translate security and risk into business terms.

Conventionally, business practices are governed by ROI and the bottom line, but risk management strategies are complex and it's often very difficult to attach monetary value to all but the most tangible elements.

Furthermore, risk management practices can be very time consuming, which pushes organizations towards quick wins: they address the risks that would visibly disrupt daily operations and defer larger, less frequent but potentially far more destructive ones.

One thing is clear - information security is not about tools and technologies, it's about policy and process. Firewalls, intrusion detection systems, public key infrastructures and anti-virus countermeasures are all enablers that support risk management; none of them manages risk on its own.

Security requires effective and meaningful communication between business managers and those who manage security risk.

Threats, the likelihood of an exposure actually being attacked, and the cost of mitigation must all be weighed and prioritised before any remediation is attempted. Management needs the support of security personnel in understanding the impact and probability of each potential incident.

Security professionals must highlight the impact on business processes and operations, not the technical issues or their detail.

CIOs and CSOs can act as intermediaries and buffers between security professionals and upper management, translating the concepts of risk and exposure into business concepts that can be managed.

Similarly, they have an important role in escalation and in ensuring that resources can be made available for high-priority issues and concerns.

As in every area of business and IT, security has to be considered from the ground up - people, processes and technology must be combined to produce a reliable, cost-effective service that has an appropriate level of integrated security.

It is easy to declare security important, but running any operation in a secure fashion costs time, resources and money, and that cost has to be justified in business terms.

To achieve this, organizations need to make a conscious effort to get security and management talking the same language.

November 2005