In one of my earlier blog posts I branded the Information Security function (as part of IT) as an overhead of an overhead. It is of utmost importance for the security manager to run the security function in a way that enables the business.

The various components (sub-functions) of the security organization should align with the business objectives of IT and of the whole organization. There needs to be a cohesive security strategy in order to align the various components. One good way of understanding the business objective is to ask why the business is parting with money to deploy a specific security component. Why is the business giving me money for Compliance? Why is the business giving me money to implement IDP? Constitutive questions such as these will help you understand the fundamental concerns of the business, and based on these we can come up with a strategy suitably aligned with the business.

One good example is the area of compliance. Attempting to make each and every unit of your business compliant with certain standards, legal regulations and so on would be a tall order. First define the scope: draw a circle around the units that need to be compliant, then come up with a strategy to make them compliant by formulating your objective - derived from the business objective of why the business gave you money.

Any security implementation effort should have a well-defined focus (scope), a business objective, and a strategy that binds the various components cohesively and aligns with the ultimate business objective. This way the business will view the security organization with dignity; otherwise the security organization will end up being a spoke in the wheel of the business.

In the past, I was involved in discussions about the ROI of information security, whether security is insurance, and so on. After eating the forbidden apple from the tree of paradise, I realize security has no ROI and is not akin to insurance. Information security is a way of doing business with due care. Security is a way of enhancing the trust of a business among its customers and thus enhancing the identity (or brand image) of the company. A few years down the line people won't even question why you do security; it will become a part of your background conversation. Nobody questions why we buy hybrid vehicles anymore, right?

If the components of the security function are not cohesively aligned with the business objective, security is a spoke in the wheel of the business; otherwise it is a brand enhancer for the business.