Thursday, December 4, 2014

Why Information Security is a Management Issue

Mike Gillespie, a principal information security consultant, says that many people, even experts and business owners, think that information security is an IT problem, when it is actually a management issue.

He adds that anyone who needs evidence need only look at the current wave of data loss incidents (who can forget the recent Apple iCloud hack?), where companies as well as users are paying the price of such losses.

He says that only a few of these were caused by IT practice; many are the result of business or human error. Governments in KSA, Europe, and elsewhere are taking a range of measures to ensure information security, but vulnerabilities still exist in the system.

Why do we need revolutionary moves in policies?

A number of information security concerns were raised and clarified by the information security professionals gathered at one forum; the points they added in the discussion are summarized below.

Lack of integration:

Where are the physical security people in the information security plan? Where are the people who are expert in dealing with personnel-related risks? Who co-ordinates the response?

These information security professionals added that this is not to say IT security has no part to play; it does. But the people who act as guardians of the system in these other roles are equally important in securing it, and they must be part of the team too.

This negligence must be tackled by senior management, because these roles are just as important in securing the information held in any IT infrastructure.

They also added that there is no standard to help at the individual company level, and that no single guideline exists across the whole information security world.

However, they added that the information security standard ISO 27001 is still being developed and improved, but it already builds on 11 key control areas, making clear that information security is a combination of policies and procedures involving HR, business continuity, compliance, physical security, and so on. This shows that information security is not just an IT matter; it is an organization-wide process that must be owned by management itself.

Why do we need accountability?

One thing we must understand is that adoption of the ISO 27001 standard is on the rise, and organizations that really want to get it right have to create an overarching security function. Only a few businesses do this.

In most cases, large companies in KSA set up a separate department staffed with highly trained information security personnel, while companies that cannot afford a big team hire one or two individuals with information security knowledge. But experts say this function must be built into the overall organizational structure if it is to protect the whole system and the integrity of the business. No company can achieve the desired success unless it keeps the wheel turning continuously and adopts new measures as quickly as possible.
