Management’s View of Information Security

Monday, May 23, 2011

Dejan Kosutic


If you think your management doesn't have a clue what information security is all about, keep in mind that the misunderstanding usually goes both ways: management often thinks you have no idea what is appropriate for the business.

So before suggesting to your management that they start an information security / ISO 27001 project, you should learn how your management thinks.

Here are the five main concerns your management will have when you approach them:

Is it really necessary?

You have to be prepared to present the main benefits of information security, because otherwise management won't understand its purpose. In most cases you can choose among the following benefits:

(1) Compliance with legislation, contractual requirements, etc.,

(2) Achieving competitive advantage in the marketplace,

(3) Lowering expenses by decreasing the number of incidents, and

(4) Optimizing your business operations by clearly defining tasks and responsibilities.

Read more on these four benefits here: Four key benefits of ISO 27001 implementation.

Does it fit into our company strategy?

Strategic fit is very important for your top management - one of their primary concerns is how to keep the company competitive over the longer term.

Therefore, you have to do your homework - find out how information security can underpin certain elements of your company's corporate strategy.

How to decrease costs?

One of the most misunderstood aspects of information security is that most of the problems (i.e. incidents) happen not because of technology, but because of human behavior.

Therefore, most of the investment needed will go into defining new policies and procedures, and into training and awareness programs that prevent such incidents from happening - such investments are usually far cheaper than new technology.

Sometimes, investment in technology will also be needed - in such cases you can try to calculate the Return on Security Investment. For instance, you might estimate the damage that would be caused by a fire and compare it with the investment needed to prevent that damage.

Just be sure not to exaggerate here, because you'll lose your management's confidence.

How to make sure we've achieved what we wanted?

First of all, you need to help your management set very clear objectives - usually, those objectives will derive from the four benefits mentioned above.

The second step is to set up a measurement system that defines how to measure whether the company has achieved the set objectives. That system must assign clear responsibilities: who will produce the reports, in which form, and who is going to read and interpret them.

Finally, a system must be in place to correct deviations from the objectives (and be sure that such deviations will happen).

What risks are involved?

Management usually wants to know how likely it is that the investment they have made will fail. Here you need to explain to them the balance between the risks you will identify during the risk assessment and the security measures your company will invest in - the higher the investment, the smaller the chance that something will go wrong.

Of course, over-investing is not a solution, and this is why you need to leave the decision about acceptable risks to management - your role is to present the risks and potential security measures to them in an objective manner. The decision about what to do with those risks is up to management.

The point here is that the problem is not that management doesn't want to invest in information security, but that it is either uninformed about it, or that you and your management are not speaking the same language.

By understanding the five basic issues your management is concerned with, and by establishing appropriate communication with them, you'll dramatically increase the chances of success for your information security project.

Cross posted from ISO 27001 & BS 25999 Blog
