The security professionals are, often wrongly than rightly, blamed for the failure of organisational information security. Instead of the blame game, we should learn to work together and share the responsibility.
A typical scenario in a South African organisation: the Chief Information Security Officer (CISO) complains to a colleague from another company that the information security in his firm is jeopardised by the managers’ and executives’ low awareness and deficient understanding of real cyber dangers – and, as a consequence, losing valuable organisational information resources.
There is even less understanding of the nature of the information security defence: “You’ve got the technical support and you are paid to protect us – you will be blamed for any damage caused by failed security”. This is a typical reaction of executives and boards to the CISO’s suggestions for allocating needed resources and, equally importantly, for their participation in securing organisational digital future.
The pictured setup often occurs in still rare SA organisations that already have a CISO. Other organisations are even in the worse information security situation. To be truthful, similar scenarios also happen in many other countries – but it must not be an excuse for us to behave in the same manner.
Obviously, many organisations have not yet realised that modern business world requires more astute managers and executives who will understand the critical nature of globally connected enterprises and the role that information security plays in protecting the prosperity of these organisations.
Instead of blaming – let us get organised
It is of the utmost importance to understand that the blame game will not sort out any problem. Hence, this text is not aimed at blaming business people for not understanding, often complex, information security issues. Unfortunately, there is even less comprehension of the technical jargon used by security professionals.
In plain English, the business executives and managers must be fittingly made aware of the methods of protecting their information assets in this modern, technologically imperatively connected world.
It is, firstly, important to understand that there are three general layers that should be responsible for securing organisational digital future. The first layer consists of information security professionals responsible to, primarily technologically, protect organisational information assets.
The second layer represents the company’s IT department that is in charge of supporting the organisation’s business goals and operations. This layer, although indispensable for organisational functioning in the digital world, sometimes appears as a stumbling block between the top management and the security professionals. This is somewhat understandable as the IT function attempts to secure the permanent availability of technology to the business people, often neglecting security issues.
The third, enabling layer represents the group of the business leaders, including managers and executives. This layer is responsible for strategies, policies and, equally importantly, the allocation of necessary resources for securing valuable organisational information resources.
By the roles those groups of people play, it appears logical that none of them can solely make an organisation digitally secure. Instead, only working together those people can make apt information security related decisions. In this regard, each of these groups should be able to understand that information security is about recognising possible risks to the company’s information assets and the comprehension of how to effectively address these risks together.
It is certainly the role of the top managers and executives to ensure that these layers work together and harmoniously in protecting organisational digital future. In order to do this, it is fundamental that those people understand the concepts of information security and the roles that different groups of employees should play in securing organisational digital well-being. A meaningful interplay between these groups, facilitated by the executives and CISOs, is the key to success.
As Chinese General Sun Tzu Wu wrote about 500 BC in his well-known and still popular ‘The art of war’, if we want to win a war – we have to know both ourselves and enemies. So, instead of the blame game, let us cooperate and learn about the roles each of us has to play in making our enterprises cyber-resilient.