Security needs to be done to protect the information assets from all the hackers, thieves, criminals and people waiting to steal laptops and data, as well as those disgruntled employees trying to sabotage the networks, right? Everyone knows that; we need to invest much more money to solve this problem.
Ummm… Can we see the next resume for the Security Officer position, please? How often is this message articulated within business today, that we have all these external and internal threats which must be mitigated? This approach to information security establishes the information security department as a cost center, an overhead function that is driven not by the business but treated as an expense that must be incurred to sustain the business. While there is some truth to this view, it is not the best way to position the information security program for long-term viability and growth within the organization.
Everything Essential in the Business Is “Driven”
Business leaders know that every activity within the business operations should be part of a process that contributes to the delivery of a service or the creation of a product. Supporting functions only exist to provide the capability to produce these deliverables and are not in and of themselves really that important. Just as activities performed within the business functions must establish a linkage to the end product, so must information security, or the function risks being put out of business.
So this raises the real question: what is a business driver for information security? If it is not hanging out the Fear, Uncertainty, and Doubt (FUD) shingle, what is it, really? Harry DeMaio, former CEO of Deloitte & Touche Security Services, LLC, provided some insight