
Posts Tagged ‘Security Governance’

Does Information Security matter?

Monday, June 18th, 2012

Based on a recent article in SC Magazine, it apparently does matter to
the head of IT, whether or not that person is aware of the security
posture within the enterprise. As soon as data security has been
compromised and the news is on the front page, someone in the IT
department always seems to get the axe.

But should the IT department alone be held responsible for overall
information security? Business requires reliable information security to
ensure company information is well protected; lacking the will or the
means to protect company information assets won't make business partners
comfortable. Information security cannot come from the IT department
alone. When was the last time an IT department asked for a new privileged
access management solution and had it denied by the business? This is a
common story from IT managers at conferences.

At a recent event, I was having dinner with a group of seasoned security
professionals. We started to talk about what IT security means for an
organization. Some spoke of security management that focuses on things
like the number of vulnerabilities found and remediated. Others spoke
about how they kept hitting a plateau in the number of workstations
patched with the latest antivirus. But those remediations and
vulnerabilities wouldn't matter to a business person unless they mattered
to the bottom line. One thing we found in common: businesses still have a
tendency to sign off on acknowledged risk until they are required to be
accountable for the security issue.

It is like driving a school bus without adequate maintenance and
insurance. The bus is full of children (e.g. customers/employees
unaware of the risk) who were assured by the bus operator that
everything possible has been done to ensure the safety and security of
riders. Meanwhile, the operator is rewarded by operating several bus
routes, until one day a bus crashes and many innocent lives are taken.
It is not the bus operator's intention to cause any harm. But as long as
one can get away with making money without incurring the cost, in order
to beat out the competition, there will always be someone who is willing
to turn a blind

Information security is similar in many ways. If you don't keep your
information security up to date, sooner or later there will be an
intruder roaming around the network. It is simply a matter of time until
your business operation faces the truth that many customer records have
been stolen, or until the intrusion shows up on the news.

Businesses tend to ignore information security when it doesn't appear
relevant to the core business process. But the reality of the matter is
that many business-critical processes today run on information

- Sending email to confirm an order with your customer

- Finding delivery routes using online maps and GPS

- Receiving payments through wire transfer

- Processing payroll for your workers

- Online payments to your vendors

- Social network marketing

- Process and resource planning

- Researching supply purchases

- Processing customer orders from ePOS

- VoIP or PBX/IP telephone systems for making sales calls

Most likely some of your business operations depend on information
technology. How much would it cost your company if your business
operations were disrupted for hours, days, or weeks? Does it cost your
company money if you cannot deliver products to your customers on time?
How much would it cost your company if you couldn't file your tax return
on time? What would it mean if your business just lost most of its
customer records because of weak application security?

Culture vs Governance

Tuesday, February 14th, 2012

“It takes a village to secure a village” means security is the expected behavior of any good corporate citizen. On the security side, we often hear about strategy, solutions, governance, planning, and controls. But what seems to be missing from the whole picture is how to influence security behavior in the organization. If security is not taken seriously, does the corporate policy really matter all that much to an employee?

Recently, at another security conference, the same message was reiterated: influencing cultural change is the primary objective of any CISO. So is there a gap between existing employee behavior and the expected secure corporate culture? Let's see if we can point out some differences between governance and culture today.

Governance: Employees should not disclose sensitive data outside of the corporate network.

Culture: The only way I can handle my workload is if I bring my work home on my own personal device.

Governance: Employees should follow the information security guidelines.

Culture: Security guidelines can be re-evaluated when it comes to doctors and boardroom executives.

I once asked a very senior CISO, “What is information security governance?” In his own words, “…governance is a framework that defines the plan and strategy to achieve balanced information security objectives.” However, with so many conflicts between security guidance and organizational culture, what is the right governance for a business?

Then this article ( popped into my browser. The key points are:

1. Culture is more important than strategy
2. Companies who align culture and strategy are more successful
3. Encouraging individual, cultural attributes are the keys
4. Maintaining a successful culture takes careful attention and hard work

Between what we have to do (compliance) and how we tend to behave (culture), the article left me with two questions:
a. How do we make corporate culture an integral part of security governance?
b. How will security help transform the business to be more successful?

There is no definitive answer from me at the moment, though I do welcome any comments from anyone who reads my blog.
