One of the common problems in Information Security is the belief that a technology solution will be able to resolve all the security problems that an organisation faces. As a consequence, Information Security professionals have the tendency to dive straight into designing and implementing a particular technology product (hardware, software or both) and then wondering why the business fails to see any benefit.
From our experience, this approach significantly reduces the chance of a successful implementation – especially in the eyes of the business. Worse still, is that the continuous focus on implementing the newest technologies just leads to a series of failures. This causes a significant erosion in the business’s confidence and creates a belief that Information Security is not actually adding value or adequately protecting the business.
Today, most organisations are much more cost conscious and want to ensure that all their investments will add value – be it directly or indirectly. Information Security is no exception to this pressure and needs to demonstrate that it’s adding value by providing better and appropriate protection to the organisation.
By focusing on People, Process and then Technology, you can better target the real security issues and their relevance to the organisation. IT Security Tools should only be implemented to support the people and processes that they need to follow to provide protection. Typically, they will be used to automate tasks which would be too expensive or impossible for people to perform, e.g. the correlation of security events. The true value is in the actions that people take as a result of the information provided by IT Security Tools.
Therefore, it is necessary to report on the information generated by the IT Security Tools and the actions taken as a result of their outcomes. It is important to publicise the success of a specific IT Security project – but it is also necessary to continue to publicise the ongoing actions and outcomes that result from the change in practices. This will help remind the senior management, who agreed to the original investment, of the value of their investment and demonstrate the benefits that it continues to bring to the organisation.
When you successfully deliver value to an organisation, it will build up the confidence of senior management and stakeholders in your ability to deliver – which in turn creates more buy-in from future stakeholders. If you do not publicise the successes, then this is unlikely to happen.
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.