Think of Information Security as a Control function and not as a Support function.
There is a commonly held view across Information Security communities that Information Security should be an “enabler” to the business. This is simply the wrong debate and one that CIOs and CISOs must avoid: Information Security results from the application of controls around Information to protect the business from the threats it faces.
The “Security as an enabler” cliché is often used in contexts where Information Security functions have historically promoted approaches perceived by business or IT communities as arbitrary and negative (i.e. “disabling”). But it is a cliché also applied broadly to many Support functions in a large organisation (IT, HR, Procurement as an “enabler” etc.). It simply means that the business expects Support functions to make it work better and not to impose arbitrary or bureaucratic barriers.
But Information Security is more complex than that and it cannot be seen just as a Support function, ensuring that business processes run safely. It needs to be a Control function, mandating protective measures and ensuring that they are implemented. It is there to protect the business from real and active threats – this is no more (or less) enabling than roofs over heads or locks on doors. And saying no to some individuals is sometimes necessary to protect the business as a whole.
The CISO must have the personal, professional and political gravitas to communicate effectively the reality and seriousness of the threats to all business stakeholders. The need for protection should follow as a natural consequence. Proportionality and common sense should prevail throughout (i.e. ensuring the adequacy of controls in proportion to the threats), and all decisions about Controls (including budgetary and financial decisions) should be made in the context of a structured Information Security Governance model.
This article is the first in the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid”, in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs will have encountered.
We will be expanding further on those concepts in the following articles in the series.
Managing Director – Corix Partners
www.corixpartners.com
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.