Information, security and compliance in a joined-up world

ISO27001 is an essential tool for anybody in IT. Here’s why: ‘information overload’ and ‘data insecurity’ today are commonplace complaints. Computers are ubiquitous, communication can be globally instantaneous, and someone else can get a credit card in your name in a matter of minutes.

As we’ve shifted from a manufacturing to an information economy, the structure of organizational value has changed dramatically. The intangible assets (mostly intellectual capital) of most organizations are now worth substantially more than their tangible assets and this trend is unlikely to reverse – even as a result of the current financial bust!

Information is the lifeblood of the modern business. All organizations possess and use critical or sensitive information. Roughly nine-tenths of businesses now send e-mail across the Internet, browse the web and have a website; and 87% of them now identify themselves as ‘highly dependent’ on electronic information and the systems that process it. Information and information systems are at the heart of any organization trying to operate in the high-speed wired world of the 21st century.

Business rewards come from taking risks; managed, controlled risk taking, but risk taking nonetheless. The business environment has always been full of threats, from employees and competitors, through criminals and corporate spies, to governments and the external environment. The change in the structure of business value has transformed the business threat environment.

The proliferation of increasingly complex, sophisticated and global threats to this information and its systems, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is forcing organizations to take a more joined-up view of information security. Hardware-, software- and vendor-driven solutions to individual information security challenges no longer cut the mustard. On their own, in fact, they are dangerously inadequate.

News headlines about lost CD-ROMs, hackers, viruses and online fraud are just the public tip of the data insecurity iceberg. Business losses through computer failure, major interruption to data and operating systems, or the theft or loss of intellectual property, lists of individually identifiable data or other key business data, are more significant and more expensive.

Organizations face criminal damages, reputation loss and business failure if they fail to adequately secure their information. Directors face loss of personal reputation and potential jail time if they fail in their duty to protect the information their organization is holding.

But computer security technology, on its own, simply does not protect information. On its own, it just wastes money, gives a false sense of security and decreases business efficiency. What organizations need is a structured method for identifying the real information risks they face, the financial impact of those threats, and appropriate methods of mitigating those specific, identified risks. Securing information is not rocket science, whatever the technology vendors might say. Information is at risk as much through human behaviour (and inattention) as it is through anything else. Securing information therefore requires an approach that is as much about process and individual behaviour as it is about technological defences.

And no organization has either the time or the resources to try to work out, on its own and from first principles, how to do this effectively. Apart from anything else, the time taken and the likelihood of error are unattractive.

No organization needs to. There is an international standard for best practice information security management: ISO27001 (more formally ISO/IEC 27001). ISO27001 (http://www.itgovernance.co.uk/iso27001.aspx) has already been successfully implemented in more than four thousand organizations around the world. It gives organizations a reliable and effective framework for deploying an information security management system that will preserve their assets, protect their directors, comply with the growing range of data protection and data breach legislation and improve their competitiveness.

This article is free for republishing
Source: http://www.financealley.com/article_659054_15.html