Wednesday, March 4, 2015

Humans in Information Security

People bring many prejudices to the task of identifying the different roles in Information Security across the position scales of a company; it is human behavior to oversimplify the levels of responsibility.
Everybody knows the typical Information Security issues of a company, and companies and the media have sometimes blown them out of proportion. Addressing them comes down to a combination of creativity and common sense, which is where everything begins.
A typical modern company has the following macro divisions in its workforce:
· End Users
· Information Security Officers
· Top Executives

End users

End users take the brunt of the decisions of both ISO’s and TE’s and are mostly dubbed the “enemies” of the ISO’s. Nothing is farther from the truth: the people who know most about the micro management of the company are the End Users!
They are the people who face, day by day, the challenges and attempts of hundreds of wannabe small-time criminals who want to obtain information or any kind of advantage from our company.
End Users are our first and best line of defense against information criminals, and they deserve the support and training of the Information Security Officers and Top Executives.
ISO’s have to explain carefully the role of the EU’s in the security strategy. It is imperative to keep the explanation only mildly technical; the speech has to be simple, to the point and focused on their role, because humans tend to lose focus on topics perceived as outside their area of expertise.
EU’s have to understand their responsibility in the business process and the potential impact of their actions on their job and on the organization in order to realize their full potential as partners in the security of the organization.

Information Security Officers

Information Security Officers are called the “Good Guys” in the company because they are the rule makers and protectors of the realm, but this can easily turn into the opposite.
Information Security inside an organization is a delicate matter, as it needs to create a synergy between the business needs, the business process and, well, security.
ISO’s tend to become entrenched in that last factor only and turn into a “NO” man, which is not far from becoming an obstacle for the company.
The primary task of an ISO is to listen to the needs of the business together with the Top Executives, then listen to the way it is currently executed by the End Users, and create a Security Strategy that combines both points of view.
The second task of the ISO is to ensure that this strategy will not hinder the EU’s while still covering the TE’s objectives; this can be done by designing and/or implementing tools and procedures together with the EU’s.
The responsibility of the ISO is to protect the business: not only the information but the business itself, and that means protecting the way it is done too.

Top Executives

Top Executives are very important for the company, as they define the macro operations of the organization. They help to design the security strategy and must help to enforce it by using their skills to build a culture out of that strategy.
TE’s tend to forget this second part and stay in a passive role, thinking that once the order is issued the responsibility lies exclusively with the ISO, but the company’s security is not that simple.
ISO’s by definition cannot change business procedures as the strategy requires, because this is a TE function, so the TE’s have to be involved in every adjustment to the business processes.
ISO’s have to explain their role and its implications to the TE’s, so it is imperative to describe it in business language and to be very careful with any technical language involved; as previously stated, it is common for human beings to ignore ideas that are unclear or not perceived as part of their expertise.

Conclusion

In the matter of security, an organization cannot leave its responsibility and execution in the hands of one individual; it is the work of all echelons of the business to develop a security culture that will protect its employees and their jobs.

Security is not a new field, but it is one of the less developed ones, and new threats in new business fields are forcing a due sophistication on its methods. This calls for all disciplines to embrace new ways of getting the job done without giving away our hard work to petty criminals.
