Setting the Stage

Pages: 11 (2526 words) Published: July 3, 2011
1. Setting the Stage
Few would argue that enterprises have increasingly become dependent on IT to facilitate
business operations. In today’s knowledge-driven economy, information is critical to an
enterprise’s ability not only to survive, but also to thrive. Experienced business leaders
know that information deserves at least the same level of protection as any other asset, and
have made information security managers a common addition to the organization chart.
However, information security has struggled as a function. Security managers face
myriad challenges, including changing risk profiles, lack of funding, cultural issues, and
internal and external threats. Managing information security has never been so critical,
yet there are very few formal models that help an information security manager do so
effectively. Of the few models that do exist, even fewer consider how the enterprise
changes, how the culture adapts, and what may or may not emerge as a result.
Current models tend to be static and simple, while environments are continuously
changing. The Business Model for Information Security recognizes that it is a dynamic
and complex world, and provides a way information security managers can take a
holistic approach to managing information security while directly addressing business
objectives. The model also provides a common language for information security and
business management to talk about information protection.
Current Business and Security Landscape
Information security is continually evolving. Throughout history, the importance of information protection has been evident. Cryptography was an early example of a control
created out of an understanding that information is a valuable asset. The relatively recent
dependence on computers to facilitate business operations resulted in the development of
technology-based information security solutions focused on protecting the enterprise’s
information infrastructures from external threats. However, as business has come to view
information as a critical asset, and has increasingly come to depend on public networks
to transport sensitive information, protecting information has become less about
technology and more about sustainability of the enterprise itself.
The current landscape is riddled with challenges. While external issues such as rapidly
changing regulatory requirements and continually shifting risks constitute primary
concerns, they do not stand alone. Internal issues can prove just as thorny.
For example, although security managers and business managers are working toward
the same goal, they often seem to be speaking a different language. Information security
managers strive to ensure that their program helps the enterprise meet its organizational goals; this can be a difficult task, however, when they are speaking in terms of specific
threats, risks, controls and technologies while business managers are talking about cost,
productivity and return on investment (ROI).
© 2009 ISACA. All rights reserved.
An Introduction to the Business Model for Information Security
The complexity of this cross-communication is compounded by the fact that security
is often defined inconsistently throughout the business. For the financial manager,
security may equate to minimizing financial risk and loss, while to the sales manager,
it is ensuring that nothing interferes with sales efforts and achieving targets. The legal
department sees it as a function of regulatory compliance, while a board member regards
it as protection from personal liability. To resolve this issue, enterprises must create
a culture that is supportive of information security. Everyone in the enterprise must
thoroughly understand their role as it pertains to security management. The Business
Model for Information Security addresses these issues by defining roles and introducing
business terms—through systems thinking principles—to...