« Unauthorized access | Main | The business view of information security, part 2 »

The business view of information security

Previously I'd said that a good, practical definition of information security is to prevent and detect unauthorized access. That definition is fine, but it doesn't address why a business would be interested in pursuing an information security program. In my view, there are two primary reasons: a good information security program can help control costs and add value.

Control costs

Unauthorized access leads to disruptions and disruptions cost money. The unauthorized access might directly disrupt business, worm and virus infections that crash workstations are good examples, or the results from the unauthorized access might be disruptive, such as when trade secrets or product development plans are stolen. As a result, the business wants information security to keep such disruptions to an appropriately low level.

Of course, the business would be perfectly happy if information security eradicated all unauthorized access. Unfortunately, not only is this an impossible task, the closer you get to such a goal, the more difficult it is to do business. Disruptions due to security processes can quickly become greater than the disruptions from the unauthorized access. So the business instead tasks information security with keeping disruptions at an acceptable level.

When operating to control costs, an information security team manages processes aimed at increasing the difficulty of gaining unauthorized access (prevention) and decreasing the damage potential of unauthorized access (detection). I feel that detection naturally includes response--if you detect something, you investigate and respond--but I've talked to others who feel that response should be an explicit part of the information security mandate. If your organization falls into that category, it's easy enough to alter the definition: prevent, detect, and respond to unauthorized access.

An effective information security program must be founded on frank discussions between the business and information security on the disruption unauthorized access would cause and the disruption security controls and processes would introduce. Those discussions should focus on identifying relevant disruptions and figuring out how they can be measured. Once you can measure disruption, you can work on defining acceptable levels of disruption. And from there you're well on your way to an information security program that the business backs because it produces a measurable control of costs.

A later post will explore how an information security program can add value.

Kevin Kenan on January 19, 2008 in Building a Security Program |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83420496153ef00e54ffb1a548834

Listed below are links to weblogs that reference The business view of information security:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

About

  • A blog by Kevin Kenan about technology, security, and the ancient craft of programming.

    You might also be interested in checking out TeXTARIUM, where I chat about fiction, music, and the pursuit of the perfect shot of espresso.

My Book

  • Cryptography in the Database: The Last Line of Defense

    My book on using cryptography to protect information stored in a database. Published by Addison-Wesley and Symantec Press. Read more at the book's site. The source code is available for download.

Categories

Dedication

  • My grandfather had a wonderful shop in his basement. To me, it was a place of mystery and fascination, and I would spend hours wandering through it, looking at all the tools and projects in various states of completion. Not being much of a wood worker, I've never had the need for such a shop (not to mention that I lack a basement), but recently it occurs to me that my gear, computers, and software are my shop. This site is for my late grandfather and everyone else who takes personal pride in carefully executed work.
Subscribe to this blog's feed