Information Security Purposes
To accomplish the information security purposes, most businesses deploy an information protection function to safeguard their business confidential information in order to avoid any losses resulting from competitive disadvantage, lost customer loyalty, and confidence, and damaged corporate image as a result of poor corporate information protection controls. Other institutions in business environments where they collect millions of customer private data and must comply with various privacy laws, engage information protection professionals to just comply with the laws. In my professional experience, I have noticed a firm commitment on the part of organizations in sectors such as Financial Services, Healthcare and Insurance to comply with the laws and less enthusiasm or concern with protecting customer information unless the consequences of losing customer private information are understood and impact the business bottom line. Such consequences include violations with the increasing State and Federal privacy laws as well as class action identity theft lawsuits. Although, businesses are slowly discovering the long term benefits of protecting customer information, most are far from understanding the real information security risks and just focus on compliance.
In dealing with information protection purposes, most organizations seem to be “fire fighters” as they wake up in the morning and start looking for fires rather than having an adequate program and plan of action. Having an adequate information security program entails developing, communicating and educating employees regarding corporate policies, standards, guidelines, monitoring, and responsibilities from a position of strength. And, an effective action plan entails proper risk assessment to identify control gaps and solutions for reducing the risks as much as possible. The problem however is that the information protection focus is too often narrowed such as when an organization places heavy emphasis on information technology security risks and institutes the information security function within the information technology organization. A complete and effective information security program requires enterprise-wide coverage and placement of its head of information security at the business level where there is visibility and no conflict of interest. An information protection function placed within the IT organization violates both of these principles. For example, employee education and assessment of vendor controls are corporate functions and do not just involve IT security.
As I mentioned, a few businesses are placing the information protection function at the right level within the appropriate business segment such as having the CISO report to the CFO, COO or even the President of the company with a dotted line to an oversight committee for an independent function. However, less mature and smaller organizations are reducing the visibility and scope of the information protection function for cost saving purposes and due to the lack of total understanding of the risks. Of course the downward economy is not helping my case for such improvements in accomplishing the information security purposes; however, I had also seen this trend in good economic times.
Return to the workplace information protection section from "information security purposes".