Senior management’s commitment is a key element in ensuring the success of information security initiatives, according to a recently released global survey.
Conducted by the Information Systems Audit and Control Association (ISACA), the study revealed most organizations believe IT security initiatives will be more successful when managed as a business undertaking rather than a technical requirement.
Other critical elements of a successful information security program include management’s understanding of information security issues, security planning prior to implementation, and business and security integration. ISACA surveyed 157 respondents from major industries in eight countries. ISACA is a global organization of professionals involved in IT governance, control, security and assurance.
“There is a culture that’s been around for a while that says security is a technology issue and we leave it to the IT professionals to deal with,” said Everett Johnson, international president, ISACA in Rolling Meadows, Ill.
The survey, however, revealed the need for “a much broader consideration than what information security professionals acting alone can accomplish.”
The study urged executives to forge a relationship with the IT security manager, “backed up with visible and consistent implementation of company policies and standards.”
While a prerequisite for success, executive buy-in is only part of a bigger picture, said Joe Greene, vice-president, IT security research at Toronto-based IDC Corp.
“It’s a combination of people, process and technology,” said Greene.
The first step in implementing an IT security program, he said, was planning. Senior executives needed to understand the benefits of an IT security investment.
“It’s very difficult to prove a return on investment with IT security, so senior executives need to have a more holistic view of what’s involved in IT security,” Greene said.
But the role of senior executives does not end with “throwing money at the IT security problem,” said Greene. The whole process involves understanding the issues, formulating a plan around those issues, and then acquiring the products and services to help bring that plan to fruition, he said.
Another vital element is employee education around the need to protect information assets, said Greene.