FRSecure Article
Executive Management needs to be (or get) involved
Commentary from Evan Francen, president of FRSecure
If there is one thing that stands out time and time again, it’s that too many otherwise excellent business leaders are absent when it comes to leading in the area of information security. Why is this?
I’m not going to spend too much time preaching the importance of information security. I think most people understand that it’s important to protect the information they are responsible for, but I wonder if executive management understands the added responsibilities placed on them. Information security responsibilities are not typically a common topic among business leaders.
Responsibilities
So what are the responsibilities of an executive with respect to information security?
Ultimately, the information security “buck” stops with executive management. A significant portion of an organization’s value is directly related to the quantity and quality of the information it possesses (in some organizations, as much as 90% of an organization’s value!). Doesn’t it make sense that an executive sees to it that such a significant portion of their organization’s value be adequately protected?
Executives don’t need to be information security experts, but they do have responsibilities.
Example responsibilities for executive management:
- Provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the organization.
- Ensure that an information security program is developed, documented, and implemented to provide security for all systems, networks, and data that support the operations of the organization.
- Ensure that information security processes are integrated with strategic and operational planning processes to secure the organization’s mission.
- Ensure that senior management within the organization are given the necessary authority to secure the operations and assets under their control and within the scope of the information security program.
- Designate a single person (or group of persons) and delegate authority to ensure compliance with applicable information security requirements.
- Ensure that the delegate, in coordination with the other senior managers, reports regularly to executive management on the effectiveness of the information security program, including the progress of remedial actions.
Consequences
Whenever we fail to fulfill our responsibilities in life, there are consequences. It doesn’t matter if it’s a failure to change the oil in our cars, forgetting important dates, or making poor business decisions. Things may be fine for a while, but eventually there’s going to be a day of reckoning if the failures to fulfill responsibilities continue. Our car engines will fail, we will no longer be considered reliable and lose trust, or our businesses will suffer.
There are always consequences for our actions (or failure to act). The trick is to understand what our responsibilities are, then see to it that we fulfill those responsibilities.
Example consequences:
- Get in the news for the wrong reason
- Civil suits
- Regulatory fines
- Legal fees
- Internal investigation fees
- Government agency investigations
- Forensic investigations
- Loss of consumer confidence
- Loss of brand name recognition and status
- Loss of customers
- Potential personal liabilities for company leaders
- Loss of intellectual property
The list really goes on and depends on the situation, but one thing we can be sure of: there will be consequences. Consequences cost money. In most cases, consequences cost significantly more than fulfilling our responsibilities. If we’re in business to make money, it would be wise to fulfill our responsibilities and minimize the consequences.
Questions to ask ourselves
Here are some sample questions that can give us an indication of whether or not we are involved enough with information security:
- Do we have a dedicated budget for information security?
- How much is our organization’s information worth to us?
- How much is our organization’s information worth to our customers?
- When was the last time I was briefed on the status of our information security efforts?
- When was the last time I talked to our board about information security?
- Who has access to our organization’s most sensitive information?
- When was the last time I reviewed our information security policy(ies)?
- When was the last information security incident? (NOTE: The answer “we’ve never had one” is an indication that we have never been made aware of one, NOT that we haven’t had one!)
- How secure are we when compared with our competition?
Conclusion
Today, more so than at any time in modern history, we operate in a hostile business environment. Competition is tight, regulations are cumbersome, and people are weary. What should set our organization apart: the consequences of poor information security management or the rewards of responsible information security management?
You know my answer.
About Evan Francen
Evan is the president of FRSecure, a full-service information security consulting company in Minneapolis, Minnesota. Prior to establishing FRSecure, Evan spent more than 15 years as a leading information security professional and corporate leader in both private and public companies.