FRSecure Article

What is your Information Security Risk Rating?


Is it Acceptable?


Information Security (IS) is not a Technology issue, it is a Business issue.

Information security is much more than firewalls, intrusion detection, file permissions and other technology related issues.

Information security must also account for establishing and maintaining security policies, training, personnel procedures, printed documents, and physical controls.

To view information security through the lens of IT alone draws focus away from the broader business and risk management issues.

IS requires specialized skills and a holistic view of the business in order to adequately protect information assets in all of their forms.


The need for Strategic Information Security Management

Other than the largest business organizations which have trained, dedicated Information Security Management staff in house, all businesses and their supply partner networks are exposed to many risks and hidden costs.

This is not because the business does not have adequate IT; it is because its IT is appropriately focused on IT operations and performance, not security.

Invariably, IS is relegated to the back burner because it can wait, while the day-to-day, never-ending backlog of upgrades, down equipment and software problems never can.


The Reality for IT Managers and Staff Dealing with Information Security:
  • The time spent on IS is time not spent on the “real” job of optimizing IT operations, and consequently undermines their most valuable impact: contributing revenue to the company. Off-loading the IS responsibility allows IT to maintain its primary focus. It’s the same logic that explains why banks don’t own and operate their own private fleet of Brinks security trucks as part of their operation.
  • IT operations staff cannot stay current with all that’s required to maintain “expert” status in the IS field. As a result, they may inadvertently put their organization at risk. Oftentimes, organizations operate with a false sense of security because they haven’t experienced a security problem to date. The real problem is when you don’t know what you don’t know.


Ultimately, if IS is not specifically and strategically addressed, the organization is at greater risk of a breach or violation and is not prepared to:
  • Minimize the likelihood of a breach
  • Minimize the impact if a breach does happen



What Happens When the IS “Levee” is Breached?

Let’s just put it this way – it’s not good.

Here are possible consequences if an organization does not have an appropriate Information Security plan, and more importantly, does not implement it and keep it maintained:
  • Civil suits
  • Regulatory fines
  • FBI investigations
  • Legal fees
  • Forensic evidence and investigation fees
  • Class action lawsuits
  • Loss of customer information (account and personal)
  • Loss of consumer confidence
  • Loss of brand name recognition and status
  • Loss of customers, potentially to the point of being driven out of business
  • Potential personal liabilities for company leaders
  • Loss of Intellectual property
  • Loss of data – Payroll, customer databases, etc.
  • ACH attacks
  • Fees to pay for identity theft solutions if personal information is lost
  • Fees to notify individuals that information was lost
  • Cost and humiliation to publicly declare that your institution lost information (state law)



How to Accomplish a Successful IS Program

The goal of IS is to minimize the likelihood and the impact of any IS failures. This is impossible to accomplish when there is no established IS program. It’s like the saying goes: you can’t win the lottery if you don’t buy a ticket.

Even when everyone in a company recognizes the importance and risk factors involved, there are a number of reasons why Information Security is not a high priority and does not “just happen”:
  • No one person is personally tasked with or has the time to be the “Information Security Manager”
  • There is a lack of knowledge and skills specific to IS concerns
  • There is a lack of accountability
  • It is difficult to know where to start and whether decisions made along the way are correct



FRSecure eliminates the obstacles and limitations that stand in the way of designing, implementing and maintaining a solid, seamless IS strategy for your ongoing security success.
