Information Security Organization

By Dan Morrill
Expert Author
Article Date: 2007-04-02

In conversations with people at work and at home, one of the things that has reflected negatively on information security as an organization (a gross label, not true in all cases) is that the primary issues are:

1. Inability to take a look at the value of the data versus the cost of the solution.

2. Inability to take a reasonable approach to information security, in that the first word is "no" and there are no second words. It is hard to argue with "no" when, positionally, the word "no" can kill off the project.

3. Inability to think outside the box and come up with alternative solutions; in other words, "no" is easy and requires no thinking on the part of the information security person.

The inability of modern information security precepts and standards to come up with "reasonable and appropriate" solutions to the problem, given the value of the data, the value of the systems between the data and the internet, the countermeasures, and the monitoring of what happens between the data and the internet, is an Achilles heel in modern information security thinking. Organizationally, in the business unit, we build our empires around "no" and are satisfied with that, rather than thinking about how to protect the data given what the folks want to do. We take the "path of least resistance," which is not surprising.

If we look at the ability to think creatively within the organization, we also must deal with the tangents that creative thinking introduces. There has to be an overhead process that keeps creative thinking on a path that gives "best value" to the company. But it is also those tangents, when properly applied or nurtured, that increase the company's base solution set. As well, the process of creative thinking, when provided within the SECI model of Nonaka and Naguchi, is one of socializing those tangents within the development of the organization. There is a thread here that allows embryonic ideas to be expressed and socialized, and that drives the organizational development of the information security group within the company.

Organizational creativity, in regards to the expression of the organization's design, is key to successfully navigating and integrating an otherwise powerful, if small, group within the organization. Socialization of information security into the greater goals of the company is important, and more mandatory than not in this process. The information security group has to think about the value of the data, and about the value of that data to its owners, consumers, and protectors. With all the monumental failures of information security in the last year, it is not surprising that organizationally the process gets marginalized, because it cannot fit into the company's organizational design. It is a lot like adding plumbing to a house years after it has been built. Organizationally, information security is in its childhood; in many respects, in the staid and normalized business operational model of managers who were in the company 20 years ago, this discipline did not exist.

Integrating new ways of thinking and new processes into an atrophied middle management, or into a company that still does not see a reason to pursue this, is like leaving the car unlocked in a high-crime area. Information security organizations do not help themselves integrate into the company when they keep on saying "no", rather than seeking a reasonable and appropriate accommodation based on the standard rules for calculating risk/reward in information security. The information security department is organizationally marginalized, or otherwise finds itself outside both formal and informal communication loops, meaning that it is no longer effective, or only finds out about the existence of a project the day it "goes live", which is too late to say "no". The organization self-heals around the speed bump of the information security department. This ends up organizationally as a vicious circle, with increasing stridency on each side of the process, until arrhythmia happens and no one is effective in the process anymore.


About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
