While compliance has become the magic lever for driving information security in companies that must comply with HIPAA, PCI and SOX regulations, it does not always resonate with the business operations strategy. This is largely due to the seemingly endless profusion of controls and countermeasures included in these regulations, which are then used as the yardstick for measuring compliance.
For midmarket companies, this means increased operations costs, a problem compounded by the fact that such organizations don't have the luxury of a well-staffed IT department. Some companies may have only one headcount allocated to information security, while others may have IT staff who share the duties of operations and security. Whatever the case, those individuals will typically have to fight for the resources and recognition needed to support the regulations that will make their organization compliant.
In the past year, more information security professionals have recognized the value of speaking to the business in business terms. This is crucial given the growing trend of organizations adopting strategic planning to define their long-term direction. In years past, guidelines from the IT Governance Institute, the National Institute of Standards and Technology (NIST) and ISACA's COBIT were used as the basis for developing an information security framework. While these guidelines are still critical to the success of a security program, they don't easily translate into an accepted business model that will drive an organization's strategic plan.
A more reasonable solution is to understand first your organization's business model, then its high-level business operations strategy, and finally the goals of the parent organization that houses information security. With a correct understanding of your organization's business direction, you can readily develop an information security framework that integrates with the business. While going the traditional route may promote better management support, it will affect the maturity rating of your program, given that its implementation will require a longer cycle.
Using a traditional business model to drive security initiatives may not seem the wisest course. Some may feel the visibility of their program will be buried. In turn, a loss of people, resources and budget may equate to inadequate program support and overall program failure. However, the same program failure has been experienced by those who rely solely on information security centric guides to develop their frameworks.
Given that the precepts governing compliance are not going away any time soon, a savvy practitioner would do well to work with a framework that best complements their operational environment. If your organization is mature or has already adopted a business model, adjust your existing information security framework to match that model. By using a top-down approach, you can develop a framework that complements your organization's business model, with compliance built into the business framework. The end result is an information security framework that aligns with the business and is written in accepted business terms. If your organization does not have an accepted model, you should still consider putting your program in a framework; it is easier to digest and sustain. That framework will be a blend of a traditional business model and an information security centric model, with more of an emphasis toward information security. This will give you an opportunity to evangelize information security among those whose focus is elsewhere and whose buy-in you'll need down the road.
Be prepared to go through a couple of iterations of your chosen framework. While you may understand what you are trying to convey, that won't matter if your business partners don't agree. Consider a preemptive approach: socialize the information security centric pieces of the framework in smaller portions before presenting the entire framework. This gives business partners the opportunity to ask the necessary questions and results in better acceptance down the road.
Ravila Helen White is the information security coordinator for the Bill & Melinda Gates Foundation.
This was first published in May 2009