Why a business does information security greatly influences the outcome of its risk management. If you have seen Simon Sinek’s TED Talk, How Great Leaders Inspire Action, you’ll have an idea of the concept of “Why,” and although the talk isn’t directly about information security, it applies on many levels.
As an executive fully invested in the growth of your business, have you ever wondered why some businesses succeed while others fail, especially when both have the same tools, resources, and potential? The answer is in the “Why.” Why an organization does what it does is what sets it apart from other businesses.
When applying this concept to your information security posture, the question CEOs, CIOs, and board members need to answer is: Why is information security important to your business? Is your “Why” compliance, or meeting the necessary requirements of your industry? If so, sorry to burst your bubble, but you will lose in the risk management arena. You will lose for several reasons.
- Your attackers are not focusing only on compliance when attempting to steal your sensitive data or penetrate your network. On the contrary, they go to great lengths to figure out how to infiltrate your environment and stay up to date on their opponent’s security strategies. Compliance and everything mandatory are always in the headlines, making it easy for intruders to find, study, and test those security requirements.
- Regulations are the foundation of your minimum security efforts, which ultimately tells an intruder what to expect. It’s like a checklist that gives them a head start on where to begin scouting for vulnerabilities within your systems.
- Also keep in mind that compliance doesn’t cover all security components. For example, PCI compliance does not include physical security. This leaves a business vulnerable if it stops its efforts at compliance instead of pursuing a holistic risk management program.
If information security is important to your business only because of requirements, and not because you want to protect your customers, your employees, and your intellectual property, you may avoid fines and pass audits, but you will not be prepared for threats or a breach.
If executives and security pros want to lead from within, to actually be the difference and make the difference, then your information security “Why” will be to protect. You secure your customers, employees, and business data knowing that your security doesn’t stop at compliance, and that you must instead actively pursue a holistic risk management approach. This includes external audits to double-check your internal vulnerability assessments, employing the resources necessary to make your security strong, and doing everything necessary to continuously monitor your vulnerabilities.
Take your information security to heart and you will succeed in your intent: to secure your enterprise. The added bonus is that you will also lead others to do the same and make a difference within your industry.
What is the “Why” of your information security?