Why is it important for security professionals to understand security management?
Information Security Professionals must understand security management because, without proper management of an organization's security implementation, the organization will not know with any certainty whether it is using its resources adequately to reduce risk to a level that is acceptable for its operations.
Here’s additional information about managing information security using an ISMS.
The fast-paced, electronically enabled business environment of the 21st century is characterized by the tactical and strategic use of information as a business enabler. In most modern organizations, information is now seen as a primary asset and, as such, it must be protected. Yet the proliferation of, and reliance on, information in an organization also introduces responsibilities and risks which, if not addressed, can expose the organization to extraordinary risks that could severely impact the viability of the business. The best strategy for an organization to manage these new business realities is to adopt a strong posture of compliance management, risk management and information security management, to ensure that its information assets are protected in the most comprehensive, standardized manner possible. Presently, the best tool for managing the challenges of Information Security is an enterprise Information Security Management System (ISMS). The ISMS is a centralized system of policies, procedures and guidelines that, when created and uniformly applied, ensures that an organization's Information Security is managed in a standardized way using documented best practices. The introduction of an ISMS into an organization's business operations serves to identify, document and classify information assets and risks, and then to document the mitigation of those risks using established, documented controls. It also establishes a framework for monitoring the effectiveness of these controls and for continuous reporting and improvement.
For a typical organization that implements an ISO 27001-based ISMS, the key benefits will be:
· Better management and fulfillment of the Information Security requirements from the organization’s clients, because in many cases they have already adopted ISO 27001
· Reduction of risk of loss of existing customers
· Increased opportunities for new business
· Reduction of the risk of regulatory penalties
· Reduction of the risk of reputational damage
· The creation of an Information Security-aware culture throughout the organization
· Because it is an international standard, the adoption of ISO 27001 enables ISO 27001-compliant branches and subsidiaries that are outside the U.S. to communicate and conduct business in a standard way that ensures information security is well-managed
· Better management of IT assets and their associated risks
· The ability to have an Information Security Management System that is based on the Deming model of Plan – Do – Check – Act for continuous process improvement
· The adoption of the most widely recognized international standard for implementing an ISMS
Note that Information Security has rapidly risen to the forefront as a serious business issue. Because of its rapid rise to prominence and the dynamic, evolving nature of threats and the associated risk management efforts, the models used to measure and quantify the value of such projects can often seem frustrating at best. So while an ISMS project may be difficult to quantify using traditional methods such as return on investment, it is clear that the benefits of continued customer relationships, as well as the ability to attract future customers through a demonstrated, strong and continually improving posture of Information Security compliance management, will far outweigh the costs associated with an ISO 27001-based ISMS implementation project.
Indeed, after implementing an ISMS under the ISO 27001 standard, an organization will have better control of the information that is the lifeblood of its business, and it will be able to demonstrate to its customers and business partners that it, too, has adopted a strong posture of compliance management, risk management and information security management.
Does understanding classical management theories help security professionals?
Yes. Classical management theories suggest that resources must be controlled and managed and that people in organizations should be held accountable, so I would suggest that Information Security Professionals can benefit greatly by studying classical management theories, and that managers can likewise benefit by studying Information Security.
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
CYBR 510 Blog: http://cybr510.blogspot.com