There’s a lot of swirl in the industry about security organizations lately, and the term Information Security seems to be used synonymously with the term IT Security. These are very different functions and should be distinguished as such. With proper alignment between these two functions you can ensure that your security functions are purposefully aligned with the business strategy and vision of your CEO and board of directors.
Let’s start with Information Security. Information Security is the governance of security, typically within the context of enterprise (business) operations. The governance of security includes tasks such as defining policy and aligning the overall company security strategy with the business strategy. Information Security governance solves “business level” issues, and this function transcends the IT department. To appropriately govern Information Security in an enterprise setting, IT must be treated like any other business unit: it is a consumer of the Information Security service in the same way as Legal, HR, Finance, Facilities, etc. This function of Information Security governance is pervasive to your business and should provide end-to-end coverage of the entire business.
Now for IT Security. IT Security is the management of security within IT. IT Security management teams should be translating Information Security strategy into technical IT Security requirements. They are responsible for IT risk management, security operations, security engineering and architecture, and IT compliance. The IT Security management function should “plug into” the Information Security governance framework.
For example, if your business is preparing to expand into Europe as part of its business strategy, your Information Security governance might include compliance and certification for US-EU Safe Harbor, and your IT Security management teams should be aligning their plans to implement the security controls needed to comply with the Safe Harbor regulations. This mechanism of cascading goals and strategy will help to ensure a holistic approach to security across the entire business.
So the big question is: why should you care? It’s about creating a common definition of security. If we can begin to educate folks about security and provide a common terminology, this gives our audience a platform to think about security in a way that makes sense to them and to apply the terminology at a personal level. When people can correlate an activity or definition to their personal environment, it usually allows them to make an informed decision and self-select the correct security behavior when no one is there to reward them for the right decision.
If you are just getting started, we highly recommend you check out the work from ISACA, specifically COBIT 5 for Information Security, found here: ISACA’s COBIT 5 for Information Security. ISACA’s COBIT 5 for Information Security is a nice reference point, as it does a nice job of creating a common definition between Information Security and IT Security; ISACA also ties in all the security business enablers as part of the larger COBIT governance and management framework. ISO 27001 should not be overlooked either; there’s a great collection of artifacts found at ISO27001 Security.