The Role of Security Management in an Organization Essay

Introduction

As Ullman (1983) explains, “security management is a broad field of management related to asset management, physical security and human resource safety functions”. The author further explains that security management plays a significant role in identifying a business’ assets and developments, as well as how they can be protected to ensure long-term development of a business is protected.

As Hong et al. (2003) cautions, “security management is core to ensuring very long-phrase sustainability of any company, and the need for people educated in this field is developing each and every day”.

As far as human security is concerned, “employers have an obligation to shield the people within the workplace, and the measures delivered must offer workers in all sectors of the economic climate with the information and knowledge to tackle and control possibly hazardous occasions” (Hong et al., 2003).

When it comes to information, every business today is faced with a test of coping with constantly changing information systems, threats and needs. “Businesses that have been around for a long time have had to adjust from ledger cards to keeping up with large volumes of information generated in the digital “ (Awad & Hassan, 2004).

The speeds at which information flows in and out of a business today is makes information systems more complex and hard to keep up with. Awad & Hassan (2004) further explain that “as we move rapidly into the future, leaders face the challenge of being effective in a global knowledge environment”.

One way through which their effectiveness is tested is through investing in research, acquiring information from the markets when it is still relevant, and ensuring that information security is prioritized in a business.

Today, the information entrusted to organizations by their clients is too detailed and sensitive. For example, banks and insurance companies require a customer to provide sensitive information such as birth dates, physical location, and other family members’ information, just to mention a few.

The situation leaves customers extremely vulnerable and at the mercy of the business’ ability to protect the information. It is therefore paramount that these business exercise sufficient care in managing and using their clients’ information.

It is also notable that “leaders have to undertake the responsibility of helping their organizations cope with the challenges they face from expanding knowledge and information systems” (Cronin, 2009).

Information security management enables a business to collect, represent, disburse and use information in a safe and trustworthy manner. Information security further covers the process by which data is collected, converted to information and finally utilized in a business.

“In a world overloaded with information, there is a need for emphasis on not just more information security, but actionable intelligence that is capable of guiding decisions in its security” (Beccerra-Fernandez, Avelino & Rajiv, 2004).

Developing an information security management strategy in any business requires a comprehensive understanding of what objectives the business intends to achieve from the process. It is also through a clear understanding of how the business intends to meet these objectives (Cronin, 2009). Information security in any business should be developed through formulating actions designed to meet its objectives.

It should further be through implementing suitable timescales and progress assessment techniques. This ensures that a business is able to monitor and measure progress, as well as identify those systems that are working and those that are simply wasting its resources.

When implementing information security strategies, it is crucial for a business to understand that over-reliance on one information security model can pose significant risks for a business.

For the big businesses such as multinationals, conventional security strategies may lead to stagnation and neglect in dynamics of change. Issues must be addresses as they come and a business must be willing to be flexible enough when new threats arise.

“Strategy formulation may involve identifying how the business can leverage its information security strategies, the best approaches, and how to prioritize” (Cunningham & Fried, 2002). For businesses that deal with huge amounts of information, the entire process must be guided by the company’s current information security needs. However, this does not mean that long term information security needs should be ignored.

A business’ mission, vision and strategic objectives must serve as constant guidelines to strategy formulation. There are several areas that must be considered fundamental for the success of information security.

As identified by Solms (2005), “they include top management support, unfiltered access to information, information security management teams and resources, and professional knowledge on how to implement safety strategies”.

Management tools

Managing information security requires adequate research and preparation. Several steps are followed to ensure the two are addressed comprehensively.

Information classification

It is important for a business to classify its information to avoid overwhelming amounts of data and information. Information can be classified according to how often it is used, its influence on business operations, level of sensitivity and its ease of access. By doing this, complexity of systems put in place to ensure its protection can be increased or reduced depending with what class information is in.

Furthermore, planning and design of strategies is made easier. Classifying information also ensures that information is only accessed when it is needed. Putting all information in the same database means that the database is visited more frequently and by more people. This is one way to protect data and information by ensuring it is only accessed by a few people, and when it is needed.

Risk assessment

Risk assessment involves analyzing possible attacks into a business database and their effects on a business. It is not possible for a business to protect its information if there is no clear information on what or who it is protecting the information against.

For example, a business must identify information that may sabotage the uniqueness of its products and services in a market, and ensure that it is out of reach to anyone considered as competition. Its clients’ personal information must be out of reach to anyone who is not authorized to access it.

Risk assessment further allows a business put in place stand-by and control measures that it can use to address an attack if it occurs. This in many ways could reduce the damage caused by a damage.

Risk analysis

The first step towards effective safety management is identification of risks and threats. Analyzing risks facing a business allows it to adequately prepare for attacks and challenges. It provokes preparedness for any possible attacks.

Risk analysis involves calculating the implications of a perceived threat. Implications could include financial loses, reputation damage and strained relationships between employees and employers, just to mention a few. Risk analysis should be a continuous process carried out consistently to allow a business prepare for new threats.

Information Security management options

Accepting

The first step towards managing information security is accepting that a security problem exists. Acceptance provokes an analysis of just how big a security threat is in a situation. Acceptance puts the management on alert that something needs to be done.

This way, it is possible for information security to be prioritized as the company does its planning and programming of activities. Information security management requires early preparation and planning, as well as effective budgeting. When a business identifies and accepts potential threats to its information security, these elements are easily incorporated in the company’s system and schedule.

Transfer

Information security threats can be easily transferred from one location or area of business to another. Examples of such threats include those arising from equipments and portable materials such as data cables. Another way of transferring security threats is through insurance.

This way, any financial liabilities arising from information security matters are transferred from the business to the insurer. Businesses prone to information security challenges employ this method to protect themselves from heavy financial burdens.

Reduce

Another significant information security management options is reducing the threats. This happens through consistent inspection and investigation of areas where threats are likely to occur. Reducing information security threats further occur when businesses invest in detection systems.

In businesses where threats are mostly from external attacks, reduction can be achieved through restricted entry to the facilities. It can also be done by ensuring that people getting into and out of the facility are screened and checked.

Eliminate

Elimination has been identified as the best information security management option. Its saves a business troubles that arise from disasters and crises common in information security related disasters.

It is paramount for a business to ensure that it prioritizes elimination in its information security management strategies. Elimination is many times not easy as there are new information security challenges facing any business each day.

Businesses can achieve elimination using several procedures:

Detect

Installing detection systems helps a business deal with a threat before it materializes into a full-blown security disaster. Latest technological innovations have made it easy for businesses to achieve this. Inside a business, using controls is a common method of arresting security and safety problems before they occur.

In the external areas of the business, using surveillance cameras and other technologies allow a business to detect threats such as cable interference easily. Detection also occurs by enrolling investigative services where suspicion occurs. Many governments have put in place measures that allow businesses access to professional security advice and services.

Deny

Denying attackers a way to get through to a business’ system is the most cost effective elimination strategy. All information security strategies should be aimed at minimizing access to a business information, especially to anyone who cannot be trusted with it. Business do this using different tools such as administrator passwords and having employees seek authorization before accessing sensitive information, among others.

Delay

Having systems that delay damage in case of an attack allows a business time to react. Depending with the nature of the situation, the amount of threat facing a business may be considerably reduced in such a situation.

Delaying damage can be done using control systems that send signals to operates in case of threats or automatically shuts down a company’s operations systems before the damage spreads to the key areas of a database. In today’s world, creative innovations allow business to purchase and implement custom made solutions that may detect specific threats common to some areas of the business.

For example, the IT department can install systems that send notification messages to every user in the company in the face of a probable virus threat. The department can also have warning messages sent to them anytime unauthorized users try to access certain information. Users of certain systems can have limited attempts to enter the correct password, after which the system shuts itself down or locks itself.

Managing security at a data warehouse

Some business have information warehouses such as specific rooms where sensitive information is stored. It is possible to have some information being only accessible in one specific room or location in a company.

Depending with the nature of business, a company can have control rooms where operations are managed from. The security of such locations is critical. It can be managed using regular security measures used to protect physical locations. These measures include;

• Using simple and sophisticated locks
• Having local and monitored alarms
• Installing appropriate barriers for unauthorized personnel
• Use of security lighting
• Having authorized personnel use access control cards to monitor traffic in and out of the facility
• Improve communication capability between users and security teams
• Having armed security on stand-by in case of breakages

Role of management

Cunningham & Fried (2002) argue that “while protecting the human element of information security may seem obvious, it clearly is not”. Many organizations are still below the level expected of them as far as information security is concerned.

“In fact, most businesses do little than pay lip-service to it-spending more time and money on free coffee for employees than on educating those employees on information security practices that help mitigate the insider threat” (Brockman & Turtle, 2003).

The author further explains that any businesses trying to save money by cutting the cost of training on information security are taking a big and foolish risk. As information security threats grow in complexity, it is every business’ responsibility to ensure that their employees’ level of knowledge on the same is developed.

Since there is always a human element in every information security threat, businesses need to realize that no single safety system is foolproof. Therefore, there should always be a clear road-map initiating different information security programs to suit different threats.

Role of employees

As Solms (2005) explains, “many employees in today’s workforce are not aware that they play an important role in their organization’s information security”. Lack of awareness on their role in the matter may lead to actions which put a business under high risk of insecurity attacks.

Cronin (2009) further explains that “employees engage in risky behavior on the internet, open unsolicited e-mail attachments, carelessly divulge proprietary information, introduce wireless risks to corporate networks, and neglect to consider security in their daily routines”. All these activities could put expose a business to security threats, and expose sensitive information.

While much of the attention is given to high profile information security challenges such as viruses and hacking, the greatest risks arise from employees and other insiders. Major information security challenges occur not because systems have failed, but because people entrusted with the information failed.

It is evident in many cases that the success of an organization and the safety of its information, is dependent on how ordinary people with access to the information comply with the set safety measures.

Unfortunately in many businesses, information managers are answerable for breaches committed by employees on their watch. This does not protect a business from information insecurity, since many times the damage is already done before the managers can realize it.

“It is important to note that the human factor is typically the most critical variable in information security systems and even the best policies can be rendered completely ineffective if the people involved do not take responsibility for safeguarding the information they control” (Hong Et al., 2003). Experts in this area reveal that only 25% of information security breaches are planned and executed by outsiders.

The remaining 75% of the cases are inside jobs and many times they are not intentional or planned. Insecure habits such writing password on sticker pads or forwarding information to a home computer can expose an organization into major risks. Some employees are too polite to challenge visitors who invade their workspace, or fellow employees who have no authority to access information on their computers.

An ignorant employee who opens spam emails and attached documents without verifying their sources may paralyze an organization’s information systems for days, and even cost it a lot of money. Today, threats grow exponentially as information systems become more and more complex.

Therefore, ignoring the employee element of information security may be the most dangerous and costly mistake a business can make. Having employees that do not recognize their role information security may also be the biggest inhibition to achieving maximum information security.

It is paramount that an organization trains its employees on all parameters of information security, and ensures that their level of information is constantly updated.

Awareness training

Awareness training must be equally balanced between corporate security and information technology (IT). Most organizations still regard information security as an issue that should be entirely left to the information technology department. “Unfortunately, businesses are leaving themselves open to security breaches because their information security awareness training is woefully inadequate” (Cronin, 2009).

Since training employees and equipping them for proper information management it is not an easy task, it should not be left to one department. Instead, organizations need to ensure that the IT department is fully supported by the corporate security department.

Experts in this field argue that the best way to ensure maximum information safety is having responsible and accountable end-users. This is only achievable through a complete change of corporate culture. Furthermore, a business must have the capacity and ability to manage the behavior of the end-users, especially those with access to key information.

Unfortunately, the IT department is not good at these functions. The department primarily focuses on ensuring critical information systems are in place and running effectively. The IT department in many businesses lacks the appropriate communication skills to influence an organizational culture. Instead, they are more focused in ensuring that technical aspects of information management are working.

For this reason, the corporate security managers should be more involved in influencing an organization’s culture. As Awad & Hassan (2004) explain, “one of the chief strengths of corporate security managers is that they’re inter-personally involved with the employees”. Therefore, they are more equipped and experienced to manage personnel security as far as information is concerned.

This includes making sure that every employee is well aware of their role in protecting a business from avoidable risks. It makes more sense for them to initiate a culture that fosters awareness and responsibility as information security is concerned.

Programs initiated must create awareness of risks and reinforce well formulated policies. Furthermore, the corporate security is department is able to communicate important information security details in less technical language that would be easily be understood by employees at all levels.

To ensure responsibility, both the corporate and IT departments must be able to explain why security breaches occur when they do. Therefore, it is both the departments’ responsibility to ensure that every employee is aware of possible threats before they happen.

Educating employees ahead of time makes them more sensitive and will easily notice and report threats before they become harmful. Such a measure will save a business a lot of time and money spent on fixing the problem.

Information security policies and procedures

Businesses all over the globe spend billions of dollars each year to ensure that their information systems are well protected. But while the measures taken are important, security issues most arise from the most neglected aspect of information security-employees. More than 75% of security breaches occur as a result of employees who are either not conversant with a company’s security policies and procedures, or are ignorant of them.

In an era where huge amounts of information can be sent with the click of a mouse, it is imperative that those with access to any sort of information know how to handle it well. As technological innovations get more and more complex, it imperative for businesses to secure their information starting from inside.

Information portability has further made it easier for data thieves. Vital information can be smuggled out of a company’s data warehouse through extremely small devices such as flash disks or through emails.

Wireless systems have further made it easier for one to transfer information from one point to another without hassle. This leaves organizations in extremely vulnerable situations, with the only hope being a corporate culture that encourages discipline and loyalty.

It is important for a business to set up strict penalties for employees who breach security measures in a company. This is done through policies and procedures that define an employee’s roles and responsibilities. They should further outline tough measures and penalties for offenders. It is important for employees to understand the consequences of engaging in unacceptable behavior when dealing with information.

However, security policies and procedures will not be very helpful if employees are not willing to abide by them. Developing a culture of discipline ensures that employees are cautious not to jeopardize vital information in a business. Awareness programs should focus on educating employees on how costly small mistakes can be and how it affects them as stakeholders.

It is only through continuous transformation of attitude and exposure to training will policies and procedures help a company develop information security. Employees have the ability to transform the state of a company’s security by maintaining caution when handling information. As Solms (2005) argues “ without implementing an effective awareness program an information security policy is more or less useless.

The best policy in the world will fail if the people who are affected by it most don’t know the rationale behind it”. An organization’s biggest asset is a culture that promotes positive behavior in all aspects of its operation. Other measures that can be used to encourage positive behavior include rewarding diligent employees and encouraging communication between employees and the management.

Management buy-in

Cronin (2009) explains that “the first and most crucial step in developing an effective security awareness program is getting top management buy-in”. It is very crucial to get management on board for any important strategy to work. However, it is notable in many organizations that getting the management to understand the weight and significance of information security is not easy.

This is because it may appear too technical and even abstract for people in other area of profession other than IT. Information security in many organizations is viewed as a matter of fixing computer infrastructure and ensuring latest technology systems.

Managers who do not understand that it is much more than this may end up spending a lot of money on expensive infrastructure and yet still remain extremely vulnerable to information security threats.

It is also notable that many managers do not view information security as a worth investment since on its own, it may not appear to have financial returns to a business. It is viewed as an investment with little chance for financial returns. However, what many managers don’t realize is that neglecting information security may cost a business all other returns it is making.

The long-term success of a business is highly dependent on how well its reputation, trademarks, copyrights and innovations are protected. As explained earlier, trying to cost cut by investing too little in information security may end up being the riskiest and most foolish decision any business can arrive at. It is also important to know where investments are required.

By simply investing in the tangible elements of information security such as computers and software may not be very fruitful without working on other relevant areas. To ensure management understands the relevance of information security, they should be constantly reminded of certain issues;

Downtime

It is important for managers to be talked to about the millions of dollars it could take to recover if suffers from an information attack. Depending with the information lost, the whole business may be paralyzed for a while as it tries to get a database up. It may cost the the business a lot of money to instal new information systems, since the existing once might be too risky after they have been broken into.

Reputation management

Building a reputation for a business is an expensive and long-term affair. However, all the efforts put into ensuring a positive reputation may go down the drain if as a result of leaked information. Information security breaches many times leave a negative impression and competitive losses at the market. Managing the damage may end up being an extremely expensive affair for a business.

A good example is a big corporation which requires to send over 200,000 letters to their clients explaining why their credit information has been exposed. For example, a bank may need to recall credit cards from customers after their numbers have been stolen. Managers need to be constantly reminded of such outcomes to take information security programs and initiatives seriously.

Competitive disadvantage

Information security breach leaves a business exposed to its competitors. The trade secrets that give it a competitive advantage become easily accessible. Information such as a business’ marketing plans or future products will lead to loss of revenues and a widespread damage to profits.

Since more than half the breaches arise from inside a business, it is important for the management to invest in ensuring that information security is managed from inside out.

Legal liability

Each day we hear of cases where businesses are facing legal challenges arising from wrongly leaked or exposed information. Clients in a business expect that management should be able to keep their information safe and confidential. Most business contracts obligate a business to keep a client’s information safe and take responsibility when it fails to do so.

As a result, many businesses have found themselves in trouble when those terms are not adhered to. The situation is especially worse when stolen information is used against a client or used against their will and wish to for other purposes other than why they gave the information in the first place.

When information is stolen from a company, it is almost impossible to prove in a court of law that the company took all the necessary measures to protect the information because if that was the case, then it wouldn’t be stolen in the first place.

This leaves the business entirely responsible for any damages arising from information theft or leakage. It is important for managers to realize the magnitude of challenges that may arise from having to battle legal challenges every often due to under-investment in a company’s information security system.

Behavior based information security models

It is important to realize that an employee’s behavior does not have to be malicious to expose a company into information security threats.

Innocent behaviors such as leaving computers on in the presence of a visitor, sharing a password with a colleague, willingness to answer innocent questions by social engineers, and laptop loss can result in very dire consequences. All these gateways to information insecurity have people as a common aspect. Therefore, bringing information safety message as home as possible is mandatory.

Behavioral based security management are designed towards ensuring that every stakeholder is doing their best and playing their role in protecting the company’s assets. Every stakeholder must accept responsibility as a part of the enterprise, and as a beneficiary of the success of a business.

As Brockman & Turtle (2003) argue, “behavior-based awareness capitalizes on these elemental human dynamics, bridging the chasm of risk by instilling in every employee the empowerment to affect change and create value through awareness action”.

From these realities, it evident that if a business can change its stakeholders behavior to suit that of a responsible culture, information security can be achieved more easily and cheaply.

Behavior based information security models require a lot of investment in awareness an knowledge development. All stakeholders must be well equipped with proper knowledge on how to minimize chances of exposing a company to risks and threats. For example, if suppliers have gate access cards, they should avoid attempts to use them somewhere else, and report to the company as soon as it is lost or stolen.

Employees’ attitude towards security measures should not be cavalier. Working spaces should be fully protected and sources of information such as computers and files guarded at all times. This will only happen if naivete towards information risks is eliminated in a business. The effectiveness of behavior based information security models can be maximized through these practices;

• Convincing employees and other stakeholders that security breaches harm not only the business, but also individual stakeholders. Employees could reduce their jobs and extreme information security attacks could even lead to business shutdown.
• Constantly reinforcing strong security programs and integrating creativity to avoid monotonous routine that could see employee easily get casual with them.
• Ensuring programs put in place appeal to the issues considered important by employees and other stakeholders
• Continuous awareness programs through research, training and education
• Reinforcing positive attitude towards measures taken by a business through articulated programs that are easily applicable in employees’ day-to-day activities. Use of technical languages and approaches leaves a large number of people who may not understand the language out. It further discourages interest in subjects related to information security.
• Motivating employees, management and other stakeholders to put into use the information and knowledge they acquire through training and awareness programs
• Ensuring that everyone’s job description addresses the need to protect a company’s assets which include information

Helping create constant awareness

Cunningham & Fried (2002) explain that “only through constant exposure to appropriate awareness training can employees transition from the greatest risk to the greatest asset”. Continuous exposure can be achieved through the following methods;

Use attractive posters

Employees should be reached and reminded about information security at all times. Placing attractive posters around their work place, at the company’s entrance, around water coolers and other strategic positions ensures that they are constantly reminded of the importance of information security. A constant reminder further reiterates the significance and importance of the issue to the company.

Create pop-up windows that feature information security

Using such tools enables a business keep its employees aware of the constant threats facing the business as far as protecting information is concerned. Such pop-ups can also be used to remind employees of important points covered during a past training event.

It can further be used to remind them what to do in case they are faced with a risk to lose information from their machines. The pop-ups should lead the employees to the company’s security department of web page to allow them communicate a problem when it occurs or seek clarification on issues that may not be very clear.

Publish information security articles in the company’s newsletters

These is way for businesses to reach more than its employees. By having as many people read about information security as possible, companies will help each other fight the problem. A company that does not do regular trainings on the subject can benefit from having its employees read about such issues from other sources such as other companies’ newsletters.

Newsletters provide a big space to explain details that may not be covered in small posters in a more comprehensive manner. A company can use real-life stories in its newsletters to catch the attention of its stakeholders and explain the relevance of information security.

Using audio and visual aids

These include using videos to pass messages that leave a long-lasting impression in the head of the viewer. “Such aids are effective in emphasizing various aspects of security such as how to defend against “social engineers” attacks” (Solms, 2005). These can be placed in social places such as the cafeteria.

Conclusion

Security management in an organization plays a significant role in its level of success. Perhaps nobody could put it better than Solms (2005) who explains that “the safest organizations are those that have figured out how to change the culture of the company so that everybody’s job is part of security”.

As explained earlier, today businesses are faced with a hard task of managing overwhelming amounts of information coming in everyday. Information security management enables a business to collect, represent, disburse and use information in a safe and trustworthy manner.

The benefits of information security management for any business are enormous. It provides businesses with a capacity to protect itself from constant threats larking in the markets.

Big organizations such as multinationals need effective and modern strategies in their information management systems to ensure security, reliability and reputation management. In this case, information management is crucial in ensuring protection and minimized costs of recovering and managing damages.

The most effective approach when managing information security is having a corporate culture that encourages responsibility. While much of the attention is given to high profile information security challenges such as viruses and hacking, the greatest risks arise from employees and other insiders.

Major information security challenges occur not because systems have failed, but because people entrusted with the information failed. It is evident in many cases that the success of an organization and the safety of its information, is dependent on how ordinary people with access to the information comply with the set safety measures.

Another approach in managing information security include identifying and understanding a business’ capabilities and resources. These are not restricted to but include corporate resources such as basic inputs and organizational capabilities. Expertise in the area is key for a business to stay ahead of possible threats. This calls for hiring and retaining the best talent in the IT field.

Due to increased complexity in information management, it is important for a business to have a team that has capacity to keep up with new updates and solutions to information security. A business also has to identify its financial capacity its capacity to acquire and utilize resources. The strategies formulated for any organization must connect with the bottom line and nurture it with relevant knowledge on how improvements can be made.

Steps for designing information security strategies for any business must include clarifying its business strategy, identifying its unique information activities, identifying available resources required to implement their strategies, and putting in place measures that allow it to detect threats before they become real dangers to it.

It is also important for a business to “prioritize information security components that align with available needs and resources, and decide on how the business will access the lacking resources” (Beccerra-Fernandez, Avelino & Rajiv, 2004)

In order for any corporation to develop an efficient information security strategy, these recommendations, among others will be applicable:

• Design strategic and tactical information management initiatives
• Conduct a comprehensive company needs analysis to identify key issues in
• Information security
• Identify key staff needs that require urgent attention to support information security
• Based on the above recommendations, develop a strategy to address the needs
• Identified

Reference list

Awad, E.M. & Hassan, G.(2004). Knowledge management. Pearson Prentice Hall.

Beccerra-Fernandez, I., Avelino, G. & Rajiv, S. (2004). Knowledge management: Challenges, solutions and technologies. Pearson: Prentice Hall.

Brockman, P. & Turtle, H.J. (2003). “A barrier option framework for corporate security valuation”. Journal of Financial Economics, 67(3), 511-529.

Cronin, O. (2009). “Information assurance: A survey of current practice”. International Journal of Information Management, 14(3), 204-222.

Cunningham, R. & Fried, D. (2002). Adaptable Real-Time Information Assurance. Aerospace, 6 (4), 2678-2682.

Hong, K.S. Et al. (2003). “An integrated system theory of information security management”. Information Management & Computer Security, 11(5), 243-248.

Solms, S.H. (2005). Information security governance-Compliance management vs. operational management. Computers & Security. 24(6), 443-447.

Ullman, R.H. (1983). “Redefining security”. International Security, 8(1), 129-153.