In many companies the reality is that there are not a lot of resources to handle information security. The reality is also that additional resources will probably not be allocated in the future. The security officer will therefore have to make do with the limited amounts of time and money.
The good news is that this is not an impossible task. And the great news is that it is possible to increase information security by tackling the tasks differently, compared with previous practices.
Information security should not be a marathon
If you were to come up with an analogy for working with information security, you could say that in some companies there has been a tendency to perform the necessary security tasks as if they were regular marathons.
The development of security policies, rules, risk assessments, contingency plans etc. have been planned and carried out as a part of comprehensive processes that have been time-consuming and perhaps even costly if external consultants have been hired. A common feature for these processes is often that the end result does not correspond with the efforts. Despite good intentions, many plans are left at the bottom of a drawer, when the boxes have been ticked for the completion of a security task.
Everyone can run a 5K
Jakob Joensen is Head of Information Security Advisory at Neupart. He recommends organising the security work as weekly and more feasible 5K runs instead of grueling marathon distances.
“Instead of the security officer becoming completely bogged down two or three times a year, it makes more sense that the company breaks up the tasks into several sub-processes that can be carried out continually over the course of 12 months. This also means that it is not the security officer who performs all the tasks and instead the responsibility is distributed across the various employees in the organisation,” says Jakob Joensen.
The annual cycle embeds the security tasks
This approach is supported by an annual-cycle process where all the year’s security tasks are entered into a system. When it is time to perform a task, the employee responsible for a sub-process will, for example, receive an email with a notification that it is time to perform a task. Then they can confirm or reject changes to the area and finally document the execution of the task.
“The whole idea is that it is easier and cheaper to keep an annual cycle running at low speed than it is to keep having to re-start the cycle after a long break,” says Jakob Joensen.
Get out of the office and ask your colleagues
He recommends that the person responsible for a company’s information security begins by talking with those who have insight into the company’s sub-processes.
“The security officer should ask the IT developer, IT technician, IT operator, network administrator etc. what they actually do and should also pose the same question to colleagues in customer service, marketing, sales, production and HR. When they have made these inquiries, they will have an overview of the company’s core tasks, what systems support the execution of the core tasks and how data are secured.”
“If you are successful in entering the individual tasks and who is responsible for performing them into an annual cycle, it is my claim that the tasks will be better embedded across the organisation and that it will heighten the quality of information security in the company,” Jakob Joensen concludes.