It's time for business, IT and security leaders to leave the silo and start speaking the same language.
Business leaders often ignore information security, and it is consistently an area of risk that they underestimate.
Historically, business leaders and boards have tended to regard information security as a technology issue – as reflected by traditional reporting channels. But this is a misconception and it needs to change.
The scale of the financial and reputational risks to businesses means that information security has now become a key board-level concern. In terms of the growing threat, recent statistics tell their own story.
As the PwC 2010 UK Information Security Breaches Survey confirms, after a decline over the past few years a new wave of security threats is hitting UK organisations and costing them billions.
The survey shows that 90 per cent of large organisations (those with more than 250 employees) suffered a malicious security breach in the past year, while 46 per cent saw staff members lose or leak confidential data. In just 12 months, the typical large organisation suffered 45 breaches, with a single breach costing up to £690,000.
But efforts to tackle the risk of security breaches are being undermined by a potentially damaging breakdown in communication between the information security function, IT and the rest of the business.
Instead of working together towards common goals, different parts of the business often fail to understand – or even respect – each other's roles. Miscommunication stems from the different languages used by the three departments. Business, IT and information security leaders need to take parallel steps to close this gap. So, why does such a breakdown in communication arise between these three key stakeholders?
Business leaders grudgingly accept that IT provides vital support to their processes, but frequently feel frustrated by the delays and costs incurred in changing their systems. Worryingly, the disconnect between the business and information security is usually even greater: the business does not see a real need for the security function to exist and cannot understand much of what it says.
To complicate things further, the IT department feels that the business does not really appreciate the good work it does, and that the information security department compounds the problem by making IT's life more difficult: it requires extra controls in systems and delays the implementation of completed projects by insisting on complex activities such as penetration testing and code reviews.
For its part, information security doesn't speak in business language – and going to the board with a technical presentation provokes an immediate loss of interest.
The information security department feels that the three functions should be partners fighting on the same side against a common threat, yet when it tries to explain the nature and scale of threats facing the business and IT, it comes up against misunderstanding and incomprehension.
In some industries, such as financial services, regulatory and compliance pressures have helped information security sell security to the wider business and get onto the business agenda, but in most sectors it remains an uphill battle.
Information security must continue to work closely with the business process owners and with IT to support both functions in achieving their business objectives. Its role as a go-between can sustain and build the business's confidence and buy-in for what it is seeking to achieve.
The breakdown in communication between the three is hindering the business's ability to understand and engage constructively with information security and to ensure that the company's information is protected.
The security of corporate information will stand or fall by the ability of the various internal functions to communicate clearly with one another. It takes willingness and a common language to sustain a meaningful dialogue, so a change in mindset is needed from all sides.