Venture Knowledgist Quality Integration
INFORMATION SECURITY MANAGEMENT AND BUSINESS LEADERS' ROLE
Information and knowledge are basic building blocks of our modern
society and need to be managed properly. This paper approaches the
question of information security from the viewpoint of business
management. Information security is not a separate entity, isolated
from other business practices; rather, it constitutes an integral
part of the modern business management system, and supports the
organization to achieve and maintain a competitive advantage over
its business rivals. The aim for business performance, including
information security, is superiority over competitors. Fulfilling
only the minimum requirements or achieving mediocrity is not enough.
Since modern businesses are based on a process approach, also information
security should be integrated into the management of business processes.
Business leaders' role is crucial in striving for information security
in all kinds of organizations. Situation in practice, however, is
not adequate. There are much guidance and education available but
that does not seem to help or even may make situation more confusing.
The problem is considered in this paper on the basis of the synthesis
of multiple research references through the following questions:
What is the state of art in business people commitment to information
security? Why is business leaders' commitment to information security
crucial? Why is senior executives' commitment to information security
in practice not satisfactory? After a comprehensive analysis the
paper proposes practical advice to what should be done for enhancing
organizations' senior executives' commitment to information security.
Key aspect of the proposed management approach is to reinforce integration
and awareness of information security within the organizations and
then to use innovative methodology for managing information security.
This kind of comprehensive approach has been considered only very
little in the existing literature that typically deal it and its
sub-areas as distinct expert issues. 
Information and security
Information forms the basis of all intelligent activities. Thus,
the performance of individuals and organizations depends on acquiring
useful knowledge at the right time and using it to manage and improve
their operational business and prepare their strategic plans for
the future. This observation is relevant for all kinds of organizations,
including private companies, public civil service organizations
as well as third sector voluntary and not-for-profit organizations.
Many organizations collaborate with their stakeholders on a global
scale, and they are strongly dependent on electronic information
and communication technology as well as network solutions and services.
Business knowledge is a valuable asset and is consequently highly
interesting also for others, such as business competitors and hostile
groups. Sometimes this situation is described as information war
. The incidence of data abuse is on the rise, producing considerable
damage. As a result, information security and security management
have become central issues in the social and business activities
Integration of information security
management into business management system
Information security is related to many different topics of business
and science (see figure 1). All these aspects should be taken into
account also for practical organizational situations in an adequate
way in order to consider management of information comprehensively.
Figure 1. A comprehensive approach to information security
The implementation of information security forms an integral part
of all business activities, management activities in particular,
both on the strategic and operational management level. Thus, we
may speak of integrated information security management . To
achieve its aims, information security requires a professional approach
and close cooperation between security experts and business executives.
A company with superior information security knowledge has a great
advantage over the competition, a lead that is difficult to close.
Neither technological solutions nor software-based security measures
are sufficient as such. Even in principle, it is hardly likely that
information security could be accomplished by means of separate
information security systems. These might in fact cause more harm
than benefit. Business management systems (see figure 2) have no
room for such systems; all business activities must be flavoured
by professional information security measures.
Figure 2. Elements of a typical business management system form
the basis for integrating information security management. Each
company must develop its own management practices incorporating
the necessary business needs.
Operationally, information security originates from process-related
activities and information flows between these activities. Thus,
information security is affected directly in real time through process
arrangements, tools and people which, in turn, are influenced by
appropriate and systematic process management practices. Integrating
information security practices and management, it is extremely important
to understand information security issues in the context of business
processes. This is because, in practice, information security is
a cross-functional discipline, which requires close cooperation
and multifarious expertise.
In today's world, e-business is an existing reality and offers
increasing opportunities to organizations in all sectors. It is
important to realize that Internet-based e-business is not merely
a technological issue. The Internet provides a rapidly expanding
worldwide communication infrastructure that covers all aspects of
business and life. The net includes all people, organizations, cultures
and communities, and it has already changed conditions for interaction
as well as behaviours. E-business is no longer concerned only with
explicit data and information possessed by organizations, but it
extends to tacit knowledge which people rely on in communication.
Information security should also be adapted to these new business
realities. And that is not the end of it, e-business also creates
new opportunities both for business management and operations and
- consequently - for information security .
All these issues relate very strongly to the decisions and actions
of the top management (the strategic viewpoint) and to the practices
used in the management of business process (the operational viewpoint).
Business people are not adequately
committed to information security
There are studies and observations from small and big companies,
governmental offices and universities that demonstrate that most
people - including business leaders - in organizations are quite
familiar with the fundamental and basic principles of information
security, recognize their importance and even may be motivated .
That is obviously due to a lot of general and organization-dedicated
information security information and education for increasing awareness
and skills of information security .
However, senior executives in those organizations :
- Are not really interested in information security in their own
- Don't understand or recognize their managing role for information
- Have only a superficial understanding of information security
- Lack the necessary skills for managing an organization with regard
to information security
- Easily delegate their responsible duties to external consultants
or even outsource the whole issue
Therefore it is essential to understand more deeply business leaders'
role in organizational information security and reasons to the inadequate
Business leaders' commitment to information
security is crucial
All recognized references, e.g. international standards for information
security management [2-3], OECD guidelines for information security
, and a lot of published professional literature references for
information security emphasize the importance of senior executives'
commitment to information security.  They justify this e.g. with
the following facts:
- All organizations are today increasingly information-intensive
and information-dependent in their business activities, and information
security is crucial for their successful business performance and
- Development of the information society is the major aim of societal
development all over the world. Information society is not only
a question of tomorrow but it is already an existing issue.
- Information security is a central management issue at both strategic
and operational level of management. It cannot be realized only
by experts, technology, or money.
- Information security risks are often major business risks.
- Most information security breaches and violations take place within
organizations by their own people.
- Information security is strongly an organizational culture-issue
following the behaviour and role model of the top management.
As an example, OECD's principles towards a culture of information
security  emphasize the managing role of business leaders comprising
awareness, responsibility, responsiveness, ethics, democracy, risk
management, security design and implementation, and assessments
for information security.
All this entails much greater emphasis on information security
than what is typical now in organizations. Commitment and actions
are expected by governments, businesses, other organizations and
individual users who develop, own, provide and manage information
services, or use information systems and networks.  Top managers
are in key position to get that happen in practice in their organizations.
Reasons to business leaders' poor commitment
to information security
There are many reasons why business leaders are not adequately
involved, committed, and effectively contributing to information
- Basic professional information security concepts, e.g. integrity,
availability, confidentiality, authority, authenticity, are difficult,
complicated and strange to business people. Organizational overall
information security performance depends on all these detailed aspects
in a complicated way.
- Information security management requires specific knowledge and
skills. The organizational information security is a fuzzy concept
(see figure 3). One should have consistent methodologies in use
in an organization to evaluate its current status, to project targets
for the future performance, and to improve continually the performance.
- Guidance materials for information security management are complicated
and confusing, and difficult to realize and apply consistently.
[1-4,8, 25] Examples include: a) General standards and guidelines,
e.g. ISO/IEC 27001:2005, ISO/IEC 27002:2005, and OECD Guidelines
b) Information technology and service references that normally consider
also information security aspects, e.g. ISO/IEC 20000:2005, ITIL,
COBIT, Sarbanes-Oxley Act, Basel ll, FISMA, HIPAA, GLBA, etc. and
c) General management references, e.g. ISO 9000 standards , extensive
and multifaceted general management literature, and management education,
e.g. MBA programmes, don't clarify information security as a management
issue and don't explicitly promote the issue.
- Information security is a multidisciplinary issue and difficult
to cope with simple managerial practices.
- Communication between business leaders and information security
(and other related) experts is ineffective and uncreative in general
and within organizations.
- Business leaders are very busy, subjective, authoritative, and
- External third party audits and certifications undermine business
leaders' active responsibility.
- Business information is principally based on tacit (implicit)
knowledge, and management of the security of tacit knowledge is
a sophisticated issue .
Figure 3. Information security is a fuzzy organizational performance
factor. There is always a certain "Is" level of information
security in organizations. It is essential to business leaders where
we are right now, what the needs, "Should be", for improvements
are, and how to carry out evaluations and necessary development
Consequences when senior executives
don't commit to information security
Information security management cannot be delegated and cannot
be happen genuinely and effectively in organizations without business
leaders' consistent contributions based on their organizational
position, authority, and role. If that does not happen:
a) Information security is not being managed business-minded and
not aligned with real business needs.
b) Information security is seen only as a reactive and negative
question to fulfil some standardized requirements.
c) Organizations keep busy with separate and restricted information
d) Organizations take only "cosmetic" or superficial actions
for information security.
e) Organizations keep silent on their problems or incompetence in
information security - and suffer consequences, or hope that nothing
serious will happen.
Enhancing business leaders' commitment
to information security
Major means for enhancing business leaders' commitment to information
security consist of:
a) Integration of information security seamlessly with business
management decisions and strategic and operational activities [10,
b) Strengthening the general information security awareness and
culture in organization under the leadership of senior executives
Integrating information security management with business management
in organizations implies the following:
- Information security should be understood as a crucial business
issue that cannot be realized successfully without particular expert
knowledge. Information security experts have an important assisting
role for organizational information security.
- Basic concept of information security management should be clearly
a business management concept and defined as coordinated activities
to direct and control an organization with regard to information
- Organizations should define clear guiding ideas and principles
for information security management reflecting their own business
needs and expectations.
- Information security management should be a responsibility of
an organization's business management that takes place through the
managing actions of business leaders. It should be embedded within
normal strategic and operational business management activities,
including managerial decisions. [10,11]
- Sound overall business management system and consistent practices
by using profound knowledge should form the steadfast basis for
a sustainable success in information security management.
- Recognized business management tools, e.g. PDCA (Plan-Do-Check-Act)
model, business process approach, and business audits and assessments,
should be used and combined with information security specialized
methodology. Especially well-known quality management tools are
useful also for information security management. 
- Effective communication between business leaders and information
security experts should be established and facilitated. 
- Real business conditions and facilities as well as business needs
and expectations should be taken into account in developing managerial
actions for information security [12, 13]. General information security
standards and guidance material should be used as reference material
for organization-dedicated information security development.
- An organization's information security status (see figure 1) should
be assessed against organization's business needs and expectations
and information security risks managed as business risks. Suitable
assessment methodology should be used in assessments where especially
continual development actions and results are appreciated. 
- Information security development should be included within organization's
business strategies and strategic and operational business development
- Both reactive (rational) and proactive (creative) measures and
continual improvement should be driven decisively by business needs
in order to avoid random drifting or superficial solutions.
- Information security development should be targeted towards excellent
information security performance instead of only fulfilling standardized
Information security management needs managerial responsibilities
at three different areas :
- Control: Managing daily operations in business processes in order
to achieve the specified results. Normally rectifying nonconformities
is carried out in connection with control.
- Prevention and operational improvements: Solving acute problems,
preventing nonconformities, and finding / implementing operational
step by step improvements in business processes continually
- Breakthrough improvement and change management: Innovating and
implementing strategically significant changes in the way doing
These areas are very typical and normal within actual practices
of business leaders but they are not normally applied for managing
information security [8, 9]. Especially rapid responsive and innovative
business development is required in modern rapidly changing business
environments . This sets pressure also to innovativeness in
the development of solutions of information security. Unfortunately
the existing standardization of information security management
has not been able to follow the development of the society.
Information security awareness is a complicated issue [15, 16]
and is required consistently among business leaders, experts (not
only information security professionals but also e.g. R&D engineers
who are developing information technology and communication solutions
and their security practices), and all employees. Different personal
categories require different skills and competences and different
deepness of awareness of information security. 
Strengthening general information security awareness and culture
in organizations is possible only under the leadership and participation
of senior executives. This may include the following:
- Promoting discussion and understanding what information security
is all about and why it is important in the case of a particular
- Establishing and communicating corporate information security
policy consisting of the general intention and direction in information
security within the organization
- Practicing open and transparent information security related multilateral
communication in the organization, its business community, and society
- Promoting collaborative cooperation and networking of different
expert disciplines within the organization, and avoiding harmful
competing and conflicting movements among them
- Arranging traditional training events or e-learning facilities
for the basics of information security within the organization and
also participated by business leaders . However, much this kind
of formal training and education or information security awareness
programs has not necessarily created real awareness or commitment
successfully or effectively. Most (80%) of all learning takes place
in practice through informal learning. [7, 17, 18, 20]
- Facilitating on-the-job learning (learning by doing), informal
learning, and information security auto-control (self-management)
within business processes and their particular activities [7, 13].
This should also apply to the strategic management process of an
- Using normal managerial means to promote information security
awareness, e.g. through recognizing and rewarding especially successfully
established information security improvement actions and results
Increasing information security awareness is bioth individual and
organizational learning issue [7, 19].
Cooperation is the necessity in the organization also for information
security. The close cooperation between business managers and information
security experts is a necessity in order to get security happen
in a professional way. Information security is a cross-functional
discipline, which requires also close cooperation with other expertises
of the organization. Information security management is fully analogous
to the management of many other expertise areas important to a company.
These include :
- Finance management
- Quality management
- Corporate governance
- Business risks management
- Human resource development
- Information management and communications
- Occupational health and safety factors
- Social responsibility
- Environmental protection
- Innovation management
- Ethical management
All these different expert disciplines have impacts also in information
security, and on the contrary. It is especially harmful to the organization's
business performance and information security if there is a competition
between different experts within the organization.
Information and knowledge are essential and crucial factors in
operations of all organizations. This creates growing and complicating
information security needs and expectations for organizations' management.
However, business leaders are now not adequately committed and skilled
to act for information security according their management duties.
Effective integration of information security with business management
activities and enhancement of extensive information security awareness
are needed in organizations and societies at large. New innovations
in information security thinking, methodologies and organizational
infrastructures, and new individual and organizational learning
practices are necessary for today's rapidly changing business environments.
Managerial motto for organizational information security management:
Always ready, never finished
 OECD, Guidelines for the security of information systems and
networks - Towards a culture of security, OECD Publications, Paris
 ISO/IEC 27001:2005, Information technology - Security techniques
- Information security management systems - Requirements, ISO, Geneva
 ISO/IEC 27002 (17799):2005, Information technology - Security
techniques - Code of practice for information security management,
ISO, Geneva 2005
 ISO 9000, Quality management standards, International Standardization
Organization, Geneva 2000, and the drafts for the next revisions
of the standards, 2008
 Kajava J, Savola R, Varonen R and Anttila J, Exploring the use
of an e-learning environment to enhance information security awareness
in a small company, the CIS2006 conference, Guangzhou 2006
 Kajava J, Anttila J, Varonen R, Savola R, Röning J, Senior
Executives Commitment to Information Security - from Motivation
to Responsibility, Computational Intelligence and Security CIS2006,
 Anttila J, Savola R, Kajava J, Lindfors J, Fulfilling the Needs
for Information Security Awareness and Learning in Information Society,
The 6th Annual Security Conference, Las Vegas 2007
 Anttila J, Information security standards and global business,
 Anttila J, General managerial tools for business-integrated
information security management, 2006
 Anttila J, Business-integrated information security management,
 Anttila J, Managing and assuring information security in integration
with the business management of a company, 1998
 Anttila J, Quality management in networked and flexible organizations,
 Anttila J, Modern approach of information society to knowledge
work environment for management, 2006
 Anttila J, Tacit knowledge - The essense of quality management
 Anttila J, Quality awareness, 2006
 Block N, Some concepts of consciousness, 1995
 Downes S, The Buntine Oration: Learning Networks, 2004
 Cross J, Informal learning - the other 80% , 2003
 Senge P, Roberts C, Ross B, Kleiner A, The Fifth Discipline
Fieldbook, Nicholas Brealey Publishing Limited, London, 1995
 Arina T, Serendipity 2.0: Missing third places of learning,
 Anttila J, Reinforcing business leaders' role in striving for
information security, the CIS2007 conference, Harbin 2007
 Anttila J, Balanced integration of information security into
business management, 2004
 Anttila J, Business Integrated e-Quality - Innovative opportunity
for modern advanced organizations, 2002
 Denning D. Information Warfare and Security. Addison-Wesley.
ACM Press Books. Reading, Massachusetts. USA, 1999
 Anttila J, Kajava J, Varonen R, Quirchmayr G, Business-integrated
information security management, Ed. Javier Lopez, Securing information
and communication systems, Artech House, Boston/London, 2008
[This text has been presented in different forms in Harbin, China
in 2007 (CIS2007) and in Rovaniemi, Finland in 2008 (IPICS 2008)]