Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
BUSINESS-INTEGRATED INFORMATION SECURITY MANAGEMENT AND BUSINESS LEADERS' ROLE
Introduction
Information and knowledge are basic building blocks of our modern society and need to be managed properly. This paper approaches the question of information security from the viewpoint of business management. Information security is not a separate entity, isolated from other business practices; rather, it constitutes an integral part of the modern business management system and supports the organization in achieving and maintaining a competitive advantage over its business rivals. The aim for business performance, including information security, is superiority over competitors. Fulfilling only the minimum requirements or achieving mediocrity is not enough. Since modern businesses are based on a process approach, information security should also be integrated into the management of business processes. [22]
Business leaders' role is crucial in striving for information security in all kinds of organizations. The situation in practice, however, is not adequate. There is much guidance and education available, but it does not seem to help and may even make the situation more confusing. This paper considers the problem on the basis of a synthesis of multiple research references, through the following questions: What is the state of the art in business people's commitment to information security? Why is business leaders' commitment to information security crucial? Why is senior executives' commitment to information security in practice not satisfactory? After a comprehensive analysis, the paper proposes practical advice on what should be done to enhance the commitment of organizations' senior executives to information security. A key aspect of the proposed management approach is to reinforce the integration and awareness of information security within organizations and then to use innovative methodology for managing information security. This kind of comprehensive approach has received very little consideration in the existing literature, which typically treats information security and its sub-areas as distinct expert issues. [21]
Information and security
Information forms the basis of all intelligent activities. Thus, the performance of individuals and organizations depends on acquiring useful knowledge at the right time and using it to manage and improve their operational business and prepare their strategic plans for the future. This observation is relevant for all kinds of organizations, including private companies, public civil service organizations as well as third sector voluntary and not-for-profit organizations. Many organizations collaborate with their stakeholders on a global scale, and they are strongly dependent on electronic information and communication technology as well as network solutions and services. [13]
Business knowledge is a valuable asset and is consequently also of great interest to others, such as business competitors and hostile groups. Sometimes this situation is described as information war [24]. The incidence of data abuse is on the rise, producing considerable damage. As a result, information security and security management have become central issues in the social and business activities of organizations.
Integration of information security management into the business management system
Information security is related to many different topics of business and science (see figure 1). In order to consider the management of information comprehensively, all these aspects should also be taken into account in an adequate way in practical organizational situations.
Figure 1. A comprehensive approach to information security
The implementation of information security forms an integral part
of all business activities, management activities in particular,
both on the strategic and operational management level. Thus, we
may speak of integrated information security management [10]. To
achieve its aims, information security requires a professional approach
and close cooperation between security experts and business executives.
A company with superior information security knowledge has a great
advantage over the competition, a lead that is difficult to close.
Neither technological solutions nor software-based security measures
are sufficient as such. Even in principle, it is hardly likely that
information security could be accomplished by means of separate
information security systems. These might in fact cause more harm
than benefit. Business management systems (see figure 2) have no
room for such systems; all business activities must be flavoured
by professional information security measures.
Figure 2. Elements of a typical business management system form
the basis for integrating information security management. Each
company must develop its own management practices incorporating
the necessary business needs.
Operationally, information security originates from process-related activities and the information flows between these activities. Thus, information security is affected directly, in real time, through process arrangements, tools and people, which in turn are influenced by appropriate and systematic process management practices. When integrating information security practices and management, it is extremely important to understand information security issues in the context of business processes. This is because, in practice, information security is a cross-functional discipline, which requires close cooperation and multifarious expertise.
In today's world, e-business is an existing reality and offers increasing opportunities to organizations in all sectors. It is important to realize that Internet-based e-business is not merely a technological issue. The Internet provides a rapidly expanding worldwide communication infrastructure that covers all aspects of business and life. The net includes all people, organizations, cultures and communities, and it has already changed the conditions for interaction as well as behaviours. E-business is no longer concerned only with the explicit data and information possessed by organizations, but extends to the tacit knowledge on which people rely in communication. Information security should also be adapted to these new business realities. Moreover, e-business also creates new opportunities both for business management and operations and, consequently, for information security [23].
All these issues relate very strongly to the decisions and actions of top management (the strategic viewpoint) and to the practices used in the management of business processes (the operational viewpoint).
Business people are not adequately committed to information security
There are studies and observations from small and big companies, governmental offices and universities that demonstrate that most people in organizations, including business leaders, are quite familiar with the fundamental principles of information security, recognize their importance and may even be motivated [6]. That is obviously due to the large amount of general and organization-dedicated information security information and education aimed at increasing information security awareness and skills [7].
However, senior executives in those organizations [6]:
- Are not really interested in information security in their own management practice
- Don't understand or recognize their managing role for information security
- Have only a superficial understanding of information security
- Lack the necessary skills for managing an organization with regard to information security
- Readily delegate their own responsibilities to external consultants, or even outsource the whole issue
Therefore it is essential to understand more deeply business leaders' role in organizational information security and the reasons for the inadequate situation.
Business leaders' commitment to information security is crucial
All recognized references, e.g. the international standards for information security management [2-3], the OECD guidelines for information security [1], and a great deal of published professional literature on information security, emphasize the importance of senior executives' commitment to information security [6]. They justify this, for example, with the following facts:
- All organizations are today increasingly information-intensive and information-dependent in their business activities, and information security is crucial for their successful business performance and reputation.
- Development of the information society is the major aim of societal development all over the world. The information society is not only a question of tomorrow; it is already an existing reality.
- Information security is a central management issue at both the strategic and the operational level of management. It cannot be realized by experts, technology or money alone.
- Information security risks are often major business risks.
- Most information security breaches and violations take place within organizations and are committed by their own people.
- Information security is strongly an organizational culture issue, following the behaviour and role model of top management.
As an example, OECD's principles towards a culture of information
security [1] emphasize the managing role of business leaders comprising
awareness, responsibility, responsiveness, ethics, democracy, risk
management, security design and implementation, and assessments
for information security.
All this entails much greater emphasis on information security than is typical now in organizations. Commitment and actions are expected from governments, businesses, other organizations and individual users who develop, own, provide and manage information services, or who use information systems and networks. [7] Top managers are in a key position to make that happen in practice in their organizations.
Reasons for business leaders' poor commitment to information security
There are many reasons why business leaders are not adequately involved in, committed to, and effectively contributing to information security [8]:
- Basic professional information security concepts, e.g. integrity, availability, confidentiality, authority and authenticity, are difficult, complicated and strange to business people. An organization's overall information security performance depends on all these detailed aspects in a complicated way.
- Information security management requires specific knowledge and skills. Organizational information security is a fuzzy concept (see figure 3). An organization should have consistent methodologies in use to evaluate its current status, to project targets for future performance, and to improve performance continually.
- Guidance materials for information security management are complicated and confusing, and difficult to realize and apply consistently [1-4, 8, 25]. Examples include:
  a) General standards and guidelines, e.g. ISO/IEC 27001:2005, ISO/IEC 27002:2005, and the OECD Guidelines
  b) Information technology and service references that normally also consider information security aspects, e.g. ISO/IEC 20000:2005, ITIL, COBIT, the Sarbanes-Oxley Act, Basel II, FISMA, HIPAA, GLBA, etc.
  c) General management references, e.g. the ISO 9000 standards [4], the extensive and multifaceted general management literature, and management education, e.g. MBA programmes, which do not clarify information security as a management issue and do not explicitly promote the issue.
- Information security is a multidisciplinary issue and difficult to cope with using simple managerial practices.
- Communication between business leaders and information security (and other related) experts is in general ineffective and uncreative, both within and between organizations.
- Business leaders are very busy, subjective, authoritative, and holistic generalists.
- External third-party audits and certifications undermine business leaders' active responsibility.
- Business information is principally based on tacit (implicit) knowledge, and managing the security of tacit knowledge is a sophisticated issue [14].
Figure 3. Information security is a fuzzy organizational performance factor. There is always a certain "Is" level of information security in organizations. It is essential for business leaders to know where we are right now, what the needs for improvement ("Should be") are, and how to carry out evaluations and the necessary development activities. [4]
Consequences when senior executives don't commit to information security
Information security management cannot be delegated and cannot happen genuinely and effectively in organizations without business leaders' consistent contributions based on their organizational position, authority, and role. If that does not happen:
a) Information security is not managed in a business-minded way and is not aligned with real business needs.
b) Information security is seen only as a reactive and negative question of fulfilling some standardized requirements.
c) Organizations keep busy with separate and restricted information security questions.
d) Organizations take only "cosmetic" or superficial actions for information security.
e) Organizations keep silent on their problems or incompetence in information security, and suffer the consequences, or hope that nothing serious will happen.
Enhancing business leaders' commitment to information security
The major means for enhancing business leaders' commitment to information security consist of:
a) Integrating information security seamlessly with business management decisions and with strategic and operational activities [10, 11, 25]
b) Strengthening the general information security awareness and culture in the organization under the leadership of senior executives [7]
Integrating information security management with business management in organizations implies the following:
- Information security should be understood as a crucial business issue that cannot be realized successfully without particular expert knowledge. Information security experts have an important assisting role for organizational information security.
- The basic concept of information security management should clearly be a business management concept, defined as the coordinated activities to direct and control an organization with regard to information security.
- Organizations should define clear guiding ideas and principles for information security management that reflect their own business needs and expectations.
- Information security management should be a responsibility of an organization's business management, carried out through the managing actions of business leaders. It should be embedded within normal strategic and operational business management activities, including managerial decisions. [10, 11]
- A sound overall business management system and consistent practices based on profound knowledge should form the steadfast basis for sustainable success in information security management.
- Recognized business management tools, e.g. the PDCA (Plan-Do-Check-Act) model, the business process approach, and business audits and assessments, should be used and combined with specialized information security methodology. Well-known quality management tools in particular are also useful for information security management. [9]
- Effective communication between business leaders and information security experts should be established and facilitated. [13]
- Real business conditions and facilities, as well as business needs and expectations, should be taken into account in developing managerial actions for information security [12, 13]. General information security standards and guidance material should be used as reference material for organization-dedicated information security development.
- An organization's information security status (see figure 1) should be assessed against the organization's business needs and expectations, and information security risks should be managed as business risks. Suitable assessment methodology should be used, where especially continual development actions and results are appreciated. [11]
- Information security development should be included within the organization's business strategies and its strategic and operational business development projects.
- Both reactive (rational) and proactive (creative) measures and continual improvement should be driven decisively by business needs, in order to avoid random drifting or superficial solutions.
- Information security development should be targeted towards excellent information security performance instead of only fulfilling standardized minimum requirements.
Information security management needs managerial responsibilities in three different areas [9]:
- Control: Managing daily operations in business processes in order to achieve the specified results. Normally, rectifying nonconformities is carried out in connection with control.
- Prevention and operational improvements: Solving acute problems, preventing nonconformities, and continually finding and implementing step-by-step operational improvements in business processes.
- Breakthrough improvement and change management: Innovating and implementing strategically significant changes in the way of doing business.
These areas are very typical and normal within the actual practices of business leaders, but they are not normally applied to managing information security [8, 9]. Rapid, responsive and innovative business development in particular is required in modern, rapidly changing business environments [12]. This also puts pressure on innovativeness in the development of information security solutions. Unfortunately, the existing standardization of information security management has not been able to keep pace with the development of society.
Information security awareness is a complicated issue [15, 16] and is required consistently among business leaders, experts (not only information security professionals but also e.g. R&D engineers who are developing information technology and communication solutions and their security practices), and all employees. Different personnel categories require different skills and competences and different depths of information security awareness. [7]
Strengthening general information security awareness and culture in organizations is possible only under the leadership and with the participation of senior executives. This may include the following:
- Promoting discussion and understanding of what information security is all about and why it is important in the case of a particular organization's business
- Establishing and communicating a corporate information security policy consisting of the general intention and direction in information security within the organization
- Practising open and transparent, multilateral, information security related communication in the organization, its business community, and society at large
- Promoting collaborative cooperation and networking of different expert disciplines within the organization, and avoiding harmful competing and conflicting movements among them
- Arranging traditional training events or e-learning facilities for the basics of information security within the organization, with business leaders also participating [5]. However, much of this kind of formal training and education, or of information security awareness programmes, has not necessarily created real awareness or commitment successfully or effectively. Most (80%) of all learning takes place in practice through informal learning. [7, 17, 18, 20]
- Facilitating on-the-job learning (learning by doing), informal learning, and information security auto-control (self-management) within business processes and their particular activities [7, 13]. This should also apply to the strategic management process of an organization.
- Using normal managerial means to promote information security awareness, e.g. by recognizing and rewarding especially successfully established information security improvement actions and results
Increasing information security awareness is both an individual and an organizational learning issue [7, 19].
Cooperation is a necessity in the organization, also for information security. Close cooperation between business managers and information security experts is necessary in order to make security happen in a professional way. Information security is a cross-functional discipline, which also requires close cooperation with the organization's other areas of expertise. Information security management is fully analogous to the management of many other expertise areas important to a company. These include [11]:
- Finance management
- Quality management
- Corporate governance
- Business risks management
- Human resource development
- Information management and communications
- Occupational health and safety factors
- Social responsibility
- Environmental protection
- Innovation management
- Ethical management
All these different expert disciplines also have impacts on information security, and vice versa. It is especially harmful to the organization's business performance and information security if there is competition between different experts within the organization.
Conclusions
Information and knowledge are essential and crucial factors in the operations of all organizations. This creates growing and increasingly complicated information security needs and expectations for organizations' management. However, business leaders are at present not adequately committed and skilled to act for information security according to their management duties. Effective integration of information security with business management activities and enhancement of extensive information security awareness are needed in organizations and in society at large. New innovations in information security thinking, methodologies and organizational infrastructures, and new individual and organizational learning practices, are necessary for today's rapidly changing business environments.
Managerial motto for organizational information security management:
Always ready, never finished
References
[1] OECD, Guidelines for the security of information systems and networks - Towards a culture of security, OECD Publications, Paris, 2002
[2] ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, ISO, Geneva, 2005
[3] ISO/IEC 27002 (17799):2005, Information technology - Security techniques - Code of practice for information security management, ISO, Geneva, 2005
[4] ISO 9000, Quality management standards, International Organization for Standardization, Geneva, 2000, and the drafts for the next revisions of the standards, 2008
[5] Kajava J, Savola R, Varonen R and Anttila J, Exploring the use of an e-learning environment to enhance information security awareness in a small company, the CIS2006 conference, Guangzhou, 2006
[6] Kajava J, Anttila J, Varonen R, Savola R, Röning J, Senior Executives' Commitment to Information Security - from Motivation to Responsibility, Computational Intelligence and Security CIS2006, Guangzhou, 2006
[7] Anttila J, Savola R, Kajava J, Lindfors J, Fulfilling the Needs for Information Security Awareness and Learning in Information Society, The 6th Annual Security Conference, Las Vegas, 2007
[8] Anttila J, Information security standards and global business, 2006
[9] Anttila J, General managerial tools for business-integrated information security management, 2006
[10] Anttila J, Business-integrated information security management, 2003
[11] Anttila J, Managing and assuring information security in integration with the business management of a company, 1998
[12] Anttila J, Quality management in networked and flexible organizations, 2004
[13] Anttila J, Modern approach of information society to knowledge work environment for management, 2006
[14] Anttila J, Tacit knowledge - The essence of quality management systems, 2004
[15] Anttila J, Quality awareness, 2006
[16] Block N, Some concepts of consciousness, 1995
[17] Downes S, The Buntine Oration: Learning Networks, 2004
[18] Cross J, Informal learning - the other 80%, 2003
[19] Senge P, Roberts C, Ross B, Kleiner A, The Fifth Discipline Fieldbook, Nicholas Brealey Publishing Limited, London, 1995
[20] Arina T, Serendipity 2.0: Missing third places of learning, 2007
[21] Anttila J, Reinforcing business leaders' role in striving for information security, the CIS2007 conference, Harbin, 2007
[22] Anttila J, Balanced integration of information security into business management, 2004
[23] Anttila J, Business Integrated e-Quality - Innovative opportunity for modern advanced organizations, 2002
[24] Denning D, Information Warfare and Security, Addison-Wesley, ACM Press Books, Reading, Massachusetts, USA, 1999
[25] Anttila J, Kajava J, Varonen R, Quirchmayr G, Business-integrated information security management, in: Javier Lopez (ed.), Securing information and communication systems, Artech House, Boston/London, 2008
[This text has been presented in different forms in Harbin, China
in 2007 (CIS2007) and in Rovaniemi, Finland in 2008 (IPICS 2008)]