Read without ads and support Scribd by becoming a Scribd Premium Reader.
See Premium Plans
 
Information Security Awareness Amongst Top Management
 Joseph M. Katz Graduate School of Business November 26, 2007University of Pittsburgh
Information Security 
hasincreasingly become acritical IS managementissue amongst businesses.Majority of the problemarises because of lack of proper understandingamongst business and ITleaders of negative effects of lack of informationsecurity…
 Author: Saahil Goel
 
Page
2
of 
12
 
Executive Summary 
nformation is the lifeblood of almost every organization in today’s electronic communicationoriented world. IT has changed its position drastically from once being a support function to becoming the chief business driver. Even though information systems are so heavily reliedupon by businesses, the same kind of importance is not given to securing this information. Whileit seems obviously logical to protect information which is so sensitive to the workings of manycompanies, in reality many companies do not consider information protection to be a criticalissue.Most of the issue exists because of the attitude that business leaders and decision-makers havetowards information security implementation initiatives. Most business leaders view informationsecurity as a purely IT initiative rather than a company-wide one. Further, ignorance about thedevastating effects that lack of information security can have further exacerbates the problem. Bynot investing in spreading (and learning) information security awareness, businesses exposethemselves to various risks – such as lawsuits, loss of customer trust, loss of business, loss of sensitive information to competitors, etc.Business leaders need to understand that information security is as important as obtaining theinformation in the first place. This is especially relevant for businesses in the financial servicesindustry. Companies in the FSI sector have sensitive customer information, loss of which notonly affects the reputation of the company but may also cause actual financial losses to thecustomer. Also, because most transactions are electronic in the current banking environment, ahole in boundary protecting information can cause a lot of damage. Businesses need to make surethat information security decisions go hand in hand with all business decisions. For example, if acompany is undergoing a merger with another company, it becomes imperative that informationsecurity considerations are given as much importance as is given to the actual consolidation of transactional and profile data from both companies. Also business leaders need to be maderesponsible and accountable for heading information security initiatives in companies rather thanthis responsibility being solely in the reigns of the information technology departments.Information security training is also something companies are embracing. However the rate of adoption is not very encouraging. Top management needs to ensure that in addition to learningabout information security themselves, they also make the need for following stringent procedures and policies felt within their companies - right from the top to the bottom-mostemployees in a company. The threat posed by leakage of information can happen at any verticalin an organization; it is up to the business leaders to make sure that their attitude and their decisions support their organization’s ability to counter this threat at all levels. Not only shouldrobust and technically advanced information security technology be implemented, it should bekept current and should be utilized to its maximum potential. Not only can information securityimplementations help companies prevent disasters that may be caused by informationcompromises, it can also help them save money and in some cases provide them withopportunities for additional business.
I
 
Page
 3
of 
12
 
The Issue, context and motivation
y and large, every organization has had their share of breach of information security.Information security breaches can be both internal and external – the former being themore dangerous kind. Internal breaches are of a higher concern since the attacker (or hacker) will have relevant information about the company and will know where the loop-holesexist. Other cases in which breaches arise could also be unintentional. In fact, awareness aboutinformation security is the key to reducing if not eliminating losses caused by compromise insecurity. Employers must take on the responsibility of training their employees about the possible effects of irresponsibility on their (employees) part towards following securityguidelines. Further, business board members themselves need to be aware about the potentialconsequences of information security violations can have.With strong government regulations around security in organizations, such as Sarbanes Oxley2002, organizations
have
taken measures to comply with regulation. However, awareness and adrive to protect information are still lacking. Organizations have been taking the reactiveapproach to solving information security problems rather than a proactive one. This is harmful inthe long run for organizations. For example: all financial services companies, such as banks,insurance, trading companies, etc. maintain all their customer data online. If this information wasto get in the wrong hands, the company could face a severely hurt reputation, lack of trust fromits customers, lawsuits or even bankruptcy. Apart from saving a company from these troubles, awell implemented information security system also adds value to companies by providing cost benefits by enabling efficiency in the workplace.From the “2007 Global Security Survey” conducted by Deloitte Consulting LLP, 71% to 89%financial services companies across the globe feel that security has risen to the attention of thecorporate board members as a critical area of business. However, only 0% to 18% financialservices companies reported that their information security strategy is led and embraced by lineand functional business leaders. Hence, information security is currently regarded purely atechnology initiative.The real challenge with information security is that of spreading awareness and concern aboutinformation security to the business leaders in every organization so that it is given keyimportance in business functioning. Further, with increase in volume of businesses – bothvertically and horizontally, complexity of technology and enterprise solutions and the globalnature of the economy also lead to highly complex information security requirements and therisks that come along with not implementing the same.Information security is one aspect of technology and risk management which affects allorganizations. Even though it might affect some organizations more than others (banks,insurance, government, universities, aviation, logistics, stock trading, online retailing) eventuallyit will have major impact on all kinds of organizations. In fact, governments in many countriesother than the USA have not taken deep initiatives to move towards e-governance and electroniccitizen maintenance yet – but it is imperative that at some point they will. To take an exampleeven within the USA, there is discussion about digitizing all health records across all hospitalsand universities in the United States to better serve patients
and 
to make medical research easier 
B
Search
Search History:
Searching...
Result 00 of 00
00 results for result for
  • p.
    • Notes
    Load more