Take a second and think: what comes to mind when you think about Information Security?
Is it: people with hoodies (hackers), apps on WhatsApp trying to steal your money, phishing mail, computers, applications, NIS2, GDPR, cybercrime, firewalls (or other security techniques)?
Well, that’s very logical, because those are tangible things that either compromise your information or try to stop this from happening. And when something is tangible, you (have the feeling you) can do something about it.
The question is: why isn’t securing your ‘information’ the first thing that comes to mind? None of the things mentioned is the object you realize security for. The object to secure is your (organization’s) information.
To realize information security, it is key to look for ways to close the gap between the board and technology. The challenge is that a lot of organizations focus on getting the board more ‘tech-savvy’.
I think that it is only possible to close this gap by working the other way around: we need to translate technology to the information it is processing.
Let me explain this with a Q&A:
Q: What does the board want to do?
A: They want to achieve the goals and objectives of the organization.
Q: How does an organization achieve them?
A: By having knowledgeable and skilled people in the organization who process information in such a way that they can perform the actions needed to achieve those goals.
Q: Where does technology come in?
A: As soon as it is used to support the organization and its people in processing information more efficiently and more effectively (digitization).
Q: So, why can’t I start with that technology, since that is where we mostly process information nowadays?
A: Because technologies are a means to an end. Start with the end to understand how to use the means.
Q: Why don’t we do this already?
A: Interpreting information is a subjective process, shaped by individuals’ unique perspectives. This makes information abstract. It isn’t tangible.
Q: Why is that a problem?
A: Because the more the understanding of information depends on people’s interpretation, the bigger the chance that the interpretation is incorrect. Also, differing views make it difficult to agree on what to protect.
Q: So, what to do?
A: Take your processes and look at what information they need to move forward. Take that information and make it as clear as possible; make sure there is no question about how to interpret it.
Q: And then what? Doing this doesn’t make it secure.
A: Analyze what impact your organization would suffer if the information streams become unavailable, incorrect, or fall into the wrong hands. Then take measures to prevent that impact. And take those measures everywhere they are needed, not only in technology.
Q: Sounds like a lot of work ☹️
A: At least you start working on actually securing your information.