According to the Business Software Alliance (BSA), the rate of cyber security incidents has roughly doubled every year since 2000. This rampant insecurity has led legislators and industry players to pay special attention to IT security essentials (BSA, 2003). The threats on this front are new to many organizations, and there is no established framework by which IT security issues can be handled, which is a major obstacle to dealing with them effectively (BSA, 2003). This review analyses research carried out by experts in the IT industry and the recommendations made to organizations to overhaul their IT and IT risk management.
Information plays a key role in achieving the business goals of any organization, yet among the factors management has to control it remains the least understood, because attaining security is a process rather than a one-off purchase; this has to change (COBIT).
Corporate management has taken a mainly passive role when it comes to the management of IT resources and the security threats associated with them (COBIT). This defensive, reactive approach has continued to put more pressure on the entire organizational management structure, and industry experts agree that unless management plays a more active role the business will suffer in many ways (COBIT). What is needed is a promotion of awareness at all levels of the corporate management structure to put firms in a position to face the new-age challenge of cyber insecurity (ISO, 2011).
Security governance principles
The gravity of the security threats facing the IT departments of many businesses has necessitated the intervention of both government and corporate stakeholders in security governance. Security governance frameworks provide a roadmap for the implementation, evaluation and improvement of information security practices (BSA, 2003). One way to go about this is to develop a governance framework which allocates roles to the different members of management, from the CEO to the CIO (BSA, 2003). ISO has been relentless in its pursuit of proper standards to enhance the security of information assets. ISO/IEC 17799 is a standard that has received a lot of praise from industry players (it has since been renumbered as ISO/IEC 27002 within the ISO/IEC 27000 family), and it is regarded as the most important standard for the secure management of information.
Why stakeholders should be involved in IT governance
According to research carried out by BSA, customers are more responsive to products that are delivered through secure IT channels. Vendors and partners also want assurance that the networks handling their information are secure and will not compromise it (BSA, 2003). Frameworks such as COBIT (published by ISACA) provide guidance on the IT governance framework managers should adopt (COBIT). COBIT also recommends the involvement of top management in the management of IT-related risks, a departure from the traditional approach to the issue.
COBIT recommends that the IT governance framework an organization adopts should attain the following objectives. Firstly, IT should be aligned with the business objectives of the organization so that its role in the daily business operations of the organization is enhanced.
Secondly, the IT department should help the organization achieve its mission objectives and maximize the organization's benefits. Thirdly, IT resources should be handled with the same level of seriousness as the other resources in the organization. Effective handling of the IT resource will ensure that its benefits to the firm are improved and that the cost of using it is justified.
Explanation and recommendation of IT governance to managers
Industry experts concur that managers should stop treating IT governance as a purely technological concern. Management should realize that the role of IT security extends beyond the mandate of the Chief Information Officer (CIO) (BSA, 2003). Key players in the IT industry also agree that management is in the best position to ensure best practices and the efficient use of technology (BSA, 2003). ISO likewise recognizes that the level of IT security, and the controls associated with it, should be under the control of the organization's management.
Role of IT security professionals in terms of governance
A major factor affecting the IT resource is the security risk it exposes the organization to (COBIT). IT security risks can be very detrimental to the organization, especially if it relies heavily on IT for its operations (COBIT). Because of these risks, the firm has to have appropriate measures in place to minimize the damage that IT insecurity causes (COBIT).
At this point it should be clear to managers that control of the IT resource is not as hard as is presumed. Stakeholders should realize that a legal framework already exists to handle IT security issues (BSA, 2003). BSA also suggests that the industry should develop an information security governance framework. Both COBIT and ISO call upon management to take more initiative in the management of IT risks. Shying away from this management responsibility could pose serious threats to the organization in today's highly competitive business environment (COBIT).