About Governing for Enterprise Security

Why Security Means Business, Not Firewalls

The once arcane art of security is now a mandatory and ubiquitous part of doing business. Numerous United States and European Union laws passed in the last decade require that organizations implement security measures, including the following:

The Sarbanes-Oxley Act of 2002 requires public companies to establish controls to ensure the accuracy of financial data.
The Gramm-Leach-Bliley Act requires financial institutions to protect customers' personal information.
The Health Insurance Portability and Accountability Act (HIPAA) requires the medical industry to protect and secure personal health care information.
The Federal Information Security Management Act federally mandates that agencies implement security controls.
The EU Data Privacy Directive establishes strict requirements for handling individuals' personal information in the European Union.
More than 30 U.S. state governments have passed laws that require companies to publicly disclose any security breaches that result in the compromise of state residents' personal data.

This is scary stuff for anyone vested in the success of a business. If a company discloses that it has lost its customers' data, its reputation could be harmed and it could lose customers. Its stock price could fall and it could lose revenue. These are not just security issues - these are business issues.

Potential risks to businesses are many and range in impact from minor to catastrophic: a partial list includes natural disasters, terrorism, power outages, hackers, malicious insiders, user errors, computer viruses, worms, internet spyware, phishing emails, and social engineering. Even threats that are generated intentionally seldom target IT systems in particular, or business continuity in general; nevertheless, they still carry huge security implications.

Because of its potential business impact, security is no longer the sole province of the IT department (if it ever was). Security is becoming a core competency for business leaders, who must now ensure business resilience and continuity despite all kinds of threats. This is not to say leaders need to know how to configure a firewall - they don't - but they do need to understand basic concepts of enterprise and information security. This includes, for example, understanding that a firewall is a tool used to separate two networks, creating a gateway and filter through which all inbound and outbound traffic must pass - much like immigration and emigration checkpoints.

Thus forearmed, leaders will be better prepared to have productive dialogues about how to protect business assets from internal and external attacks. These conversations might take place with leaders in a variety of roles, such as chief risk officers (CROs), chief information officers (CIOs), chief information security officers (CISOs), chief privacy officers (CPOs), audit and compliance officers, or legal counsel.

Security threats and risks are enterprise-wide, and so are the solutions. Leaders do not need to be specialists who understand every individual threat, but they do need a general awareness of threats. Before acting, they must ask themselves, "What are the security implications of this action? What threats and risks might we face?" Asking these types of questions helps leaders make better-informed decisions.

To be fair, some managers do play an active, knowledgeable role in risk mitigation, working with IT and other departments to implement proactive policies and safeguards along with reactive fixes. Others may engage in security risk mitigation in a more limited way, such as getting involved with change management (which may be viewed as a "big picture" issue) but not access control (which may be viewed as an IT or physical security issue). Others may delegate risk mitigation to other personnel and rarely think about it at all.

Unfortunately, this is not how security works. Everyone in an organization, especially leaders, must take responsibility for security in their daily actions. Because leaders make more - and more critical - decisions than most other employees, their responsibility is even greater.

Thus the question, "How do leaders address security effectively and in a business context?"

The resources on this site address this question.

Excerpted from "Bridging the Language Gap: An Information Security Course for MBA Students," a Carnegie Mellon University Master's thesis by Stephanie Losi, May 2007.


A complete version of the Governing for Enterprise Security (GES) Implementation Guide is available as an SEI report.