S 3.44 Making management aware of information security issues
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: IT Security Officer
Strong and active support of the top management is essential to the success of security campaigns directed towards the employees. For this reason, it is also essential to make management aware of security issues before starting any information security awareness-raising measures directed towards the employees.
The following presents the most important information needed by management for this purpose:
- Descriptions of the security risks and the costs associated with them
The attention of decision-makers can be attracted to security issues, for example, by submitting reports of security incidents that could also affect your organisation (i.e. security problems affecting organisations in the same industry or organisations that use similar IT). Examples of specific security incidents that occurred nearby or at comparable organisations can make it easier for management to provide their support. Nowadays, such examples are found not only in technical magazines, but also in daily newspapers (reports of hacker attacks or of viruses infecting large organisations, for example) and naturally in great numbers on the Internet. Real damage events that occurred in the past at the organisation can also be used to achieve this goal.
Experience has shown that it is difficult to provide exact figures for potential financial damage. Statistics and assessments such as those published from time to time by the police (the German BKA or the FBI in the USA) or by security magazines may provide suitable information in some cases.
- Effects on the business processes
Furthermore, it is important to describe the effects of information security incidents on the business-critical processes. Management is not always aware of the potential dependencies between applications and IT systems.
A list of possible security risks alone is generally not enough, though, to gain the support of management. A balanced argument should also include the following points.
- Legal security requirements
Laws and other legal regulations can also result in requirements for information security in an organisation. Examples of such laws include data protection laws, codes of social law, trade laws, civil codes, criminal codes, etc.
Many legal requirements for information security are formulated in a general manner and may sometimes appear to be non-binding under certain circumstances.
However, it is still possible to derive specific duties for guaranteeing an adequate level of security from such legal requirements. An organisation must examine which laws and regulations actually apply in its case.
- Advantages of certification
Certification of the information security processes provides official confirmation of the high value placed on information security by an organisation. The level of trust placed in the IT of the organisation by business partners and the general public can be increased through certification. Certification can also provide a competitive advantage in tenders.
- Standard IT security procedures in your industry
The conduct of other similar organisations can also provide additional motivation to use information security standards. Information on industry standards can be obtained from technical magazines in your industry, from events, or by contacting chambers of commerce and trade associations.
A suitable starting point for raising the awareness of management is a brief report, followed by a presentation, explaining the subject of information security based on current examples (external and internal examples). The report and presentation could point out that technical safeguards are useless unless personnel and organisational safeguards are implemented simultaneously, for example. To obtain the support of management, it helps to point out the benefits of such safeguards.
By presenting the security risks and alternative solutions, it is possible to convince management of the necessity to implement security safeguards.
Experience shows that information security can only be implemented successfully in an organisation if all superiors set a good example. It therefore makes sense to explicitly require all managers to make their employees aware of the security policies and of their obligation to follow them.
Review questions:
- Is management aware of security issues?
- Does management support information security through exemplary conduct?