Business Model for Information Security – What is it all about?

The role of information security has not been clearly defined in many organizations. These organizations face challenges such as a lack of senior management commitment to information security initiatives, poor security planning, integration issues between business goals and information security, issues relating to accountability for implementing, monitoring and reporting on information security, and so on.

As long as information security is viewed as a separate department within the organization, with security initiatives that are not linked to the business objectives, it is not possible to address weaknesses in security management, cut down unnecessary expenditure on controls and protect information assets from various risks.

To achieve the stated objectives, every security initiative should take into consideration the human element responsible for implementing the controls. The Business Model for Information Security provides a holistic approach that enables organizations to effectively re-evaluate the investments made in information security by taking a business-oriented approach to managing it. The model describes four elements (Organization Design and Strategy, People, Process and Technology) and six dynamic interconnections (Governing, Culture, Enabling and Support, Emergence, Human Factor and Architecture) that link the four elements and maintain the equilibrium between them.

The model is represented in the form of a pyramid:

[Figure: the Business Model for Information Security pyramid]

Continuous interaction of all the elements through the dynamic interconnections is important for effectively integrating information security initiatives with the business objectives. Any improperly made change or poorly addressed issue affects the balance of the pyramid.

This model focuses on people and processes in addition to technology and can help in achieving initiatives such as strategic alignment, risk management, resource management, value delivery, performance measurement and process improvement.
