Sunday, March 6, 2011

BS 12, Here Come the Infosecurity Lawyers!

Chapter twelve explores the principles that help us understand the positive interaction between law and information security. It discusses culture, balance, communication and doing the right thing, as well as return on investment (ROI) and return on security investment (ROSI).
According to the text, security professionals deal with systemic problems including poor user practices, buggy software, and a deliberate lack of leadership at the national level. The pervasiveness of these problems, the regularity with which incidents with common elements occur, and the depth of the cultural influences that keep them alive all suggest that legal intervention can make a difference. As a result, information technology and law have already collided and will continue to collide at an increasing pace.
In this chapter, one of the important tools for any investment calculation is ROSI (Return On Security Investment). This calculation gives us a way to justify the investment a project requires. As awareness grows in organizations of the relationship between information security and the fulfilment of business objectives, investments in security-related issues find themselves competing with more significant projects for resources and budget. In general, the Return on Investment (ROI) formula widely used by finance and management departments is: ROI = (Benefit – Cost) / Cost. The ROSI formula is: ROSI = (Mitigated Risk – Cost) / Cost. When we analyze an investment in information security, what we seek is not a financial return but a mitigation of the risk to which the main business processes will be exposed.
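As an added example (not from the book or this post), the ROI and ROSI formulas above applied to three constructed candidate controls competing for the same budget. The "Mitigated Risk" term is quantified here by an assumption the chapter summary does not spell out: annual loss expectancy (ALE = SLE × ARO) before the control minus ALE after it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate security investment (constructed sample data, not real figures)."""
    name: str
    cost: float        # annual cost of the control, same currency unit as the losses
    sle: float         # single loss expectancy: loss from one occurrence of the threat
    aro_before: float  # annualised rate of occurrence without the control
    aro_after: float   # annualised rate of occurrence with the control in place


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy (assumed model for quantifying risk)."""
    return sle * aro


def mitigated_risk(c: Control) -> float:
    """Risk removed by the control: ALE before minus ALE after."""
    return ale(c.sle, c.aro_before) - ale(c.sle, c.aro_after)


def roi(benefit: float, cost: float) -> float:
    """ROI = (Benefit - Cost) / Cost, as stated in the chapter summary."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (benefit - cost) / cost


def rosi(c: Control) -> float:
    """ROSI = (Mitigated Risk - Cost) / Cost; the benefit is the risk mitigated."""
    return roi(mitigated_risk(c), c.cost)


def rank_by_rosi(controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate investments by ROSI, highest first; negatives cost more than they mitigate."""
    return sorted(((c.name, rosi(c)) for c in controls), key=lambda t: t[1], reverse=True)


CANDIDATES = [  # constructed values
    Control("Endpoint backup", cost=20_000, sle=100_000, aro_before=0.5, aro_after=0.1),
    Control("Web application firewall", cost=60_000, sle=250_000, aro_before=0.2, aro_after=0.05),
    Control("Security awareness training", cost=5_000, sle=30_000, aro_before=1.0, aro_after=0.6),
]

if __name__ == "__main__":
    for name, value in rank_by_rosi(CANDIDATES):
        print(f"{name:30s} ROSI = {value:+.2f}")
```

A negative ROSI, as the firewall shows here, is the quantitative form of the budget argument: the control costs more per year than the risk it removes, so it will lose against other projects unless the risk inputs change.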
Many executive managers view security as a legal issue as much as a technological one. Small companies take all of the security responsibility away from the CIO and give it to the legal team. Normally, the legal team is responsible for writing security policies, while the IT team is responsible for enforcing them.
When it comes down to a choice between faster response time, shorter time to market, lower cost or some other traditional IT objective, security in many cases pulls in the opposite direction, slowing things down and lengthening time to market. The CIO may therefore make decisions that indirectly compromise information security. Almost everyone recognizes the need for the IT and legal teams to work together, at least on some level.
Finally, many organizations equate compliance with security, rather than recognizing that compliance only achieves the minimum level of required security.

References:

Oram, A., & Viega, J. (Eds.). (2009). Beautiful Security: Leading security experts explain how they think. Beijing: O'Reilly. ISBN 978-0-596-52748-8.
