Computer Security to Information Security to Business Security

From Data Security to ….. Business Security?

Prof Basie von Solms

Academy for Information Technology

University of Johannesburg

Johannesburg

South Africa

Prof Rossouw von Solms

Centre for Information Security Studies

Nelson Mandela Metropolitan University

Port Elizabeth

South Africa

Key Words: Data security, Computer security, Information security, IT security, Business security, Corporate Governance, IT Governance, Information Security Governance

Abstract

This paper investigates the development of the protection of the Confidentiality, Integrity and Availability of electronic resources from the early days of computers, when this protection was called Data Security, to the present situation, and suggests that perhaps this protection should now be called Business Security.

1. Introduction

Protecting the confidentiality, integrity and availability (CIA) of (computer based) electronic resources has been an important aspect since the infant days of computing.

This protection went through different phases, driven by the role that data, information and software played in the use of computers at different stages.

When computers started being used in the commercially oriented processing of data, the term used for this protection was data security. This indicated the fact that preserving the CIA of the data itself was seen as the most important factor.

Although it is difficult to specify specific dates, one can say that this was the case from the early fifties to the middle seventies.

As the role and application of computers grew, and corporations realized that this protection covered more than just the data, the term used for this protection changed to computer security. This indicated the realization that protecting more than the data was important: protecting the software and the communications was just as important.

Again, only a wide time scale can be given, say from the middle seventies till the middle eighties.

However, companies became more and more dependent on computers and information processing, and realized that the information generated by the computers and information systems was just as important. Furthermore, company information was not only stored, processed and communicated by electronic means, but also spoken, faxed, photocopied etc. For this reason, protecting all types of information became known as information security.

To emphasize the fact that in some cases this protection is ‘limited’ to data, information and software in electronic form, the term Information Technology security (IT security) has been, and is still being, used as an alternative to Information Security.

The relevant time scale for both these last two terms may be from the middle eighties till the present.

During this period it also became widely accepted that information security is not a technical matter, but a management one. Information Security Management became an important issue, and companies started spending more time and money on providing a proper management infrastructure for information security.

However, although senior management got involved to some extent in aspects around information security, and it even became a topic on Board meeting agendas, it did not necessarily cause Executive Management and Board members to have sleepless nights.

This would, however, change dramatically because of the spotlight being focused on good Corporate Governance.

During the last year or two, driven by developments in the field of Corporate Governance, including IT Governance, it became apparent that this protection has a wider scope than just (directly) protecting the data, information and software of a company. Such data, information and software had become invaluable assets of the business as a whole, and not properly protecting this information could have profound business and legal implications.

Executive Management and Boards started realizing that Information Security Governance was becoming their direct responsibility, and that serious personal consequences, specifically legally, could flow from ignoring information security.

Information security governance had become an important business responsibility, and accountability escalated up to the Board level.

The following quotations from relevant documents illustrate this development:

‘Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of organizations’ overall (corporate) governance program.’ [1]

‘…. boards of directors will increasingly be expected to make information security an intrinsic part of governance, preferably integrated with the processes they have in place to govern IT’ [2].

‘…. for information security to be properly addressed, greater involvement of boards of directors, executive management and business process owners is required’ [2].

‘An information security programme is a risk mitigation method like other control and governance actions and should therefore clearly fit into overall enterprise governance.’ [2]

‘The information possessed by an organization is among its most valuable assets and is critical to its success. The Board of Directors, which is ultimately accountable for the organization's success, is therefore responsible for the protection of its information. The protection of this information can be achieved only through effective management and assured only through effective board oversight’ [3].

This growing realization has established the fact that information security governance has an enterprise wide impact, and that the risks mitigated by an information security governance plan, are risks which have an enterprise wide business implication. After all, we do not refer to such risks as ‘information risks’, but to ‘business risks’, accepting and understanding the fact that if such risks materialize, business as a whole will be affected.

Therefore, if we accept that such protection mitigates business risks, why do we still call it Information Security, and not Business Security?

Business Security therefore mitigates business risks, and Business Security Governance ensures that it is done properly!

One of the risks Board members are exposed to is:

‘Failure to understand the impact of security failures on the business, and potential effect on shareholders, share price and competition’ [4].

This paper suggests that, because of this growing emphasis on good Corporate Governance, we should perhaps now start referring to Business Security, and no longer to information security, when we talk about the discipline responsible for the protection of the company’s (electronic) assets.

It may, quite correctly, be reasoned that the term Business Security is too wide to use in this context, because there are many other aspects to be protected in a company which have nothing to do with information. One example may be the health of the employees. Protecting the health of employees may be seen as part of Business Security for that company, but it is not directly related to the type of protection we are referring to above. Other examples may be video surveillance, alarm systems, access control systems and fire alarm systems.

In the last instance, it can be reasoned that all these technologies are in any case already part of the countermeasures presently being used in information security.

Nevertheless, we feel that by ‘elevating’ Information Security to Business Security, it will get the extra focus and attention it needs to ensure the prolonged existence of the company, and to integrate all the present efforts as far as protection is concerned.

IBM has its Global Business Security Index, which is ‘aimed at the boardroom rather than IT departments because it helps companies assess their security vulnerabilities from a business perspective…’ [7]. Note that they do not call it an ‘Information Security Index’, but rather a ‘Business Security Index’!

The rest of this paper tries to motivate a case for using the term ‘business security’ for what is now known as information security.

2. From Information Security to Business Security

From the comments made in the previous paragraph, and from those below, it is very clear that information security governance is integral to good corporate governance. Although this fact has always been true (by default), the recent emphasis on good corporate governance has brought information security much more ‘into the open’, and ‘into the faces’ of Boards of Directors.

This move has resulted in information security actually being seen as what it always was: a discipline to mitigate business risks.

This has also now been formulated in law, for example by the Sarbanes-Oxley Act [5] in the USA. This development will, however, have an impact much wider than the USA. Other legal implications are also becoming apparent.

‘Finally, company directors should keep in mind that failure and/or refusal to identify and address corporate IT risk may result in personal liability if damages or losses follow.

In terms of section 424 of the Companies Act, a director and even an IT manager may be personally liable for unlimited damages if the failure to identify and manage risks are classified as reckless management of the company by the courts.’ [6]

Data security became computer security, computer security became IT security, and IT security became information security, because of the better understanding of the business impact and associated risk of not properly protecting a company’s electronic resources. The recent emphasis and guidelines on good corporate governance have improved and extended this understanding to such an extent that this protection must now be seen as an integral part of wider business protection, and Business Security seems to be the best term to reflect that fact.

By starting to refer to Information Security as Business Security, and to Information Security Governance as Business Security Governance, the role and position of protecting the electronic resources of a company will benefit from being made a permanent item within the protection of the business as a whole, and within the mitigation of business risks.

3. Positioning Business Security Governance in the company

The fact that the governance of the protection of the electronic assets of a company has become a wider business responsibility is also reflected in the trend to appoint Chief Security Officers (CSOs) in companies. These CSOs report, in many cases, directly to the CEO, and have a direct line to the Board, very much like the Audit Committee in the company.

In [1], several examples are given of the positioning of the CSO, and most, if not all, of those reflect the direct reporting line of the CSO. In some of these examples it is even suggested that the Chief Information Officer (CIO) has a reporting line to the CSO.

Close cooperation between the CSO and the Chief Risk Officer (CRO) also seems to be very important.

It must be stressed that the role of such a CSO is not operational at all, but exclusively management and governance oriented.

This positioning of the CSO must not be seen as taking away all (information) security responsibilities from the IT Department (ITD). The ITD will always be responsible for the implementation and operational running and maintenance of all necessary security matters. This cannot change, and cannot be taken out of the ITD.

The role of the CSO mentioned above is basically to ensure that the implemented security countermeasures properly mitigate the relevant business risks. This gives the CSO a type of responsibility equivalent to that of the internal auditor, and motivates the CSO’s independence from the ITD.

To do this, the CSO may even have a service level agreement with the ITD to provide specified management information on a frequent (daily, weekly etc.) basis. From this information, the CSO should be able to determine the level to which the relevant business risks are mitigated, and report that to the Audit Committee, CEO and/or Board.

4. Conclusion

From the latter half of the previous century, computers have been used to capture, process, store and communicate business data. Even today, this data still forms the core of business information, which is an absolutely critical asset in most businesses. This business information is used in taking important business decisions. Furthermore, it is core to most business processes, and it is often needed for legally required reports.

The business requires correct information. It must also be confident that sensitive information is kept confidential and that this information is available when required. The business is directly dependent on good quality, secure information; otherwise the business will suffer and may even go under. Given the importance of information nowadays, it is no wonder that the mandates of executive management and boards of directors also include the protection of information. Taking all of this into account, it can be concluded that Information Security has grown into Business Security.

This will certainly ensure that the protection of business information will receive the required attention at executive management and board levels.

References

[1] Information Security Governance: A Call to Action, National Cyber Security Summit Task Force.

[2] Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, USA, ISBN 1-893209-28-8.

[3] A Call to Action for Corporate Governance, March 2000, IIA, AICPA, ISACA, NACD.

[4] COBIT Security Baseline, IT Governance Institute, USA, 2004.

[5] Sarbanes-Oxley Act.

[6] ITWeb, South Africa, 16 May 2003.

[7] IBM offers companies monthly security report.