Magazine article Security Management

Take It from the Top

Article excerpt

TAKE IT FROM THE TOP

MANAGEMENT'S ROLE IN computer security. This concept may come as a shock to many of today's managers. However, not only do managers have a role, but their role includes much more than mere asset accountability and control. Too many managers regard computer security as a technology problem rather than a management one and defer computer security to technicians.

Why this confusion? Management's erroneous perception that computer security is a technology problem stems in part from a misunderstanding. In addition to obviously technological components such as hardware and software, computer security includes both administrative issues (personnel and procedural matters) and environmental issues (physical security and hazard protection).

Another point of confusion is that to many managers computer security is neither computer nor security. This opinion is formed when managers hear computer technicians disparage security as detrimental to data processing and claim that security personnel want to lock up everything indiscriminately, and when managers hear businesspeople question the expenditure of funds and other precious resources on something so difficult to comprehend. Management tends to disregard any issue, like computer security, that lacks clear-cut organizational and staff support.

Another element of confusion stems from the belief that because nothing bad has happened, nothing needs to be done. This shortsighted view suggests that one ought to wait for a disaster before doing anything about it. If this line of thinking were applied to the rest of the business, no insurance or other risk management process would ever be used.

Security's fundamental objective is to reduce losses, while management generally focuses on expanding business opportunities. Because of these differences, management often assigns computer security responsibility to the data processing department, which may seem more sensitive to management's objectives than the security department is.

Finally, the fact that computer security crosses over organizational lines makes it difficult for management to identify a department that can obtain cooperation and compliance from the entire organization. This situation is another reason that management often assigns computer security responsibilities to data processing technicians--they already cross organizational lines. This management decision may be made even though there is a basic conflict of interest in allowing the unit responsible for operating the computer system also to have the final say on the type and amount of protection the system is provided.

A definition of computer security might help clear up these misunderstandings about management's role. Computer security is the detection, prevention, and investigation of actual or potential acts or omissions that threaten a computer system's resources, data, or processing capabilities. Computer security includes all the problems associated with safeguarding critical resources and sensitive information in general plus problems that are unique to automated information processing and communications systems.

The difficulty in providing adequate security for computer systems lies not in the general security principles but in the aggregation of diverse, complex elements whose security affects all aspects of the organization. As a result, management that defers computer security responsibilities to the data processing organization is likely to experience some type of computer security-related problems eventually.

ONCE management recognizes that computer security transcends both the data processing department and the security office, it must assume the leadership role by performing several key steps toward securing computer systems.

Policy. Management's role in computer security begins with the establishment of a definitive computer security policy. A policy statement about computer security might not be necessary except that employees' attitudes toward computer and information security vary widely. …
