Author: Mayurakshi Ray | Chief Information Security Officer at Aditya Birla Minacs
INFORMATION SECURITY: SUPPORT BUSINESS STRATEGY
Today, global organizations consider enterprise security a strategic priority. Both technology and information security have assumed tremendous importance and visibility, since they are critical for any organization to:
- Ensure that it has the right data to make business decisions
- Have data in hand to measure business performance against targets
- Have control over the appropriate channels to deliver goods and/or services to its customers
- Be capable of assessing its vendors' capabilities with regards to essential logistics
- Have real-time information on its liabilities and receivables, and
- Continue business without (or with minimal) disruption.
Such an organization must have an efficient enterprise security architecture and information management system. At an enterprise level, a security management system should be designed to ensure that technology and information are architected to support the business plan and operating standards. Information security has indeed emerged in recent times from a support function into a key business enabler that supports business strategy and performance.
FROM BEING COMPLIANCE DRIVEN TO BUSINESS DRIVEN
There are many views and concepts that run the gamut of security and focus on how security should be managed and administered. For security to truly perform as a business enabler, it should not be construed as a function independent of the reality of business needs, customer expectations and stakeholder requirements.
The security function, in most organizations, is “designed” as the “nay-sayer”, creating an impression of hindrance to business in all its activities. Most security professionals are “compliance driven” rather than “business driven”.
While compliance with policies and procedures, technology principles and regulatory/contractual standards is no doubt a responsibility of the security function, orienting the entire process around compliance alone makes the function restrictive, theoretical and ineffective. The business and its stakeholders then lose interest in the function and try to sidestep security procedures, which is clearly “lose-lose” for everyone concerned.
Hence, to ensure the effective and efficient working of the security function, it should be in tune with the business objectives. Let it be driven by business plans, customer expectations and operational requirements, so that the overall security architecture is integrated with the organizational vision.
Only then can security practices be effectively designed to maintain the core objectives of confidentiality, integrity and availability (as opposed to being organized around data, information, technology and infrastructure) in line with the business vision, while at the same time embedding a culture of security awareness and standards among employees, vendors and collaborators. In such a state, compliance is placed within the ambit of day-to-day business practices rather than being managed as a policing activity.
MANAGING COMPLIANCE STRATEGY IN AN OUTSOURCING ENVIRONMENT
If you have outsourced any part of your business, the sophistication required to manage compliance is far greater. Given the wide range of customers, processes, locations and their respective regulations that an outsourcing services provider has to cater to, its security function has to maintain a fine balance between protecting its own “internal” business interest and the compliance demanded by each client’s regulatory context and contractual requirements.
Therefore, the security implementation program should be aligned with clients’ requirements and their business needs. While the need is to effectively plan, deploy and monitor the appropriate controls and procedures that will ensure compliance, it is even more critical to ensure that compliance does not prevent due flexibility of operations.
For example: our clients require Do Not Call (DNC) compliance for all outbound call programs. The security function is involved from the pre-sales, solution and contracting stage in planning and designing any program to perform in strict compliance, until the operations go live. Ensuring customer satisfaction is the biggest goal for an outsourcing services provider, and the security function should be tuned to that goal while designing its practices and implementation guidelines for business operations.
What are your views on managing compliance in an outsourcing environment? How can we move from being compliance driven to enabling business results? Do share your thoughts with us in our comments section.