Security 102: Information Security Planning

It quickly becomes obvious: Without planning, we're lost.

Protecting business information requires an information security plan. Without this forethought, safeguard afforded to information is likely to be insufficient and inconsistent--not a recipe for exceptional business practice.

A well-structured information security plan enables companies to spend the least amount of money and effort to provide sufficient protection for business-critical information. The business benefit of properly securing information is continued (hopefully profitable) operation and possibly expansion, greater market share and elimination of competition through better business practices.

Recognizing the Value of Information Assets
An effective information security plan begins with appreciation of the very entity you are working to protect: Information is the lifeblood of many, if not all, organizations. Businesses depend on it as a competitive edge to continue and expand.

Within business competition, the winner is the company with unique information, or the ability to use information in an innovative way. The longer this advantage can be maintained, the longer the organization continues to lead or win.

Various factors combine to make information increasingly valuable and the substance of a competitive edge. In today's "Information Age"--as compared to previous decades or centuries--information is more volatile, subject to a shorter useful lifetime, used by multiple organizations, transmitted, shared or stolen in extremely short time periods

Often companies do not protect information properly because they do not view electronic data as an asset. They are used to thinking of assets as things of a physical nature, such as buildings and computer equipment.

In reality, information is often many times more valuable than the cost of the computer(s) on which it resides, the applications that process it, or the administrative and other facilities necessary to support its use. Costs associated with collecting, developing or generating information is often underestimated. And, as many companies realize too late, the potential cost of a compromise to the information and the consequential impact of the business can be devastating.

Business Impact of Planning
Some information is highly sensitive for personal, financial or organizational reasons. Even so, relatively few companies protect information according to its value. Often, all electronic data is protected the same way--usually with too much or too little protection.

The business impact of improper protection could be loss (financial, market share, company secrets, etc), or even bankruptcy.

Companies often peg efforts to create a security system as too difficult. However, organizations that understand how they use and value information find the security planning process relatively easy.

When information is treated as a vital business component and defended properly through a set plan, companies are exhibiting not "best-practice," but "exceptional-practice." Those organizations are truly demonstrating due care to their stakeholders by properly protecting one of the organizations' key assets.

Conversely, businesses that don't properly protect information using a formal process are not demonstrating consideration and are potentially at risk of big losses if the data is compromised.

In summary, information is critical to the continued success, operation or survival of an organization. Therefore, businesses should take all necessary, reasonable and prudent steps to protect that information and their competitive edge.

As usual, planning is critical to success.

Watch for the second Security 102 class, "Information Security Plan Development."