"An effective governance framework is always helpful to develop and maintain a comprehensive information security program"
Maximizing cost efficiency for information security
Information and the knowledge based on it have increasingly become vital enablers of business operations. Hence it is important to provide adequate levels of protection. For banks, who deal with public money, accurate information is even more critical, making information security is a vital area of concern.
From a banking perspective, information security deals with information in various channels like spoken, written, electronic, etc. and also information handling, in terms of creation, viewing, transportation, storage and destruction.
An effective governance framework is always helpful to develop and maintain a comprehensive information security program. Information security governance consists of the leadership, organizational structures and processes that protect information and mitigation of growing information security threats. IS governance helps to increase the cost efficiency by aligning information security with business strategy to support organizational objectives, managing and mitigating risks, reducing potential impacts on information resources to an acceptable level. This also helps in optimizing information security investments in support of organizational objectives.
Globally accepted frameworks like COBIT 5 provide guidance to understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats. This helps to reduce complexities and increase cost effectiveness. It helps to improve integration of information security and reduce information security incidents.
Top management commitment is very essential in implementing a governance framework and thereby maintain information security. From a banking perspective, the top management is responsible for understanding risks to the bank and ensuring that they are adequately addressed from a governance perspective. Periodic meetings of high level committees like IT strategy committee and risk management committee help the top management to understand the issues. Top management will then demand to have effective strategic planning process in place, ensuring that IT investments represent a balance of risks and benefits and that budgets are acceptable.
Establishing and maintaining an enterprise architecture framework will help enable application development and decisionsupporting activities. The model should facilitate optimal creation, use and sharing of information, in a way that it maintains integrity, is flexible, functional, costeffective, timely, secure and resilient to failure.
Every security measure, technical or otherwise, has and will fail at some point in time. What is needed in risk management is to design and implement security programs that cost effectively mitigate risk. There will be losses, but the goal should be to control the losses in a reasonable manner.
Creating awareness among the users is very cost effective and helps to mitigate the risk to a great extent. Even a 50 percent reduction of loss will be a good return on security investment, especially when the cost of typical security awareness programs are minimal. Awareness mitigates nontechnical issues that technology can't. CISOs and other security managers are responsible for protecting information in all forms, and in many cases awareness programs are not optional. No security measure is perfect and hence standard of perfection should not be the measurement criteria. The real standard is return on investment.