Information security management: an IT-only issue?

In order to implement and manage information security appropriately, the entire organization must be considered with all of its elements required for value creation.
A pure focus on information technology (IT) would overly abstract this task and obscure the actual complexity of the issue. In addition, such a narrow view leaves the organization exposed to every non-IT-related vulnerability without further consideration.
However, understanding information security has become a necessity in today’s world, as the threats to information security are constantly changing. Their sophistication and frequency are increasing. Therefore, a holistic view of information security is required by organizations in order to establish effective information security management systems (ISMS). Information security cannot end at the boundaries of individual organizational units.
Three different factors
Looking at international and national norms, standards and frameworks for information security, three key components can be identified that serve as the basic framework for grasping information security:
- people,
- processes and
- technologies.
At an international level, the ISO 27000 family of standards should be mentioned. At national level, examples include the standards published in Germany by the “Bundesamt für Sicherheit in der Informationstechnik” (BSI) and the standards published in the USA by the National Institute of Standards and Technology (NIST).
People
It is sometimes easier to compromise a person than a technical system, at least if you assume that the technical system has been securely designed and configured and is subject to regular maintenance. Here, too, people ultimately play the leading role.
Only when information security can be established as part of the organizational culture will it be possible to sustainably increase resistance to information security threats across all processes. An organizational culture is shaped and sustainably influenced in particular by managers and ultimately the top management level.
For example, every person in an organization should be able to submit an initial report promptly in the event of an information security incident so that countermeasures can be initiated quickly.
Processes
Business processes are the necessary link between people and technology through which the organization creates value.
Analogous to the integration of information security into the organizational culture, information security must also be integrated into the process design when business processes are defined and, where necessary, re-evaluated. All organizational units are involved when it comes to information security: an HR department is responsible, among other things, for the information security of the employee information it collects; the procurement department is responsible, among other things, for information security in relation to the supply chains; and the IT department is responsible, among other things, for information security in relation to the technology it uses.
For example: a referee who is also a member of one of the playing teams will immediately provoke debate, at least among the opposing team. The process of selecting a referee for a match must be designed in such a way that the referee can be, and must be, neutral with respect to the teams playing.
Technologies
The use of technology, especially information technology, is an important part of today’s fast-paced world. However, as our technologies have become increasingly complex, they need to be evaluated with regard to their information security aspects, especially before and during their use.
For example, certain information in an organization is stored in such a way that not just anyone in the world can access it. In the past, this might have meant keeping a file in locked rooms or lockable cabinets and only sharing it with people within the physical site of an organization. Today, very large amounts of information can be duplicated at the click of a button and are sometimes sent via wireless networks.
Summary
People, processes and technologies must be considered “as a whole”. Responsibility for an organization “as a whole” does not normally lie within the IT department. This is why information security is not just an IT challenge. However, due to the permeation of business processes with information technology, an IT department will sometimes have to solve a larger proportion of issues in the context of information security than other organizational units.
Establishing and maintaining information security is a permanent task, as organizations (consisting of people, processes and technologies) are subject to constant change.
- People change their skills - hardly any business letters are still written by hand with ink on paper; nowadays people are more likely to enter characters and commands into applications.
- Processes are adapted to technologies and people - letters are hardly ever transported by horse and carriage anymore, so horseshoes or stables with water and hay are hardly needed in this area.
- Technologies continue to develop - airplanes had to be invented for airmail, and skills had to be acquired to operate them and navigate over longer distances.
The management of information security and, in particular, the organization of this management is therefore initially the task of the top management level. Only in the next step does information security become the responsibility of the individual organizational units, including the IT departments.
28.01.2025 09:43