Information Security is a technical problem and a business problem. The IS department needs to properly assess vulnerabilities within the network, software, hardware, policy procedures, and access control, and have a contingency plan in place. However, the business needs to reinforce policy procedures and put them into practice; while many organizations receive external cyber attacks, breaches can also come from within an organization, deliberately or accidentally, due to mishandling information. Both the IS department and every other department are responsible for playing their part to help prevent any breach from occurring, not just IS.
I agree that Information Security is a technical problem and a business problem.
I also liked how you included that information security isn’t just up to one person or department – it’s really something that needs to be reinforced throughout all levels of an organization. There’s a saying that goes along the lines of “You’re only as strong as your weakest link” – I think that definitely applies here when it comes to an organization protecting itself against vulnerabilities!
Information security is a business problem. While technology does matter, people and processes are equally important to achieving optimum security. This is because humans remain the primary vector for loss, as well as information security being an ideology that ideally would be practiced from the top level of a corporation down. When individuals at every level of a company understand and support efforts in regard to security, progress can be made towards optimal information security practices and risk management. Many of the issues with information security are actually business problems as well, such as the inconvenience of security to employees, the desire to access work documents or other confidential information outside of the workplace, and the cost.
Well said. Technical problems arise because of business problems. I would identify the business problem as human beings, because we are the ones making decisions but at the same time making some errors. That’s why everybody, with no exceptions, within the organization should be properly trained to avoid all those threats. If one system is not correctly functioning, that means somebody misunderstood or misapplied what he learned, and that is causing viruses or other attacks on the network and system.
I agree that Information security is a business problem, but I also think there is a point to be made that IS is both a business problem as well as a technical one. All of your points on why it is a business problem are valid, but from an IS perspective, knowing which technology the organization will benefit from the most, whether that is infrastructure or software, can really only be determined by the information security team.
Data has become as valuable as currency, and trade secrets are an organization’s crown jewels. Information security is directly responsible for preserving the livelihood of the business. Information security can also influence an organization’s decision for mergers and acquisitions or even vendor selection. Ultimately, those who approve budgeting for information security initiatives must understand how this impacts the bottom line. If you cannot present a viable use-case for security technology to management and the organization doesn’t implement adequate security measures, it could expose the organization to attacks such as ransomware, which could destabilize the company. To that end, information security is a shared responsibility of every organizational member that must be defined and communicated from the top down (Risk IT Framework, 2nd Edition, 2021). Information security decisions may even impact daily business operations, such as forcing multi-factor authentication or disabling basic authentication protocols.
Information Security is a business problem that the entire organization must solve. While technology provides many solutions to help secure organizations, security is fundamentally a human issue.
Exemplifying this point is the role of physical security in technology risk management. An organization can invest in the latest technologies, but these become moot if physical access controls aren’t sufficiently enforced. Consider, for example, an individual who avoids a proximity card swipe at a building’s entrance because the door was held open for them by someone exiting at the same time.
People like to be polite by holding doors and may not ask themselves if the person they’re letting in should be there. People will continue to hold doors unless they understand that there are risks when people don’t swipe into the building. This ultimately becomes a user awareness issue and requires the business to define policies that educate employees about the risks. Risk-informed users strengthen technological solutions through their understanding of the business’ approach to risk management.
I like your point on physical security. In fact, recently at my organization I had to walk into a restricted area. Part of this restricted area is a man trap that we walk through before entering the actual enclave. Oftentimes people hold the door open – which is against policy. What people don’t seem to understand is that this isn’t just for making sure you’re authorized to be in the restricted area – but for auditing purposes as well. The scanner records date/time for every entry. Holding the door reduces accountability, especially if the organization has to investigate an issue.
I agree with your take Michael, as well as Matthew’s input on physical security controls in place and the inclination for others to innately help others tailgate. It is interesting though to consider the different types of expectations and sentiments across different organizations. Man traps at a bank, for example, do not seem to raise any alarms amongst bank customers, and it is accepted as protocol. Swipe cards at a university do not release the same effect. What is the essence of the disconnect here between the two different physical controls that serve the same purpose of accountability as mentioned? There is a sense of authority with man traps at a bank or the man trap scanner hybrid physical machines at an airport that doesn’t seem to ever get questioned. Can we improve policy and awareness over time to make swipe access cards release the same sort of sentiment?
Information security is no longer just a technical issue. In today’s world, every member of an organization must take part in the correct security practices. When it comes to information security, the technical division is going to be there to help mitigate any vulnerabilities by installing, configuring, and maintaining the infrastructure and software. Any technical device within the organization is vulnerable to being attacked, and if a breach occurs it’s the responsibility of the technical division to resolve it.
Now, from a business perspective, the business leaders of the organization, whether that’s the CEO or CIO, will ultimately determine how important information security is to the organization. If they conclude that revenue and profits take precedence over security, the organization will be left open to attackers. Vice versa if the business leaders see the value in information security, they have a responsibility to set up multiple checkpoints throughout the organization and encourage the rest of the members to practice the policies being put in place to help mitigate any threats.
We know not having a contingency plan is out of question, every organization must have a response team in the event that they are breached. This means the business unit and the technical divisions need to collaborate and find common ground between the budget and infrastructure/software needs.
Source: Vacca, J. R. (2017). Computer and information security handbook (3rd ed.).
Information security “refers to processes and tools intended to protect sensitive business information from modification, disruption, destruction, and inspection” (Cisco definition). With that said, I believe it is not just a technical problem, but a business issue as well. Businesses that are vulnerable to cyber attacks need an approach that integrates security protection into all aspects of the organization, including management in security policies and standards in order to protect business operations, and educate employees with proper training in case a vulnerability attack should happen unexpectedly.
It’s both a technical and business problem, and like you said, proper training needs to be given to everybody, even the third parties, as this is the base of an organization. Not just employees but the staff must abide by the rules when it comes to security. For example, all visitors must put their information in the book for the company to keep track of who comes in and double their security if they need to.
InfoSec is both a technical problem and a business problem that the entire organization must solve. There is a level of technical expertise needed in order to set up and deploy VPNs, MFA, EDR, IRPs/Business continuity plans, network configuration, email filtering solutions, web filtering solutions, network segmentation, vulnerability scans, identifying and either air-gapping or removing EOL devices, etc.
However, it’s also a business problem. Infosec needs buy-in from every employee in the organization in order for it to be effective. Employee cybersecurity awareness, training, and phishing simulations are one piece of the puzzle. But you also need employees actively thinking about cybersecurity risks. You need to train them and provide resources so that if an employee suspects a data breach or cybersecurity risk, they can elevate the issue accordingly. You also need buy-in at the board level to make sure infosec objectives are penetrating throughout the organization. If the board doesn’t understand the importance of infosec, it could potentially become siloed and therefore less effective.
I too agree that information security is both a technical problem as well as a business problem. Laying out the technical expertise needed to help avoid technical problems is something that needs to be noticed. Being that any technical device serves the risk of being breached, it is important that we have experienced people in charge of solving or defending from these technical issues. I also am in agreement with you that employees must be “all hands on deck” for the information security to be as effective as possible. It’s important to make it known to employees that their own personal information is at risk every day. Having this concept stick with employees could show an increase in awareness as well as active training.
Information Security is a business problem that also manifests as a technical problem. Information is at the core of nearly every organization, and securing that information is a business problem. Because we use technology so heavily in the operation of nearly every organization, securing the information becomes a technical problem. However, the need to keep information secure extends beyond tech – we put Confidential labels on paper copies of documents that we distribute if the contents warrant it. How we mark it confidential can be a technical problem – adding a footer in a Doc or an ink stamp to the printed copy. However, the need to mark it confidential is a business problem!
Richard, I see where you’re coming from. Data classification is absolutely critical in modern business/information security practices – but it is the technical side of IT that spurs these issues to begin with. The same goes for human resources protocol upon hiring; it is the technical issues affiliated with insider information security threats that spur such an emphasis on bettering business practices involving onboarding training, thorough background checks, etc. Great points!
Information security is a technical and a business problem because if one issue occurs on one side, then the other side is affected as well. When creating an organization, the IT team needs to make sure that they implement smart methods or comprehensive security controls not just applicable to employees but to the entire organization. Whether it’s a big or small company, we shouldn’t neglect the fact that company assets and other private data have to be well secured to make the business run and avoid any breaches. The top management/leadership team needs to hire IT people that will not just install software or other security tools to detect bad incidents or fraud, but instead make sure that those people follow and maintain a security check by having a meeting every two weeks or once a month to discuss any trends they encounter. As creating an organization involves third parties, the management staff has to set a policy on how some data are collected, protected and given out to them. Also, proper training on information security, such as sharable data, advertisements, passwords, and factor authentication, needs to be well known and highly enforceable within the organization. Finally, in the budget established to create a product, the organization must define policies and standards to secure the product from others stealing it and making profit out of it.
I agree with what you said that technical and business issues will affect each other. When information security is threatened and technical issues are questioned, these two issues are closely related communities of interest. Maintaining the operation of an enterprise needs to avoid information security leakage as much as possible in order to avoid violations. At this time, the presence of IT personnel is a must. They have a better understanding of professional maintenance of information security and protect enterprise information security.
Information Security is indeed one problem. However, this problem happens to be BOTH technical and business related.
Information Security is an integral part of the majority of businesses in 2021. The reason for this is due to the fact that the majority of these businesses’ assets have gone from tangible assets to intangible assets. That intangible asset just happens to be corporate data… which I’m sure the company would classify as sensitive data. For the majority of businesses in the 21st century, corporate data has become 84% of a company’s assets. The more technological advances that are made, the more people and businesses become reliant upon them. In turn, this ample amount of new and old technology creates an astounding amount of vulnerabilities that people and businesses both become susceptible to.
For example, earlier this year we all saw the gas pipeline hack, which was an issue of Ransomware. The exploit of that vulnerability was critical to the business. It singlehandedly drove up the price of gas, as well as bringing certain aspects of workflow to an abrupt halt. Moreover, within the past week T-Mobile has been hacked, which obviously affects the business on a massive scale… but also their customers, whose credit information has now been compromised due to the hack!
Information security is both a technical and business problem. It is an important part of any business to be aware of the information risks that are created with every business plan and information or data collected on customers/patients. Administrative staff need to have a holistic approach to the information that is being collected and utilized in the day-to-day business plan and future projects. The IT staff need to be aware of what software capabilities they have and how to best provide support to the company’s business and security needs. Administrators and staff need to work together to fully understand the uses of the software and hardware and their capabilities, as well as the effect they have on business functionality and success.
Hi Emily – The IT staff certainly need to be aware of what software capabilities they have and how to best provide support to the company’s business and security needs. I’d like to point out that on top of this, the IT support staff must not only understand how a piece of software functions but also the different ways in which those functions can be used and by whom. For example, a company could use software which provides the ability to process payments. At a high level, this access should not be granted to all users – it should be applied to users who are actually responsible for processing payments. While this is a pretty simplistic example, the idea is that IT support staff should have knowledge, whether it’s self-obtained or a knowledge transfer from business users, of the business risk (i.e. unauthorized payments) associated with granting payment processing access to all users.
Information Security is both a technical and business problem, and they influence each other equally. Failure to comply with business or technical standards can destroy a company’s reputation, exfiltrate trade secrets, and lose company profits. Companies often make the mistake of vastly underestimating security until it is too late; the result can often lead to distrust within stakeholders or different business partners. The consumer can also develop distrust with a company and ruin brand recognition.
It is important that both IT professionals and business associates understand each other in this respect. Vacca states that these two should realistically understand one another in order to meet a common goal. More often than not, companies fail to disseminate roles and responsibilities in the world of cybersecurity, which often leads to misconceptions on who does what. It should also be understood that the entire organization is accountable for cybersecurity; annual trainings are necessary to keep individuals aware of new practices and reminders. And the cost of security far outweighs the relative unmitigated risk that could result in drastic losses for the company, ranging from cut bonuses to company lay-offs from impending financial destruction.
Companies should understand that they are in the business of security whether they like it or not. A balanced company would identify what the company’s goal is while subsequently deciding an appropriate risk appetite thereafter.
Information security is both a technical problem AND a business problem.
IS is a technical problem because the root of the problem typically is in technology, due to the fact that the information needing to be secured is somewhere in a network that not everybody knows how to use/navigate.
IS is a business problem because at the end of the day, it is the business’s information that needs to be secured, for whatever reason (sensitive customer data, trade secrets, etc.).
Information security is a technical problem as well as a business problem. Personally, business problems are problems solved by technical problems. After the enterprise solves the problem of information security through technology, the business problem is solved. When information security is threatened and technical issues are questioned, business problems will accumulate. These two issues are closely related communities of interest. One of them will cause problems, and the other will also cause problems. Enterprises need to pay more attention to information security and improve technology in order to avoid the problem of information security leakage as much as possible to maintain the operation of the enterprise.
Completely agree with you. A business problem is automatically a technical problem if information security is involved. It affects the way the business functions, so both sides need to do their part and be aware of any technical issues on a regular basis so that the business can operate normally.
Is information security a technical problem or a business problem?
I believe it is safe to say it is both a technical problem and a business problem. I think each creates problems on their own, but the business will only thrive if they are working hand in hand. The business needs technology to address/come up with a system that meets the business needs and mitigates potential risks. IT needs the business to know exactly what is needed and how it should run and be protected.
Information Security is both a technical and business problem. In a short period of time, there has been a fundamental shift in corporate assets where more than 80% of a company’s assets are intangible. Because data has moved from being primarily about the business to the business itself, information security has become not only a technical problem but a business one. Having so much important data that needs to be protected means that if there are any security breaches, a company can be affected from a daily operations perspective and from a reputation perspective. If companies are seen as untrustworthy with their user’s information, it could tarnish how they are viewed and affect the number of customers that ultimately use the business. This would directly affect the company’s bottom line. In addition, depending on the data lost, the company could open themselves up to legal repercussion as well, so they need to ensure that they’ve made reasonable effort to prevent the loss.
Information security poses both technical and business problems within an organization. I believe you can view each as almost intertwined. On the technical side, if IT personnel who are responsible for developing and implementing information security solutions in an area do not fully understand the business operations, or even the sensitivity of the data involved in the process they are responsible for maintaining, it could lead to risks such as a data loss or even inaccuracies in key reports used in the business process. Inversely, if business personnel who are responsible for performing daily business activities within the process do not fully understand their department’s or organization’s security requirements, then this too could lead to intentional and even unintentional data loss.
It’s very important to develop an organization-wide security policy that applies not only to technical IT users but also to the business users, since they are increasingly becoming the focus of targeting for threat actors.
Hello Bryan,
That’s a great point that the IT personnel need to know the business operation sufficiently so they would know what type of information they will need to secure to avoid a data loss. It is also important for the IT personnel to know the requirements of the business so they can configure the technologies (servers or any other devices used for the business purpose) properly. This would allow those technologies to be accessible when needed and configured in a secure manner so as not to have any vulnerabilities within those devices.
Data enables business continuity. Information security is the implementation of technical, operational and management controls to achieve confidentiality, integrity and availability of data. The technical aspect of information security is to enable and facilitate business by avoiding disruptions in the form of breaches and compromises. Information security cannot be implemented in isolation; the business side must work hand in hand with the technical side by implementing management and operational policies, procedures, practices and standards to enable information security. Information security is both a technical and a business problem.
Information security is both a technical problem and a business problem. Security data has to be implemented with technical controls in correspondence with an organization’s business angle as well as their budget. Customized applications will require customized security controls which are inherently more expensive for the business, so there is an unavoidable intersection of business and technical aspects of the problem. Often in practice, many employees exhibit vulnerabilities in information attempting to perform business activities. For example, it is not uncommon for some office employees to leave sensitive information laying around, such as a post-it note of credentials on a desk, creating a serious vulnerability for the business.
Thanks for your analysis, Antonio. I agree with you on your analysis. However, information security is a concern for leaders at the highest level of many organizations and governments, across national borders. In this regard, customers and employees are requesting it, as they appear to be worried about their privacy and the protection of personally identifiable information and identity theft.
Information Security is indeed a technical and business problem. It is a huge problem in our society. A company’s top priority is protecting the company’s confidential information. It is now required for most, if not all, banks to have multi-factor authentication for their customers and staff. This makes it hard for hackers to hack into someone’s information. Most companies have phishing training for their employees. This will decrease the potential of a hacker sending a phishing attack because employees can identify a scam. However, a hacker can still get into someone’s device, causing it to be a technical issue.
Good mention about the multi-factor authentication, Victoria. All of the banks that I use require me to use this verification before I go any further into my accounts. It didn’t start out that way before, but with hacking into private/sensitive information becoming the norm nowadays, I feel safer that they made this a necessity.
As much as my non-technical background would like to say information security is a technical problem, I wholeheartedly believe it is a business issue. Like Vacca states in our class readings, information security no longer belongs to a business (i.e. being the systems admin at JP Morgan); information security is becoming big business. Stocks such as Amazon, Zoom and Tesla prove that data services, and security, are symbiotic with some of the most profitable companies on the planet. These companies, basing their foundations on information security, require strong knowledge, attentiveness and awareness of information security threats, vulnerabilities, etc. in order to maintain financial growth. APTs will not only threaten a company’s technology functionality anymore, but can threaten company reputations, stock market prices as well as the foundational availability, confidentiality and integrity of services.
Information security is both a technical and business problem. We can say it’s a technical problem because any type of digital device can be accessed by a hacker. It is also a business problem because companies have failed to manufacture a secure device to protect information. For example, Android has become one of the most popular OSes for various mobile hardware. Why? Because it has many reasons for likability, such as ease of use, functionality etc., yet at the same time it is extremely easy to hack, which in turn leads to huge financial losses for the organizations.
Information technology is both a technical and business problem. To protect the network, it needs to be configured properly so it would not be vulnerable to any type of known vulnerability and could be accessible when it is needed. There also could be some configuration that could not be configured properly, so it is also important to place proper safeguards to remediate that vulnerability. Every business has some type of data that it uses to operate its business. It could be PII, PHI, or any other type of information on their customers or their employees within their network, which also requires being kept secure or it could impact the reputation of their business.
Information security is also a business problem as all businesses use technologies to operate their business. If they are unable to access the technology used to operate the business, then they would not be able to operate it. The users that are part of the business could also introduce risk to information security in different ways, such as sharing sensitive information with others, clicking on a phishing email, or any other way the business information could be put at risk.
Is information security a technical problem or a business problem?
I believe that information security is both a technical problem as well as a business problem. I see it as a technical issue because any device is vulnerable to being breached since there is no such thing as 100% perfect information security. I also see information security as a business issue because there is the possibility that a business’ customer and employee personal information can be accessed due to a data breach. Information confidentiality is the highest priority when it comes to any company. This makes information security a two-part issue because a breach of personal information is a business issue, and the fact that a hacker could still find a way to breach this data makes it a technical issue.
Security’s days as just a technical issue are long gone. It is becoming increasingly clear that it is a business problem for leaders at the highest level of many businesses and governments across national borders. This is so because customers are demanding it, with worries about privacy and the protection of personally identifiable information. As a matter of fact, business partners, suppliers and vendors are requiring it from one another, especially when providing mutual network and information access. Security breaches and data disclosure largely emanate from criminal behavior induced by financial gain. Additional evidence to support this assertion was provided by the Deloitte 2007 Global Security Survey of Top Financial Services, which stated that information security is no longer a technology-focused problem and has become as much the basis of business survival as any other issue.
Both. It is individual employees or departments responsible for the security of confidential information and the organization itself. Therefore, the top management accountable for protecting the organization’s best interests is responsible for ensuring that appropriate and adequate security policies are developed and implemented throughout the organization. Security policies refer to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization’s systems and their information. Reasonable procedures not only protect data and techniques but also protect individual employees and the entire organization. It can also be used as a prominent statement to explain the organization’s commitment to security to the outside world.
Information security is both a technical and business problem. With being a technical problem, the IT department’s responsibility is to keep the organization safe with regards to security. Making sure everything is updated and working properly. If a network goes down, it is fixed timely. If a phishing email is opened, how the problem is handled, is a technical problem. For business, if IS has a problem and the network is shut down or if there is a ransomware threat, the business can be in real trouble. If at any point, money or personal information of consumers is in danger or exposed, the business is in real trouble.
Information security is definitely a business issue, not just an IT issue. I think most organizations misunderstand the IS role and make the IT department responsible for it. Information security should integrate with business continuity, recruitment, physical security, compliance and other business functions. It is important that executives (from top to bottom) and everyone else understand where they align with IT and their responsibilities.
Wilmer Monsalve says
Information Security is a technical problem and a business problem. The IS department needs to properly assess vulnerabilities within the network, software, hardware, policy procedures, and access control, and have a contingency plan in place. However, the business needs to reinforce policy procedures and put them into practice; as much as organizations receive external cyber attacks, breaches can also come from within an organization, deliberately or accidentally, due to mishandling information. Both the IS department and every other department are responsible for playing their part to help prevent any breach from occurring, not just IS.
Andrew Nguyen says
Hey Wilmer,
I agree that Information Security is a technical problem and a business problem.
I also liked how you included that information security isn’t just up to one person or department – it’s really something that needs to be reinforced throughout all levels of an organization. There’s a saying that goes along the lines of “You’re only as strong as your weakest link” – I think that definitely applies here when it comes to an organization protecting itself against vulnerabilities!
Andrew Nguyen says
Information security is a business problem. While technology does matter, people and processes are equally important to achieving optimum security. This is because humans remain the primary vector for loss, as well as information security being an ideology that ideally would be practiced from the top level of a corporation and down. When individuals at every level of a company understand and support efforts in regards to security, progress can be made towards optimal information security practices and risk management. Many of the issues towards information security are actually business problems as well, such as the inconvenience of security to employees, the desire to access work documents or other confidential information outside of the workplace, and the cost.
Ornella Rhyne says
Well said. A technical problem arises because of a business problem. I would identify the business problem as human beings, because we are the ones making decisions but at the same time making some errors. That’s why everybody, with no exceptions, within the organization should be properly trained to avoid all those threats. If one system is not correctly functioning, that means somebody misunderstood or misapplied what he learned, and that causes viruses or other attacks on the network and system.
Dhaval Patel says
I agree that Information security is a business problem, but I also think there is a point to be made that IS is both a business problem as well as technical. All of your points of why it is a business problem are valid, but from an IS perspective, knowing which technology the organization will benefit from the most whether that is infrastructure or software can really only be determined by the information security team.
Kelly Sharadin says
Data has become as valuable as currency, and trade secrets are an organization’s crown jewels. Information security is directly responsible for preserving the livelihood of the business. Information security can also influence an organization’s decision for mergers and acquisitions or even vendor selection. Ultimately, those who approve budgeting for information security initiatives must understand how this impacts the bottom line. If you cannot present a viable use-case for security technology to management and the organization doesn’t implement adequate security measures, it could expose the organization to attacks such as ransomware, which could destabilize the company. To that end, information security is a shared responsibility of every organizational member that must be defined and communicated from the top down (Risk IT Framework, 2nd Edition, 2021). Information security decisions may even impact daily business operations, such as forcing multi-factor authentication or disabling basic authentication protocols.
ISACA. 2021. Risk IT Framework, 2nd Edition.
Matthew Bryan says
Information Security is a business problem that the entire organization must solve. While technology provides many solutions to help secure organizations, security is fundamentally a human issue.
Exemplifying this point is the role of physical security in technology risk management. An organization can invest in the latest technologies, but these become moot if physical access controls aren’t sufficiently enforced. For example, an individual avoids a proximity card swipe at a building’s entrance because the door was held open for them by someone exiting at the same time.
People like to be polite by holding doors and may not ask themselves if the person they’re letting in should be there. People will continue to hold doors unless they understand that there are risks when people don’t swipe into the building. This ultimately becomes a user awareness issue and requires the business to define policies that educate employees about the risks. Risk-informed users strengthen technological solutions through their understanding of the business’ approach to risk management.
Michael Duffy says
Hello Matthew,
I like your point on physical security. In fact, recently at my organization I had to walk into a restricted area. Part of this restricted area is a man trap that we walk through before entering the actual enclave. Oftentimes people hold the door open – which is against policy. What people don’t seem to understand is that this isn’t just for making sure you’re authorized to be in the restricted area – but for auditing purposes as well. The scanner records date/time for every entry. This reduces accountability, especially if the organization has to investigate an issue.
Antonio Cozza says
I agree with your take Michael, as well as Matthew’s input on physical security controls in place and the inclination for others to innately help others tailgate. It is interesting though to consider the different types of expectations and sentiments across different organizations. Man traps at a bank, for example, do not seem to raise any alarms amongst bank customers, and it is accepted as protocol. Swipe cards at a university do not release the same effect. What is the essence of the disconnect here between the two different physical controls that serve the same purpose of accountability as mentioned? There is a sense of authority with man traps at a bank or the man trap scanner hybrid physical machines at an airport that doesn’t seem to ever get questioned. Can we improve policy and awareness over time to make swipe access cards release the same sort of sentiment?
Dhaval Patel says
Information security is no longer just a technical issue. In today’s world, every member of an organization must take part in the correct security practices. When it comes to information security, the technical division is going to be there to help mitigate any vulnerabilities by installing, configuring, and maintaining the infrastructure and software. Any technical device within the organization is vulnerable to being attacked, and if a breach occurs it’s the responsibility of the technical division to resolve it.
Now, from a business perspective, the business leaders of the organization, whether that’s the CEO or CIO, will ultimately determine how important information security is to the organization. If they conclude that revenue and profits take precedence over security, the organization will be left open to attackers. Vice versa, if the business leaders see the value in information security, they have a responsibility to set up multiple checkpoints throughout the organization and encourage the rest of the members to practice the policies being put in place to help mitigate any threats.
We know not having a contingency plan is out of the question; every organization must have a response team in the event that they are breached. This means the business unit and the technical divisions need to collaborate and find common ground between the budget and infrastructure/software needs.
Source: Vacca, J. R. (2017). Computer and information security handbook (3rd ed.).
Christopher Clayton says
Information security “refers to processes and tools intended to protect sensitive business information from modification, disruption, destruction, and inspection” (Cisco definition). With that said, I believe it is not just a technical problem, but a business issue as well. Businesses that are vulnerable to cyber attacks need an approach that integrates security protection into all aspects of the organization, including management in security policies and standards in order to protect business operations, and educate employees with proper training in case a vulnerability attack should happen unexpectedly.
Ornella Rhyne says
It’s both a technical and business problem, and like you said, proper training needs to be given to everybody, even the third parties, as this is the base of an organization. Not just employees but the staff must abide by the rules when it comes to security. For example, all visitors must put their information in the book for the company to keep track of who comes in and double their security if they need to.
Madalyn Stiverson says
InfoSec is both a technical problem and a business problem that the entire organization must solve. There is a level of technical expertise needed in order to set up and deploy VPNs, MFA, EDR, IRPs/Business continuity plans, network configuration, email filtering solutions, web filtering solutions, network segmentation, vulnerability scans, identifying and either air-gapping or removing EOL devices, etc.
However, it’s also a business problem. Infosec needs buy-in from every employee in the organization in order for it to be effective. Employee cybersecurity awareness, training, and phishing simulations are one piece of the puzzle. But you also need employees actively thinking about cybersecurity risks. You need to train them and provide resources so that if an employee suspects a data breach or cybersecurity risk, they can elevate the issue accordingly. You also need buy-in at the board level to make sure infosec objectives are penetrating throughout the organization. If the board doesn’t understand the importance of infosec, it could potentially become siloed and therefore less effective.
Michael Galdo says
Hello Madalyn,
I too agree that information security is both a technical problem as well as a business problem. Laying out the technical expertise needed to help avoid technical problems is something that needs to be noticed. Being that any technical device serves the risk of being breached, it is important that we have experienced people in charge of solving or defending from these technical issues. I also am in agreement with you that employees must be “all hands on deck” for the information security to be as effective as possible. It’s important to make it known to employees that their own personal information is at risk every day. Having this concept stick with employees could show an increase in awareness as well as active training.
Richard Hertz says
Information Security is a business problem that also manifests as a technical problem. Information is at the core of nearly every organization, and securing that information is a business problem. Because we use technology so heavily in the operation of nearly every organization, securing the information becomes a technical problem. However, the need to keep information secure extends beyond tech – we put Confidential labels on paper copies of documents that we distribute if the contents warrant it. How we mark it confidential can be a technical problem – adding a footer in a Doc or an ink stamp to the printed copy. However, the need to mark it confidential is a business problem!
Matthew Bryan says
Your example of confidential paper documents is great, and it clearly shows the intersection of business needs and technology solutions.
Jason Burwell says
I agree Richard, the need to keep information secure extends beyond tech; that was a true and great point.
Lauren Deinhardt says
Richard, I see where you’re coming from. Data classification is absolutely critical in modern business/information security practices – but it is the technical side of IT that spurs these issues to begin with. Same goes with human resources protocol upon hiring; it is the technical issues affiliated with insider information security threats that spur such an emphasis on bettering business practices involving onboarding training, thorough background checks, etc. Great points!
Ornella Rhyne says
Information security is a technical and a business problem because if one issue occurs on one side, then the other side is affected as well. When creating an organization, the IT team needs to make sure that they implement smart methods or comprehensive security controls, not just applicable to employees but to the entire organization. Whether it’s a big or small company, we shouldn’t neglect the fact that company assets and other private data have to be well secured to make the business run and avoid any breaches. The top management/leadership team needs to hire IT people that will not just install software or other security tools to detect bad incidents or fraud, but instead make sure that those people follow and maintain a security check by having a meeting every two weeks or once a month to discuss any trends they encounter. As creating an organization involves a third party, the management staff has to set a policy on how some data are collected, protected and given out to them. Also, proper training on information security, such as sharable data, advertisements, passwords, and factor authentications, needs to be well-known and highly enforceable within the organization. Finally, in the budget established to create a product, the organization must define policies and standards to secure the product from others stealing it and making profit out of it.
Dan Xu says
I agree with what you said that technical and business issues will affect each other. When information security is threatened and technical issues are questioned, these two issues are closely related communities of interest. Maintaining the operation of an enterprise needs to avoid information security leakage as much as possible in order to avoid violations. At this time, the presence of IT personnel is a must. They have a better understanding of professional maintenance of information security and protect enterprise information security.
Joshua Moses says
Information Security is indeed one problem. However, this problem happens to be BOTH technical and business related.
Information Security is an integral part of the majority of businesses in 2021. The reason for this is due to the fact that the majority of these businesses’ assets have gone from tangible assets to intangible assets. That intangible asset just happens to be corporate data… which I’m sure the company would classify as sensitive data. For the majority of businesses in the 21st century, corporate data has become 84% of a company’s assets. The more technological advances that are made, the more people and businesses become reliant upon them. In turn, this ample amount of new and old technology creates an astounding amount of vulnerabilities that people and businesses both become susceptible to.
For example, earlier this year we all saw the gas pipeline hack, which was an issue of Ransomware. The exploit of that vulnerability was critical to the business. It singlehandedly drove up the price of gas, as well as bringing certain aspects of workflow to an abrupt halt. Moreover, within the past week T-Mobile has been hacked, which obviously affects the business on a massive scale… but also their customers, whose credit information has now been compromised due to the hack!
Emily McLaughlin says
Information security is both a technical and business problem. It is an important part of any business to be aware of the information risks that are created with every business plan and information or data collected on customers/patients. Administrative staff need to have a holistic approach to the information that is being collected and utilized in the day-to-day business plan and future projects. The IT staff need to be aware of what software capabilities they have and how to best provide support to the company’s business and security needs. Administrators and staff need to work together to fully understand the uses of the software, hardware and its capabilities, as well as the effect it has on business functionality and success.
Bryan Garrahan says
Hi Emily – The IT staff certainly need to be aware of what software capabilities they have and how to best provide support to the company’s business and security needs. I’d like to point out that on top of this, the IT support staff must not only understand how a piece of software functions but also the different ways in which those functions can be used and by whom. For example, a company could use software which provides the ability to process payments. At a high level, this access should not be granted to all users – it should be applied to users who are actually responsible for processing payments. While this is a pretty simplistic example, the idea is that IT support staff should have knowledge, whether it’s self-obtained or a knowledge transfer from business users, of the business risk (i.e. unauthorized payments) associated with granting payment processing access to all users.
Michael Duffy says
Information Security is both a technical and business problem, and they influence each other equally. Failure to comply with business or technical standards can destroy a company’s reputation, exfiltrate trade secrets, and lose company profits. Companies often make the mistake of vastly underestimating security until it is too late; the result can often lead to distrust within stakeholders or different business partners. The consumer can also develop distrust with a company and ruin brand recognition.
It is important that both IT professionals and business associates understand each other in this prospect. Vacca states that these two should realistically understand one another in order to meet a common goal. More often than not, companies fail to disseminate roles and responsibilities in the world of cybersecurity, which often leads to misconceptions on who does what. It should also be understood that the entire organization is accountable for cybersecurity; annual trainings are necessary to keep individuals aware of new practices and reminders. And the cost of security far outweighs the relative unmitigated risk that could result in drastic losses for the company and range from cut bonuses to company lay-offs from impending financial destruction.
Companies should understand that they are in the business of security whether they like it or not. A balanced company would identify what the company’s goal is in mind while subsequently deciding an appropriate risk appetite thereafter.
Michael Jordan says
Information security is both a technical problem AND a business problem.
IS is a technical problem because the root of the problem typically is in technology, due to the fact that the information needing to be secured is somewhere in a network that not everybody knows how to use/navigate.
IS is a business problem because at the end of the day, it is the business’s information that needs to be secured, for whatever reason (sensitive customer data, trade secrets, etc.).
Dan Xu says
Information security is a technical problem as well as a business problem. Personally, business problems are problems solved by technical problems. After the enterprise solves the problem of information security through technology, the business problem is solved. When information security is threatened and technical issues are questioned, business problems will accumulate. These two issues are closely related communities of interest. One of them will cause problems, and the other will also cause problems. Enterprises need to pay more attention to information security and improve technology in order to avoid the problem of information security leakage as much as possible to maintain the operation of the enterprise.
Christopher Clayton says
Hi Dan,
Completely agree with you. A business problem is automatically a technical problem if information security is involved. It affects the way the business functions, so both sides need to do their part and be aware of any technical issues on a regular basis so that the business can operate normally.
zijian ou says
I also think it is two-way and closely related. Therefore, both parties must do their work so that the company can operate smoothly.
Jason Burwell says
Is information security a technical problem or a business problem?
I believe it is safe to say it is both a technical problem and a business problem. I think each creates problems on their own, but the business will only thrive if they are working hand in hand. The business needs technology to address/come up with a system that meets the business needs and mitigates potential risks. IT needs the business to know exactly what is needed and how it should run and be protected.
Ryan Trapp says
Information Security is both a technical and business problem. In a short period of time, there has been a fundamental shift in corporate assets where more than 80% of a company’s assets are intangible. Because data has moved from being primarily about the business to the business itself, information security has become not only a technical problem but a business one. Having so much important data that needs to be protected means that if there are any security breaches, a company can be affected from a daily operations perspective and from a reputation perspective. If companies are seen as untrustworthy with their users’ information, it could tarnish how they are viewed and affect the number of customers that ultimately use the business. This would directly affect the company’s bottom line. In addition, depending on the data lost, the company could open themselves up to legal repercussions as well, so they need to ensure that they’ve made reasonable effort to prevent the loss.
Bryan Garrahan says
Information security poses both technical and business problems within an organization. I believe you can view each as almost intertwined. On the technical side, if IT personnel who are responsible for developing and implementing information security solutions in an area do not fully understand the business operations or even the sensitivity of the data involved in the process they are responsible for maintaining, it could lead to risks such as a data loss or even inaccuracies in key reports used in the business process. Inversely, if business personnel who are responsible for performing daily business activities within the process do not fully understand their department’s or organization’s security requirements, then this too could lead to intentional and even unintentional data loss.
It’s very important to develop an organization-wide security policy that applies not only to technical IT users but also to the business users, since they are increasingly becoming the focus of targeting for threat actors.
Vraj Patel says
Hello Bryan,
That’s a great point that the IT personnel need to know the business operation sufficiently so they would know what type of information they will need to secure to avoid a data loss. It is also important for the IT personnel to know the requirements of the business so they can configure the technologies (server or any other devices used for the business purpose) properly, which would allow those technologies to be accessible when needed and configured in a secure manner so as not to have any vulnerabilities within those devices.
Olayinka Lucas says
Data enables business continuity. Information security is the implementation of technical, operational and management controls to achieve confidentiality, integrity and availability of data. The technical aspect of information security is to enable and facilitate business by avoiding disruptions in the form of breaches and compromises. Information security cannot be implemented in isolation; the business side must work hand in hand with the technical side by implementing management and operational policies, procedures, practices and standards to enable information security. Information security is both a technical and a business problem.
Antonio Cozza says
Information security is both a technical problem and a business problem. Security has to be implemented with technical controls in correspondence with an organization’s business angle as well as their budget. Customized applications will require customized security controls, which are inherently more expensive for the business, so there is an unavoidable intersection of business and technical aspects of the problem. Often in practice, many employees exhibit vulnerabilities in information while attempting to perform business activities. For example, it is not uncommon for some office employees to leave sensitive information lying around, such as a post-it note of credentials on a desk, creating a serious vulnerability for the business.
kofi bonsu says
Thanks for your analysis, Antonio. I agree with you on your analysis. However, information security is a concern for leaders at the highest level of many organizations and governments, across national borders. In this regard, customers and employees are requesting it, as they appear to be worried about their privacy and the protection of personally identifiable information and identity theft.
Victoria Zak says
Information Security is indeed a technical and business problem. It is a huge problem in our society. A company’s top priority is protecting a company’s confidential information. It is now required for most, if not all, banks to have multi-factor authentication for their customers and staff. This makes it hard for hackers to hack into someone’s information. Most companies have phishing training for their employees. This will decrease the potential of a hacker sending a phishing attack because employees can identify a scam. However, a hacker can still get into someone’s device, causing it to be a technical issue.
Christopher Clayton says
Good mention about the multi-factor authentication, Victoria. All of the banks that I use require me to use this verification before I go any further into my accounts. It didn’t start out that way before, but with hacking into private/sensitive information becoming the norm nowadays, I feel safer that they made this a necessity.
Lauren Deinhardt says
As much as my non-technical background would like to say information security is a technical problem, I wholeheartedly believe it is a business issue. Like Vacca states in our class readings, information security is no longer belonging to a business (i.e. being the systems admin at JP Morgan); information security is becoming big business. Stocks such as Amazon, Zoom and Tesla prove that data services, and security, are symbiotic with some of the most profitable companies on the planet. These companies, basing their foundations on information security, require strong knowledge, attentiveness and awareness of information security threats, vulnerabilities, etc. in order to maintain financial growth. APTs will not only threaten a company’s technology functionality anymore, but can threaten company reputations, stock market prices, as well as the foundational availability, confidentiality and integrity of services.
Mohammed Syed says
Information security is both a technical and business problem. We can say it’s a technical problem because any type of digital device can be accessed by a hacker. It is also a business problem because companies have failed to manufacture a secure device to protect Information. For example, Android has become one of the most popular OS for various mobile hardware. Why? Because it has many reasons of likability such as ease of use, functionality etc., yet at the same time it is extremely easy to hack which in turn leads to huge financial losses to the organizations.
Vraj Patel says
Information technology is both a technical and business problem. To protect the network, it needs to be configured properly so it would not be vulnerable to any type of known vulnerability and could be accessible when it is needed. There also could be some configuration that could not be configured properly, so it is also important to place proper safeguards to remediate that vulnerability. Every business has some type of data that they use to operate its business. It could be PII, PHI, or any other type of information of their customers or their employees within their network, which also requires being kept secure, or it could impact the reputation of their business.
Information security is also a business problem, as all businesses use technologies to operate their business. If they are unable to access the technology used to operate the business, then they would not be able to operate the business. The users that are part of the business could also introduce risk to information security in different ways, such as sharing sensitive information with others, clicking on a phishing email, or any other way the business information could be put at risk.
Michael Galdo says
Is information security a technical problem or a business problem?
I believe that information security is both a technical problem as well as a business problem. I see it as a technical issue because any device is vulnerable to being breached since there is no such thing as 100% perfect information security. I also see information security as a business issue because there is the possibility that a business’ customer and employee personal information can be accessed due to a data breach. Information confidentiality is the highest priority when it comes to any company. This makes information security a two-part issue because a breach of personal information is a business issue, and the fact that a hacker could still find a way to breach this data makes it a technical issue.
kofi bonsu says
Security days as just a technical issue are long gone. It is becoming increasingly clear as being a business problem for leaders at the highest level of many businesses and governments across national borders. This is so because customers are demanding it, as they worry about privacy and the protection of personally identifiable information. As a matter of fact, business partners, suppliers and vendors are requiring it from one another, especially when providing mutual network and information access. Security breaches and data disclosure largely emanate from criminal behavior induced by financial gain. Additional evidence to support this assertion was provided by the Deloitte 2007 Global Security Survey of Top Financial Services in 2007, which stated that information security is no longer a technology-focused problem and it has become the basis of business survival as much as any other issue.
zijian ou says
Both. It is individual employees or departments who are responsible for the security of confidential information, and the organization itself. Therefore, the top management accountable for protecting the organization’s best interests is responsible for ensuring that appropriate and adequate security policies are developed and implemented throughout the organization. Security policies refer to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization’s systems and their information. Reasonable procedures not only protect data and techniques but also protect individual employees and the entire organization. They can also be used as a prominent statement to explain the organization’s commitment to security to the outside world.
Corey Arana says
Information security is both a technical and business problem. As a technical problem, the IT department’s responsibility is to keep the organization safe with regards to security: making sure everything is updated and working properly. If a network goes down, it is fixed in a timely manner. If a phishing email is opened, how the problem is handled is a technical problem. For business, if IS has a problem and the network is shut down, or if there is a ransomware threat, the business can be in real trouble. If at any point money or personal information of consumers is in danger or exposed, the business is in real trouble.
Miray Bolukbasi says
Information security is definitely a business issue, not just an IT issue. I think most organizations misunderstand the IS role and make the IT department responsible for it. Information security should integrate with business continuity, recruitment, physical security, compliance and other business functions. It is important that executives (from top to bottom) and everyone else understand where they align with IT and their responsibilities.