Security awareness: switch to a better programme
✍ Scribed by Everett C. Johnson
- Publisher: Elsevier Science
- Year: 2006
- Tongue: English
- Weight: 107 KB
- Volume: 2006
- Category: Article
- ISSN: 1353-4858
✦ Synopsis
Increasingly, organizations are realising that information security is like quality: it is integral to the organization and everyone contributes to its success or failure. According to Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, published by the IT Governance Institute (ITGI), the value of and dependence on information has increased exponentially. Looking forward, all signs indicate that this will only continue. A Gartner analyst report by Arabella Hallawell estimated that in less than a decade, organizations will typically deal with 30 times more information than they do today.
To help protect their information and systems, yet also to encourage electronic services and transactions, organizations must ensure that all appropriate people are focused on safe computing. Information security professionals should work to gain space on the board agenda by focusing on the business issues and providing related business benefits, risks and benchmarks. Financial metrics such as return on investment (ROI), net present value (NPV), payback period or internal rate of return (IRR) can be applied to improve communications. In addition, information security professionals should be aware of the National Association of Corporate Directors' (NACD) four essential practices for boards of directors:
• Place information security on the board's agenda.
• Identify information security leaders, hold them accountable, and ensure support for them.
• Ensure the effectiveness of the corporation's information security policy through review and approval.
• Assign information security to a key committee and ensure adequate support for that committee.