Do Information Security Professionals and Business Managers View Information Security Issues Differently?

Organizations today know that information technology is essential not only for daily operations but also for gaining strategic advantage in the marketplace. Because information technology matters this much, information security has become important as well. Breaches of information security can result in litigation, financial losses, damage to brands, loss of customer confidence, loss of business partner confidence, and can even put the organization out of business.

A recent study (Knapp, Marshall, Rainer, & Morrow, 2006) surveyed 874 Certified Information Systems Security Professionals (CISSPs) to identify and rank the top 25 information security issues. Of the 18 highest-ranked issues, 10 were managerial rather than technical in nature. Table 1 lists these ten issues with their ranks in parentheses. As we consider these ten issues as a whole, we see how critically important it is for information security professionals to have strong business, management, and organizational skills. As we look at each issue individually, we see a list of specific areas in which information security professionals should be competent in order to operate effectively in an organizational context. The issues in Table 1 are also those that information security professionals often have the most difficulty addressing. For example, three of them underscore the need for excellent communication between information security professionals and business managers: “top management support,” “low funding and inadequate budgets,” and “justifying security expenditures” are closely related. The support of organizational executives is clearly needed to obtain the necessary funding for the information security function, and to obtain that funding, information security professionals must present a coherent business case for information security needs.
Information security professionals must also communicate with the entire user community to raise its awareness of information security issues through training and education, thereby promoting an organizational culture attuned to information security. Information security professionals must also work with business managers and the user community during the risk

Address correspondence to R. Kelly Rainer, Jr., Ph.D., George Phillips Privett Professor of Management Information Systems at Auburn University, Auburn, Alabama. E-mail: rainerk@auburn.edu