The 10 deadly sins of information security management
Introduction
This paper is based on years of experience in teaching information security to a wide audience, as well as on information security consultancy projects in many companies. The paper identifies the 10 most important aspects—called the ‘deadly sins of information security’—which result in companies experiencing severe problems in implementing a successful comprehensive information security plan within the company.
All 10 of these aspects are essential to take into account when implementing such an information security plan in a company, or to be evaluated when an existing information security plan seems to be having problems in being really effective.
From experience, if even one of these aspects is ignored, or not properly taken into account, serious problems in introducing and maintaining a proper information security plan in a company will surely arise.
The paper will briefly discuss each of these aspects or sins, providing some motivation on why their absence from any plan will cause information security related problems.
The paper ends with a ‘tick list’, which information security managers can use to evaluate the presence/absence of these aspects from their information security plan.
The 10 deadly sins of information security
These sins are introduced below, and discussed individually in the subsequent paragraphs.
1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top)
2. Not realizing that information security is a business issue and not a technical issue
3. Not realizing the fact that information security governance is a multi-dimensional discipline (information security governance is a complex issue, and there is no silver bullet or single ‘off the shelf’ solution)
Conclusion
Creating and implementing a proper information security program is not necessarily rocket science—most of the important components that should be part of such a program are basically common sense. However, very often these common sense issues are ignored because there is a lack of understanding and realizing how essential they are.
This paper attempted to put all these essential components into place.
The following ‘tick list’ can be used to evaluate your company's information security plan in
Cited by (217)
- Designing an incentive mechanism for information security policy compliance: An experiment (2023, Journal of Economic Behavior and Organization)
- A domain-specific language for the specification of UCON policies (2022, Journal of Information Security and Applications)
- Information security governance challenges and critical success factors: Systematic review (2020, Computers and Security)
- Peering through the lens of high-reliability theory: A competencies driven security culture model of high-reliability organisations (2023, Information Systems Journal)
- Enhancing the SETA program with Mindfulness and Self-Efficacy (2023, CEUR Workshop Proceedings)
Prof SH (Basie) von Solms holds a PhD in Computer Science, and has been Chairman of the Rand Afrikaans University-Standard Bank Academy for Information Technology at the Rand Afrikaans University in Johannesburg, South Africa, since 1978. Prof von Solms is the present Vice-President of IFIP, the International Federation for Information Processing, and the immediate past Chairman of Technical Committee 11 (Information Security), of the IFIP. He is also a member of the General Assembly of IFIP. Prof von Solms has been a consultant to industry on the subject of Information Security for the last 10 years. He is a member of the British Computer Society, a Fellow of the Computer Society of South Africa, and a SAATCA Certified Auditor for ISO 17799, the international Code of Practice for Information Security Management.
Professor Rossouw von Solms is the Head of Department of Information Technology at Port Elizabeth Technikon, in South Africa. He holds a PhD from the Rand Afrikaans University. He has been a member of the International Federation for Information Processing (IFIP) TC 11 committee since 1995. He is a founder member of the Technikon Computer Lecturer's Association (TECLA) and is an executive member ever since. He is also a Vice-President of the South African Institute for Computer Science and Information Technology (SAICSIT). He has published many papers in international journals and presented numerous papers at national and international conferences in the field of Information Security Management.