Having worked for an information security company for the past nine years, I have come to see that most infosec professionals fall into one of two groups. There are the people and process guys, who are very good at sorting out the paperwork and implementing standards like ISO27001. Then there are the technologists, who feel that you can only really address information security by using technology, such as encryption and anti-malware software.
In their respective organisations, these professionals pursue strategies that are determined by which of the two groups they are part of.
In the last year or so I have noticed a new trend: recognition that no single approach – people and process or technology – can address all of the organisation’s information security concerns. More and more, I hear that good information security is about having the right balance of people, process and technology. In fact, it has become a mantra within IT Governance.
Is it time for a more holistic approach to information security?
Rather than focusing solely on either people and process or technology, do we need a new, more holistic approach that encompasses them all at the same time? The answer appears to be yes.
Without addressing the people, process and technology issues together, how could an organisation be said to be addressing all of its information security issues? The simple answer is that it couldn’t. This leads me to believe that such an approach needs to be found.
Good information security is about more than a standard, and it is about more than technology: it is about the correct combination of people, process and technology – a new, holistic approach.