For the past 20 years I have been consulting on information security projects with companies like PwC, Siemens and KPMG, in New Zealand and Germany.
What I have found during this time, in both countries, is a lack of understanding of the crucial yet often overlooked difference between an information security strategy and an IT security strategy.
Below I've tried to explain as simply as possible the difference between the two.
Information, data and knowledge are the most valuable assets every business has; think of them like a diamond.
Businesses create sustainable value by taking information and using their skills to create something different from their competitors. Much like a jeweller takes a diamond and uses their knowledge to change it into something that people will pay more money for (a ring, bracelet or necklace).
A jeweller needs to ensure that the tools he uses to create value are precise, accurate and always available to be used, so the jeweller will make sure he has plans in place to keep the tools up and running, and ensure that no one can tamper with them.
This is similar to how businesses use IT security strategies to ensure that the tools they use are protected, available and running at their optimum, meaning that whenever the tools are used on the diamond, the diamond is protected.
Information security approaches the diamond in a different way.
It is primarily concerned with the safety of the diamond, meaning that no matter where the diamond may be - in the shop, in transit, on a customer's finger - the diamond is protected from those who may want to do it harm. These measures could be physical like ensuring the diamond is securely positioned in its setting, or virtual like ensuring the purchaser has insurance on the final product.
Information security ensures that no matter where business information (or the business' diamond) is stored or who is working with it, it is protected. This ensures the confidentiality, integrity, and availability of precious business data, no matter how or where it gets exchanged, preserved or gained.
Using this holistic approach, all modern business information technology challenges like cloud, data, decentralised workplaces, mobile devices, or BYOD are addressed and overcome.
Origin, New Zealand’s leading provider of mid-market IT support services, has created an information security program tailored for the New Zealand mid-market, based on ISO27K, PRISMA and other security standards.
The mid-market security services consist of four steps:
Review – A consulting exercise designed to take stock of your company's information security environment, from a process, policy and system point of view. The result is a score that will give you clarity on the security position of your company.
Test – Joerg and his team conduct an ethical hack of your company’s security practices, both virtually and physically.
Strategise – Origin’s CISO service provides security leadership designed for your business needs.
Operate/Manage – We ensure that your physical and virtual security environment is optimised to manage any unseen threats.