Developing corporate information security – Step 1: Commitment
This post is part of the Developing information security series. Please, start reading from the first post.
Commitment. In order to get anything done there has to be commitment. Someone has to be committed enough to push through the change.
Information security literature, standards and best practices always emphasize top management commitment for information security development. That is important in large companies, but here we are talking about small and medium sized enterprises (SMEs) and commitment at wider perspective.
SMEs do not usually have extra resources for internal development (like dedicated process development department). These kind of projects are carried out along with other daily tasks. I recommend that SMEs leverage first step from management commitment to commitment in general.
Before going any further, information security development team should be involved and get committed to the project in hand. Otherwise there is always a customer project or important meeting that postpones the final goal.
Let’s see how our case example company DeepWhite Software handles this. Please, see first post of the series for more information about DeepWhite.
Case DeepWhite Software – Commitment
Lately there has been a lot of hassle about all sorts of information security violences. Motives for these violences vary from governmental interests to industrial espionage and hacktivism. News about password leakages and targeted attacks are spreading.
DeepWhite has grown and is working with several big customers. In the conversations with customers there is more and more pressure for DeepWhite to develop their own information security practices. DeepWhite is planning to launch own product development – soon there are more own assets to protect.
Head of Development and CEO both agree that at this point something has to be done. They gather a team of key persons to discuss about security concerns. Team has members from all over the company. Team agrees that DeepWhite launches corporate information security development project.
The team is committed and is spreading the word.
Step 1: Get management and organization commitment for information security development
Do you think that DeepWhite is handling commitment in a right way?