Business Owner Oversight of Information Security

I’ve seen brokers make multi-million dollar payouts on information security breaches. No doubt these brokers wish they had taken more of an active interest in security before the incidents occurred. Information security is an effort that needs to start with the business owner – and it includes not only computer-related security, but physical security and personnel practices as well. But since part of the effort is technical, how can the business owner achieve a proper level of oversight?

The first step is having an Information Security Assessment performed by a third party. The assessment should give the business enough information to make good business decisions, balancing cost, effort and risk when deciding which security issues to mitigate. Once security issues are both visible and prioritized, business owners can schedule risk mitigations and provide project oversight. The company performing the assessment should also work with staff to ensure that they have the tools in place to continually assess information security practices, and business owners should be regularly reviewing executive-level reports from staff summarizing the current level of business risk.

Another part of information security is including information security standards in contracts: specifying how data must be protected, how security practices will be monitored, and what remedies apply when vendors don’t meet those requirements. Most industry contracts that Clareity reviews don’t address security at all, or do so only in the most cursory manner.

Why aren’t business owners doing their part to assess, monitor, and address security issues? Sometimes they think their IT staff is taking care of it already. Sometimes that IT staff doesn’t know what they don’t know; they’re not specialists in security but believe it’s under control. Sometimes they know there are problems (at least they know about some of them) but always think that the time to fix them will soon come, and it never does. Finally, there are those who would love to convince their bosses to allocate resources to information security, but who know that will probably not happen until it’s too late and there has been an incident.

I urge you not to wait: have an assessment performed, put a project in place for risk mitigation, and establish a process for regular re-assessment. Taking reasonable steps to avoid the monetary and reputational costs of a security breach just makes good business sense.

About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops and leadership retreats around the country on security related topics, and is a well-regarded real estate industry expert on software design, product management, project management, data center reliability, scalability, and security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses.