Sir – Information security should be regarded as an integral part of the way in which a company conducts its business.

If companies are viewing compliance – and adherence to some theoretical, generic ‘Best Practice’ – as a goal in itself, then they are missing the point.

Compliance should instead be a natural by-product of good security practices, not the other way around. The ‘Tick The Box’ approach to compliance merely encourages everyone to relax once the inspection is over and then repeat the cycle.

Good security demands firm leadership from the top, and involves a proper understanding and management of risk at all levels of the organisation. A well-managed security programme will monitor the risk profile of the company (and sometimes even key business partners) on an ongoing basis. Ultimately, the appetite for risk must always be set by the company’s senior management.

Jennifer Mack, Director (Compliance Product Management), Cybertrust