Technology has long been integral to the success of any organization, but as the range of business applications and the pace of innovation have increased, so has the risk. As a result, it is vital that risk management and information technology professionals communicate with each other on a regular basis to ensure the risk associated with the use of technology is properly managed, the enterprise assets are protected, and the value of technological investments is maximized. But all too often, it seems like the two groups are speaking a different language—that is, if they even speak at all.
ISACA® and RIMS have set out to bridge this gap by developing a joint report to help all parties collaborate and communicate more effectively so they can collectively bring more value to their organizations. This primer will help enhance the abilities of risk management and information technology professionals to speak the same language as they endeavor to incorporate the benefits and uncertainties associated with data and technology into the organization’s overall strategy in order to create value and counterbalance unwanted risks and outcomes.
Integrating IT and risk management professionals in an overall digital strategy team can add value through coordinated decision making that is:
- Transparent, nimble and timely
- Inclusive and representative of enterprise needs
- Clearly defined in roles, accountability and decision-making authority
- Forward-looking in its risk assessment and benefit analyses (and not primarily resource based)
- Aligned to broader mission and strategy objectives
- Based on a disciplined design approach
- Open to interdependent thinking over functional thinking
To aid in common understanding, in addition to the definitions of respective terminology that can be found in Appendix B, a few basic definitions may be helpful to start. The terms “information security,” “cybersecurity” and “IT security” are often used interchangeably, but they actually have different meanings.
In this report, we use the term “information security” to define the people, processes and technology involved in protecting data (information) in any form—whether digital or on paper—through its creation, storage, transmission, exchange and destruction. Information security is part of an organization’s overall risk management approach and includes every operational and functional area along the entire value chain. At times, organizations view information security as an IT problem, but in truth everyone throughout an enterprise has a role to play in defining and managing the people, processes, technology and data the organization wishes to use and protect.
Included within the information security area is “cybersecurity,” a term used to describe the technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Cybersecurity deals specifically with the digital information an organization must protect from threats or other disruptions.
“IT security” describes a function, as well as a method of implementing policies, procedures and systems to defend the confidentiality, integrity and availability of any digital information used, transmitted or stored throughout the organization’s environment. The term also applies to specific physical controls, hardware and software solutions used by IT departments to harden and manage the technology operations of the business.
Finally, we introduce the term “cyber value chain” to describe the digital and human processes and activities that cumulatively add discrete and new value for an organization and its customers.