Ed Halibozek


Make no mistake about it. Information security is critical to the success of a business. Whether the enterprise is for-profit or not-for-profit, protecting information is an essential part of managing information and information systems. Modern companies, corporations, and governments depend on information for their success and survival: information that is created, processed, stored, and shared. Yet the very acts of creating, processing, storing, and sharing information make that same information vulnerable to loss, manipulation, theft, or destruction.

Whether information concerns a new product or technology, a proprietary process, a business plan, a customer or donor list, or military operations, information has value to its owner. That same information may also have value to competitors, criminals, or enemies. Some will take bold measures to obtain information. Others will rely on the failure of organizations to adequately protect their own sensitive and proprietary information, making it easy for unauthorized collection and use. A few will seek to obtain information any way that they can, using legitimate or illegitimate means.

The very information that contributes to the viability and success of an enterprise, if unprotected and found in the possession of competitors or enemies, may cause the loss of a competitive edge, the embarrassment of exposure, or, in the event of military operations, may place war-fighters in "harm's way." Thus, protecting the availability, confidentiality, and integrity of information is an essential task.

In this book, Dr. Kovacich addresses the question "Is the position of an Information Systems Security Officer (ISSO) necessary?" Bluntly, unless your goal is failure, the answer is clearly "Yes." Protecting information is not an easy task. So much information resides on sophisticated and complicated information systems linked in local and wide area networks. To effectively and efficiently protect information and information systems requires the skills and dedication of a security professional: an ISSO.

The ISSO must be skilled in the disciplines of management, security, and information systems; must be capable of convincing others of the need to protect information; and must understand that protecting information is more about risk management than it is about risk avoidance. The ISSO needs to understand how information is used in the context of the world and business environment in which we operate. This includes understanding threats and where they come from, such as competitors, detractors, enemies, opportunists, and "bad guys."

A skilled ISSO is essential to any enterprise. However, an ISSO is not the only answer or solution. Understand that the ISSO is not an uebermensch. The ISSO alone cannot do everything that needs to be done to protect information. The ISSO must be capable of bringing together diverse persons with divergent interests in an effort to develop a protection profile for the enterprise. In this book, Dr. Kovacich provides the architecture to do just that. He provides a framework for establishing an effective information protection program.

Regarding the debate as to where an ISSO should report in the organizational hierarchy ... stop! Now is not the time for debate. Now is the time to act. Information security is serious business. The protection of information is just as serious as the management of information. In today's organizations most company information is processed, stored, displayed, and transmitted on and over information systems. Chief Information Officers (CIOs) are skilled executives employed to ensure that information systems are effectively managed, meeting the needs of the enterprise and making information available to all users. Protecting this information and its availability, integrity, and confidentiality is just as important. A skilled executive is needed to accomplish this: a Chief Security Officer (CSO). The CSO is someone knowledgeable in matters of security, information protection, information systems, and business management. The CSO should be independent of the CIO and report directly to the CEO or COO. Separating the CIO function from the CSO function is important, as the need to protect information is often in conflict with the need to share and disseminate information. The ISSO should either report to the CSO or be the CSO.

Let's end the discussion on the need for information protection and the need for an ISSO. One would have to be a resident of Plato's Cave to not realize that information is critical to a business and requires protection. Let's shift our focus to understanding just what requires protection, how it should be protected, and from whom. Using this book by Dr. Kovacich is a very good beginning.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
