Top Management Support Essential For Effective Information Security Program, Says Auburn University Study

RSA CONFERENCE 2006, Booth 2009, Feb. 16, 2006 – Obtaining senior management support is one of the most critical issues influencing information security effectiveness in organizations today, according to an Auburn University study, Managerial Dimensions in Information Security: A Theoretical Model of Organizational Effectiveness, sponsored by the International Information Systems Security Certification Consortium [(ISC)²], the non-profit global leader in educating and certifying information security professionals throughout their careers.

(ISC)² and researchers at Auburn University, a U.S. National Security Agency National Center of Academic Excellence in Information Assurance Education, are cooperating in a multi-phase study of critical issues in information security to help management maximize protection and improve managerial aspects of security programs. The purpose of this phase was to assess the relationship between top management support and its effectiveness in addressing critical issues.

The survey found that implementing information security programs requires exceptionally high levels of “task interdependence,” with respondents reporting that 62 percent of their daily tasks require the exchange of information or cooperation with others. This is a key finding in determining the correlation between top management support and effective information security programs, as previous studies have shown that organizational work high in “task interdependence” requires greater levels of executive support to be successful.

“In sports, teamwork is necessary to win. In maintaining a secure enterprise, the same notion applies,” said Kenneth J. Knapp, Ph.D., professor of management at the U.S. Air Force Academy. “Senior management must act like a coach to promote teamwork in order to keep the business moving forward so it can achieve its security goals.”

The study results also suggest that information security effectiveness can best be achieved by focusing on four crucial areas: promoting strong user training programs, building a security-friendly culture, creating and updating security policies that are relevant to the mission, and adequately enforcing those policies.

“The Auburn University study reinforces the results of our latest Global Information Security Workforce Study, which showed that ultimate responsibility for information security continues to move up the management hierarchy, with boards of directors, CEOs, CISOs and CIOs being held increasingly accountable for their organization’s security,” said Rolf Moulton, CISSP-ISSMP, president and CEO (interim) of (ISC)². “Top management needs to be involved in information security because of the increasing business criticality of information security, and their support and influence continue to be essential to the ultimate success and effectiveness of any security program, regardless of the size of the organization.”

The first phase of the study began in mid-2003, when 220 (ISC)² Certified Information Systems Security Professionals (CISSPs) responded to an open-ended question from Auburn University asking for the top information security issues facing their organizations today. From the responses, a list of 25 critical issues emerged. In early 2004, 874 CISSPs ranked the 25 issues, with top management support and user awareness training and education at the top of the list.

Researchers developed a theory illustrating the relationships among the higher-ranked, managerial-oriented issues, showing the relationship between top management support and security effectiveness, which was strongly supported by the results of this phase of the survey, according to the 740 CISSPs who responded.

To download a copy of the report, please visit

About (ISC)²
The International Information Systems Security Certification Consortium, Inc. [(ISC)²] is the internationally recognized Gold Standard for educating and certifying information security professionals throughout their careers. Founded in 1989, (ISC)² has certified over 40,000 information security professionals in more than 100 countries. Based in Palm Harbor, Florida, USA, with offices in Vienna, Virginia, USA, London, Hong Kong and Tokyo, (ISC)² issues the Certified Information Systems Security Professional (CISSP) and related concentrations for information security professionals and managers, Certification and Accreditation Professional (CAP CM) for information assurance workers, and Systems Security Certified Practitioner (SSCP) credentials to those meeting necessary competency requirements. The CISSP and SSCP are among the first information technology credentials to meet the stringent requirements of ANSI under ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers a portfolio of education-related products and services based upon (ISC)²’s CBK®, a compendium of industry best practices for information security professionals, and is responsible for the annual (ISC)² Global Information Security Workforce Study. More information about (ISC)² is available at .