How Does Information Security Contribute to Success?
Consideration of Abraham Maslow's famous hierarchy of needs could be helpful here. As you'll likely recall, Maslow defined five levels of needs, physiological, safety, love, esteem, and self-actualization. The first of these needs, physiological, includes such things as air, water, and food. These must be satisfied to sustain life. Once these needs have been met, the next level of needs arises, safety. When addressing our need for safety, we establish a sense of stability and consistency in the world around us, and we have the ability to manage and to overcome adversity. Maslow's higher-level needs then move on to love and acceptance, a sense of belonging to something larger than ourselves. The fourth level of need is esteem, where we feel good about what we are doing, and are recognized for our efforts. Finally, the highest-level need is self-actualization, where we realize our potential, and become all that we possibly can be, the best that we have to offer.
While Maslow's hierarchy of needs was constructed to explain how people progress toward unselfishness, the hierarchy also makes sense when being applied to organizations. First, organizations are simply made up of groups of people, aligned toward a goal. Second, organizations do function largely the same way. Without the “physiological” needs--those necessary to sustain “life”--being satisfied, the organization cannot continue. Instead of food and water, organizations need such things as capital and people. Safety needs include the ability to establish an operating environment that will allow the organization to deal with adversity. INFOSEC fits into this second level--achieving information security will allow an organization to deal with the kinds of dangers that could kill an organization whose basic day-to-day work is the management of information.
Moving then into acceptance, organizations have made a mark for themselves, where people understand what the organization is, and how it fits in with the landscape. Esteem of a company is really the esteem that the employees. Things like recognition for good work done fulfill this need. Finally, at the highest level, the organization becomes all that it can be, where its mission statement is achieved in some real sense, where it is offering all that it possibly can to the world around it.
To be able to achieve their missions--to reach self-actualization--organizations must satisfy the lower-level needs. Notice that issues such as safety and security fall into the second of Maslow's five levels. To an information-based organization, INFOSEC must be satisfied not after it has become all that it can be, not after it has been recognized for its work, and not even after establishing itself as a player in the marketplace. The need for information security must be satisfied at the second level, immediately after basic issues of survival.
INFOSEC thus provides the ability for the organization to establish a sense of order in the world around it. Only after this has been achieved will the organization be able to navigate successfully through the world toward some higher-level objective. This is, incidentally, the same level as an organization's physical security. You cannot stay in business if you do not take precautions to prevent thieves from breaking into your office and stealing your company's equipment.
Once INFOSEC has been achieved, the organization will be free to move on to establishing a place for itself in the marketplace, to be recognized for its good works, and to become all that it can.
When considered in this light, INFOSEC should seem less esoteric. At the same time, the requirements of an INFOSEC program in your organization should become more clear. Understanding the role of INFOSEC in an organization's quest to self-actualization and our understanding of how technology and policy work together to achieve information security, we can see several requirements for any successful information security program:
- It must be in harmony with the organization's highest-level objectives;
- It must be given clear direction so that conflicts that will arise (such as functionality vs. risk) can be resolved properly;
- It must correctly identify the information that is critical to the organization (what is it that we're trying to protect?);
- It must understand the operating environment of the organization, including not only objectives and policies, but culture and technology;
- It must result in the kind of stability that allows people in the organization to stop worrying about the information itself, and to focus on higher-order needs.
A good information security program should simply allow the organization to manage the risks that it will most likely face, thus providing the kind of stability needed for it to go about the business of achieving its ambitions. In this way, INFOSEC is just as critical a piece of the overall formula for success as a viable offering, a good marketing plan, and the ability to accept customer payments.