Picture this: you’ve been hacked. The development team is pointing fingers at the CTO, who said they probably didn’t need security policies. The CTO is pointing his finger up at the CEO, who said the budget wasn’t worth it. And the CEO passes the blame over to the employees who didn’t properly screen the new software vendor. Who is the real information security manager? And the cycle continues.
Unfortunately, in this case, most organizations never figure out who was really responsible. The reason? Everyone is an information security manager. Security is best practiced as a group effort. With a strong internal security culture and a clear understanding of who is responsible for which aspect of security, your organization will be in a much better position to react quickly and hold the right people accountable if another attack happens.
Below, we’ll discuss the six principles that everyone involved in your security processes should be aware of. We’ll also describe the people in your organization who are responsible for each piece of the security puzzle!
Simply put, confidentiality ensures that information is protected from unauthorized access. It differs from the broader terms privacy and security in that it is specifically concerned with who may access information.
Confidentiality is one of the most critical aspects of information security and needs to be practiced by everyone within and connected to the organization. Non-disclosure agreements are not enough here, as they’re only a legal tool for direct information sharing between parties. Confidentiality needs to be integrated right into the application(s) that your organization uses so that only authorized users have access to certain information on databases and systems.
Privacy is a slightly broader topic than confidentiality. While confidentiality is about the practice of restricting access to the right information, privacy is specifically about protecting information that relates to a particular person, organization, or project.
In information security, it’s important that personally identifiable information (PII) and other sensitive data are protected from public disclosure. Users accessing an application or system should be able to choose the level of privacy they wish to receive. This may mean integrating controls over how much information an organization can see or use about a user within the system. It also means that organizations need well-defined privacy policies that record the user’s privacy choices. These should clearly outline what will and will not be protected if a user decides to enter the system.
In information security, quality is best measured against industry-recognized standards (e.g. SOC 2) that can attest to the ability of your organization’s networks, systems, applications, and processes to protect information.
Quality can be built by improving on another element from these principles, such as confidentiality, privacy, availability, trustworthiness, and/or integrity. It is essential that information security is valued by top management to see the highest quality of information protection, as top-level management support can provide the budget, time, and efforts needed to properly secure information.
Availability in information security ensures that users are able to access the information they request when they need it. Availability is measured by how easily and how quickly a user can access information. In some cases, availability may also take into account the usability of the information.
In information security, this is important so that users can quickly identify changes when an attacker breaches the system, network, or application.
Trustworthiness, quality, and integrity are all very closely related. In information protection processes, measuring trustworthiness tells you whether the quality of the information matches what is described. An organization’s reputation is a critical factor in determining how far users trust it. Previous breaches, the absence of a privacy policy, misuse of information, and/or limited availability of data will all decrease users’ trust.
Integrity of information is very closely related to trustworthiness. In fact, integrity is one of the ways to build trust in information, because integrity is the consistent reliability and accuracy of the other principles that support information protection. In other words, the integrity of information is measured by how consistently information is delivered quickly, accurately, and according to the confidentiality and privacy guidelines set out by the user.
With cybercrime up 600% since the start of the pandemic and only 16% of companies saying they’re well prepared to deal with cyber risks, you may want to consider how your organization is working to protect itself. Understanding the security roles of various people across your organization is a great first step.
Near the top of the corporate ladder, the CTO or CISO is usually held responsible for the organization’s information security measures. From a strategic standpoint, this person must decide the tactics that everyone else in the organization must commit to in order to build a more secure organization.
Security champions are often not hired only to be security champions. Ideally, everyone in the organization will be one to some degree. This means they will think of security impacts in every decision that they make, and will know how to make the best decision to maintain a secure environment.
However, in most cases, security champions are most prevalent in development teams. It’s ideal to have at least a few people designated to critically think about security impacts as the software is being built. These people may also have additional responsibilities such as leading compliance or security testing initiatives.
While usually only a few members of a development team are designated as security champions, all members of the team should have an understanding of security principles. Being familiar with secure coding principles based on the OWASP Top 10 and how to integrate security testing into the SDLC are good places to start.
There are three main types of security training that can help developers improve their awareness and understanding of information security in application development:
Even your employees outside of your technical teams should have a solid awareness of security. In fact, 95% of cybersecurity breaches are caused by human error, and much of that error comes from outside the technical team.
Many companies already run active phishing campaign tests. Taking it one step further, top-level management can reinforce the importance of security by requiring MFA on all platforms, considering security when choosing any tools they use (such as marketing tools), and practicing healthy password hygiene. Adopting a strong internal security culture sets up all of your employees to become security champions in their own work.
Third parties are a huge area where companies can introduce new risks. Properly vetting your contractors and vendors through security questionnaires will help ensure that your current systems won’t be exposed to a higher risk of attack through a new tool or service that you choose to adopt.