Anyone who has ever had a password stolen or a website hacked knows the importance of information security. Unfortunately, some businesses do not recognize how grave this risk is until a breach occurs. Jessica Santana offers three takes on why such a gap exists between IT security and business.
Santana suggests that the lack of priority placed on security policies is a recurring issue:
The purpose of security policies is to state how an organization plans to protect its information/information technology assets. Security policies need to ensure that new projects being introduced align with policies that support it. These policies need to be detailed, current and flexible so that changes can occur when necessary. One example of how security policies stop organizational performance is the Department of Defense (DoD) and how their outdated policies sometimes stopped them from taking advantage of new technologies.
The second reason she gives for why this gap exists is that security professionals are not always able to address key personnel to determine strategic objectives. There is simply a lack of understanding as to how IT professionals should support business objectives. Metrics are the final issue she highlights. Put simply, it is sometimes difficult for an IT person to explain something in their own terms to a business person, and vice versa. Even though tools exist to facilitate these communications, those tools tend to be too expensive. Without options to bridge the gap between IT security and business, that gap can only widen.