Having an information security program is the first step in securing an organization’s assets . Thus , ensuring confidentiality , integrity and availability is maintained . However, having an information security program doesn’t imply we are secure and the bad guys wouldn’t cause disclosure, alteration or destruction of our assets . Panseh Tsewole notes we have to ensure our information security program is successful . Yes , we have exercised due care is setting one up . It is critical we move beyond doing the right thing and make it successful , there by reducing our attack surface .
Panseh Tsewole believes the breaches we see today can be linked to a failure in the information security program . The information security program must be aligned with the goals, objectives of the organization . This alignment allows us , the infosec pros, to understand the organization . What risks , threats and vulnerabilities are being faced by the organization . Furthermore , the alignment allows us to understand the business aspect of the enterprise . An aligned information security program provides us with knowledge about the appropriate levels of risk , management is willing to accept . Our goal is to ensure that the level of risk is never exceeded .Our risk management strategies will now focus on mitigating the right risks discovered during the alignment process. An aligned information security program also receives strong support from management . A management supported information security program would have access to funding to carry our initiatives to reduce risk . Panseh Tsewole ‘s concludes information security is all about risk management .