Last year I stumbled upon a concerning reality for many IS professionals.

For many of the people I spoke to, the responsibility for Information Security had been unceremoniously dumped on them and they had no idea where to start or what ‘good’ looked like.

I believe there are three reasons for this:

  1. Information Security issues are indiscriminate.

We are constantly bombarded by the media, co-workers, family, and friends about the effects of Information Security issues. Whether we are at work, home or play, we all have a degree of exposure to these issues.

Everyone is concerned and everyone has an opinion, so it’s easy to see how the IS problem can become overwhelming.

  1. Standards do not act as a ‘how-to’ guide.

Current Information Security standards, at best, offer high-level checklists and motherhood statements, but do not deliver specific ‘how to’ guidance. Without experience, it can be incredibly difficult and time consuming to drive effective Information Security processes based on Standards alone.

  1. Archaic Information Security methods are being passed down to budding Information Security professionals.

Many IS practitioners are still using outdated methods based on asset and threat analysis which, quite simply, do not work effectively. Typically, the end result is an oversized spreadsheet with very vague results – what I refer to as ‘pinning jelly to the wall’.

It might seem daunting, but there is a way to ‘eat the elephant’ with minimal pain. Start with dividing your IS problem into two key parts – Data and Controls.


Information Security is data-centric, not asset-centric.

If you begin by cataloguing your data and assessing its sensitivity, you are halfway there. You only need to bite off small chunks, starting with critical business areas, and it won’t be long before you have the key areas completed. This is a business process that will essentially build a heat map of your organisation, identifying sensitive data, where it is stored and who has access to it.


Once you know the sensitivity of your data, you can then focus on the specific controls needed to secure that data to the required level.

By establishing control effectiveness ratings and applying controls holistically to data within an application context, you can then assess any residual exposures.

Do you have the resources to effectively analyse your data sensitivity and determine the level of controls required to secure your data?

It’s imperative that every IS professional, regardless of their level of experience, has confidence that their organisation’s data is secure. Yes, it can be overwhelming, but there is no need to over-complicate the necessary processes.

For further advice on how you can guarantee that your organisation has full control over its data and that it is fully protected at minimal cost, contact me today.