Information Security & IT Governance Framework | Assignment Help
Introduction
With the explosion of internet-based applications, the ways of conducting business have changed dramatically. In today’s digital world, organizations are moving towards digitalization, shifting from manual to electronic media as the means of communication, storage and dissemination of data to stakeholders (Schinagl & Shahim, 2020). High dependency on IT has exposed organizations to information security threats. IT has long been seen as the cornerstone for gaining competitive advantage in today’s competitive world. Although new technologies are making things swifter and easier for organizations, they are also making companies vulnerable to unexpected cyber-attacks and information security breaches (Fazlida & Said, 2015).
The information security landscape has been reshaped as it has become a key agenda item in the boardrooms of big companies. Organizations have to compete in ever-expanding dynamic environments while dealing with a disruptive world by embracing digital technology. As organizations adopt digital business strategies including the internet of things, blockchain, artificial intelligence and cloud computing, information security has changed from being an isolated issue to a key strategic business challenge. Information security management is a key aspect of IT governance as it forms the basis of privacy, risk management and IT governance (see figure below).
Source: (Deane, Goldberg, Rakes, & Rees, 2019)
Information security, IT security and IT governance all form a common part of Information Security Governance. Information security encompasses the collaborative efforts made by firms to protect data and information systems from inappropriate access, modification, destruction and manipulation in order to ensure the integrity and confidentiality of the data and systems (AlGhamidi, Win, & Vlahu-Gjorgievska, 2020). Information security governance includes the set of responsibilities and practices exercised by upper and lower management alike with the common goal of providing strategic direction. It includes the ways through which organizations proceed towards achieving objectives while minimizing the risks of information breach.
Information security governance includes all the tools and processes that ensure that the organization has implemented security that meets the organizational needs. It requires the organization to set roles & responsibilities, defined tasks and performance measurements (Deane, Goldberg, Rakes, & Rees, 2019). There are several challenges that companies are facing today in the name of organizational information security. Information security holds prime importance in organizations because IS incidents and breaches of security can directly impact businesses and can halt operations. The grave challenges facing the organization include security breaches and cyber-attacks. In order to analyze the problems, challenges and solutions related to cyber-attacks and information security in organizations, the role of information governance will be discussed critically using previous studies.
Critical Literature Review
The threats of information breach and cyber-attacks are increasing as organizations move towards digital business strategies that require a high level of technological deployment (Karanja, 2017). By shifting business operations towards digitalization, organizations have to fully embed IT into business operations (Wu & Saunders, 2016). Leading organizations including Airbnb and Uber are prominent examples of how the distance between the physical world and the digitalized IT world has been minimized (Schinagl & Shahim, 2020). Due to these advancements, the gap between security and business operations has somewhat narrowed. According to Wu & Saunders (2016), due to the shift towards digital technology, firms are now required to embed information security into the whole IT governance structure so that business challenges can be met successfully.
Fazlida & Said (2015) reviewed the growing emergence of information security threats that need to be integrated into the organization's corporate governance and IT governance structure. According to the authors, the proper management of Information Security Policy can aid IT governance by providing assistance and assurance in terms of integrity, confidentiality and availability of information. Firms that fail to formulate IT security systems are prone to cyber-attacks that can lead to financial, reputational, client and partner losses and might result in litigation and government sanctions (Berkman et al., 2018). According to Hasbini et al. (2018), cyber-attacks can also limit the firm’s innovation capability and might make it lose its competitive edge. For instance, information security breaches might lead to a negative market reaction and can cause the value, goodwill and materiality of the firm to fall (Higgs et al., 2016).
According to Georg (2017), many firms have been seen to experience a deterioration in market value of 1 to 2.1% following the announcement of an information security breach. Scholars have been finding evidence of a strong negative correlation between a firm’s overall value and the number of information security incidents (Berkman et al., 2018; Higgs et al., 2016). Deane et al. (2019) calculated the impact of the announcement of an information security breach on the market value of small and large firms. The study concluded that IT investments in a governance structure to oversee security breaches can have a positive impact on the market value of smaller firms. It was identified that the market tends to react positively to information security certification and IT governance strategy (Deane, Goldberg, Rakes, & Rees, 2019).
Damenu & Beaumont (2017) argued that the recent outbreaks of cyber-attacks and security concerns have pushed corporate boards to form sound IT governance strategies that include information security protocols and guidelines. The authors also stated that senior executives play an important role in implementing a sound and strong IT governance structure for limiting cyber-attacks. Kemp (2018) also performed a study analyzing customers’ expectations regarding cyber security and information leakages. The study concluded that with ongoing information security breaches, customers increasingly expect corporations to take steps to protect their security and privacy. As a result of these rising needs, several laws and regulations including the General Data Protection Regulation have emerged to strengthen the rights of customers to data protection (Romansky, 2017).
Tan et al. (2017) conducted a study analyzing information security as a part of the IT governance structure in organizations. The study revealed information security strategy to be the cornerstone of the overall IT governance strategy, in which information security could be seen as a way of mitigating IT risks. Tan et al. (2017) also argued that information security has a fluid and dynamic meaning because of the ever-changing socio-technical environment. Schinagl & Shahim (2020) viewed information security governance as a subset of IT governance in organizations today. According to the authors, information security controls, when implemented in organizations, play a pivotal and vital role in ensuring that the controls are being implemented while the potential risks of breaches and threats are being minimized.
Rebollo et al. (2015) viewed information security governance as a leading path through which companies can gain control of their security processes. By forming an information security governance strategy, firms can ensure that the security processes are in alignment with the overall business strategy. Schinagl & Shahim (2020) also argued that although information security is a subset of the IT governance structure, little attention has been paid to it.
Damenu & Beaumont (2017) discussed the role of a supportive security culture in combination with corporate governance structures for resolving issues concerning information security threats. According to Fazlida & Said (2015), firms must seek to develop a sound IT governance system with subsets of information security protocols in order to achieve a competitive edge, client satisfaction and trust creation. Ghamidi et al. (2020) carried out a systematic literature review for establishing a sound information security governance framework in order to align IT governance strategies, corporate governance strategies and information security policies. The review by Ghamidi et al. (2020) pointed towards developing a holistic framework of IT governance that connects organizational objectives, communication strategies and information protection while ensuring compliance with procedures and guidelines.
Kauspadiene et al. (2017) reviewed the possibility of forming cyber-oriented IT governance models in which attention must be given to the increasing threats created by digital communication and data dissemination. The authors' model was based on the establishment of security systems that must consider collaborative systems, multiple partners, third-party applications and outsourcing. The authors proposed that businesses form an integrated, holistic framework that should be self-sustaining so that it could prevent cyber-attacks and information theft. Moghadam & Colomo-Palacios (2018) also pointed towards the formation of information security governance systems that entail risk management, security management and process management in order to uphold the business value of the firm.