Businesses on all scales from SMB to international corporate have traditionally viewed information security as a technological issue rather than as an aspect of business risk. Its management is most frequently vested in the IT Department, from which it draws both its budget and its emphasis.

Typically, control is fragmented and technocentric, with several narrowly specialist groups independently responsible for the security of different categories of technologies. These groups tend not to communicate well, and nobody puts a price on information as business assets - it’s just viewed generically as ‘data’.

Business risks are rarely translated into terms that are understandable and controllable by those who manage the technologies, so the implementation of both security and regulatory compliance gets reduced to a cluster of uncoordinated reactive technical fixes.

With security operations managed in this piecemeal technocentric manner, you don’t need hackers to precipitate a costly incident. The norm is constant fire fighting. It’s hard, time-consuming and resource-hungry, and its results are both unpredictable and difficult to quantify, so the business can have little confidence in either its level of protection or the return on its investment.

Classic symptoms of technocentric reactive security management include

compliance viewed as a goal, rather than an outcome of sound governance
security policies that mesh poorly with business needs
lack of effective security and compliance performance metrics
inconsistent and inaccurate risk assessments
numerous, and even undetected, security breaches

The most critical threat to corporate information is not hackers or technology vulnerabilities, but failure to manage information risk at strategic level.

If you don't know what information you’ve got, where it is, what it’s worth, how you use it and how it could be jeopardised, how can you possibly protect it?