Security that works starts with the right business decisions

Posted on September 6, 2011 by Tim Burke

Effective information security is gravity-fed: It starts at the top and works its way down, always beginning with a strategy explicitly designed to protect business value. That strategy then gets implemented via an over-arching security policy or plan.

Developing information security strategy and policy centers on making the right business decisions. Once you do that, what seems the most daunting part of information security — choosing the appropriate technologies — becomes much more transparent.

So way before you choose or change security technologies, products, or services, you need to ask some basic strategy and policy questions — and keep asking until the answers you can formulate make business sense.

Answers responding to every concern you have about security can and should be translated from techno-speak into comprehensible, business-centric terms and concepts. Your goal, after all, is to justify all of your spending on information security based on its ability to protect business value.

In your search for answers, begin with Question #1: Who’s in charge of our information security?

In my next blog post, I’ll lay out 6 key questions you need to ask about your data and who will get access to it. These questions are not technical. And the answers to them should likewise be non-technical and jargon-free.