It’s easy to tumble backwards into information security, to let yourself get sidetracked into arcane, hard-to-follow discussions about the innards of technologies and products when in fact you need to be thinking through higher-level strategy and policy.
If, for instance, you don’t actually know yet whether your business would benefit from using encryption, listening to the sales pitches of competing encryption product vendors is a waste of time.
So start with straightforward, non-technical questions that your IT people should answer in a straightforward, non-technical way. When they backslide into techno-babble, make them translate (they can use the practice).
- What data is business critical? What data is sensitive? Who ‘owns’ or has access to our business-critical data? Our sensitive data?
- What sort of assurances of confidentiality and integrity do we need to provide for each type of data?
- How long do we want to retain data?
- How do we want to control data access and permissions?
- How do we want to authenticate users?
- What kind of security training should we provide employees?
You’ll also want to pose questions about the security of your information infrastructure as well as how to cope with cloud computing and social networks. Check my next post for those 9 questions.