Ideally constructing a building (e.g. house), you start from 0 to 100, i.e. build a foundation, erect the structure then fit the windows, roof and finish off with the cosmetic tasks like painting, plumbing etc. While this kind of building up is ideally and feasible for physical construction of things like e.g. a house, aeroplane etc, might not be so ideally for building business information security programmes, given that information security for years, have been an afterthought practise e.g. systems were developed and then security folks been asked to add-on security controls or a layer of the security on top of insecure system, and this was not security by design or security by default.
While for the most organisations I have had an honour to visit or assess, they may have a formalised security programme or information security management system (ISMS) where they coordinate the information security activities coherently, or some of them may have not have a formalised security programme at all. The question(s) I have been asking myself, can someone start from the middle or put together whatever you have to have a completed business information security architecture?
YES – I think is the answer to this question according to me and what I have seen so far. In the next post, I will expand more on how the organisation can start in the middle and complete their business security architecture.