Channel: Enterprise IT Strategy

Brisbane City Council wins Information Security Award!


Congratulations to everyone at Brisbane City Council for winning the AusCERT 2013 Award for Organisational Excellence in Information Security!

AusCERT Award Emblem

The competition was intense this year: there were 11 nominations and only 3 finalists. I was impressed, and even a bit surprised, that the AusCERT Selection Committee would recognise the achievements of a humble local government organisation. It would have been easy, and less controversial, for AusCERT to have selected a national CERT or an intelligence agency. Instead, AusCERT recognised the achievements of security professionals who are employed in a much less glamorous context but who work diligently, and in some cases largely unnoticed, to address security risk and make vital contributions to improve their organisation.

Brisbane City Council’s ICT Risk, Security, and Compliance Unit leads information security governance and improvement initiatives across the enterprise. However, it is very important to note that an enterprise requires much more than a highly skilled, effective, and professional team of security professionals to achieve its information security objectives. The enterprise also needs:

  • Senior management who understand the value of information security to business success and ensure that adequate resources are available for security governance and initiatives.
  • Staff who develop IT strategy and architecture and directly address security risk in their work.
  • A project management methodology that ensures project managers will seek out information security risk, and act on excessive risks, during solution development.
  • IT service delivery staff who faithfully follow security procedures – even when inconvenient to do so.
  • Account managers who directly engage internal customers and can explain security risk to business stakeholders to help them make informed decisions.
  • Staff at all levels who do not work in the IT area but who have received security awareness training and remain diligent at some level, contributing to reduced information security risk.
  • And more…

It’s fantastic when it all comes together!

AusCERT Award for Organisational Excellence in Information Security

That said, the job is never really complete. The environment is very dynamic and no organisation can afford to take its eye off the ball. There is constant change in terms of the threats, vulnerabilities, technologies, products, use cases, business requirements, and even the enterprise’s own organisational structure and economic environment, which can all adversely affect the control environment. Enterprise advocates for information security must demonstrate an unwavering commitment to the mission to ensure that security risks are effectively mitigated in the future.


