2. INFORMATION ASSURANCE ALIGNMENT
2.1. Information Assurance as a Strategic Necessity

The UK Information Assurance Advisory Council (IAAC) defines IA as “a holistic approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation” (Anhal, Daman, O’Brien, & Rathmell, 2002, p. 7). In other words, information assurance attempts to avoid security problems rather than fix them after the fact (Austin & Darby, 2003). Furthermore, a comprehensive conceptualisation of information assurance ensures that the information systems supporting an organization’s transactional and transformational needs are kept operational and secure. This requires a complete view of the organization’s vision as well as its current information needs and systems. Additionally, IA specialists need to understand how value is created from information and how it can be used to enhance the organization’s success. As a result, Ezingeard, McFadzean, and Birchall (2005, p. 23) suggest that IA is a method for “determining how the reliability, accuracy, security and availability of a company’s information assets should be managed to provide maximum benefit to the organization, in alignment with corporate objectives and strategy.”
McFarlan (1984) and Ward (1988) propose that an issue is strategic if it has the potential to impact on the business as a whole. Thus, in this sense, information assurance can be defined as a strategic issue—and, therefore, should support corporate strategy—because the consequences of IA policy decisions can affect the entire business. For example, an ill-considered or poor IA strategy could result in
• Damage to a firm’s reputation (Chellappa & Pavlou, 2002; Logan & Logan, 2003).
• Financial loss due to poor controls (Dhillon, 2001; Ward & Smith, 2002).
• The inability to operate, loss of business and a reduction in share price on the stock markets (Campbell, Gordon, Loeb, & Zhou, 2003; Ettredge & Richardson, 2002, 2003).
• A restriction of information flow causing poor customer service and loss of business over time (Cerullo & Cerullo, 2004; Sanderson & Forcht, 1996).
• Prohibitively high costs and the possibility that the organization may not survive the disruption (Garg, Curtis, & Halper, 2003; Logan & Logan, 2003).
• The migration of customers to competitors because of the inconvenience or risk of inadequate security, failing computer systems, lack of stability and poor reliability (Cockcroft, 2002; Hazari, 2005).
Information assurance is not just a technical problem. Dutta and McCrohan (2002) suggest that it rests on three key areas, namely critical infrastructure, organization and technology—and that it is the responsibility of managers to ensure that these three areas are aligned. Consequently, Dutta and McCrohan state that if information assurance is left to the IS function alone, only one of these areas—technology—will be strengthened. Furthermore, recent attacks on buildings—the World Trade Center being a prime example—show that critical infrastructure and organizational issues are just as important as the technical side. Information security is therefore not just a problem for a series of single organizations. Rather, it is a national—indeed, global—challenge.
Organizational issues—including culture, structure, politics and the business environment—can also have an impact on information assurance. For example, certain organizations will not see the necessity to promote strict information security, while others—such as companies that focus primarily on e-commerce—are likely to perceive information security as a key factor and will be aware of the potentially significant implications of a breach. On the other hand, small organizations, or those that do not rely significantly on inter-organizational information exchange, will be less concerned with stringent security procedures (McFadzean, Ezingeard, & Birchall, 2007). In fact, a survey undertaken in the UK by BERR (2008) found that 10% of companies that accept payment on their websites do not encrypt the information. Furthermore, 52% do not carry out even an informal risk assessment, 67% do not prevent confidential data being downloaded onto memory sticks, and 78% of companies that had computers stolen had not encrypted the hard discs.
104 E. MCFADZEAN ET AL.
In addition, the advent in the USA of the Sarbanes-Oxley Act, which holds executives personally liable for the accuracy of financial results—together with equivalent government guidelines in other countries—could potentially prepare the way for similar liabilities for all types of compliance issues. This is a growing problem, particularly because of the increasing anxiety amongst consumers regarding information privacy (Stewart & Segars, 2002; Swartz, 2003; Viton, 2003). The latest survey undertaken by Ernst & Young (2007) suggests that regulation and compliance are now the leading drivers of information security investment. Indeed, 82% of managers now believe that information security positively contributes to the value of organizations rather than being merely an IT overhead. Under section 302 of the Sarbanes-Oxley Act, the chief executive and chief financial officers of public companies must personally certify the existence and effective operation of disclosure controls and procedures. Additionally, they must declare that they have disclosed any substantial control deficiencies, or any significant changes to control systems, to their audit committees and independent auditors (Damianides, 2005).
Sixty percent of the respondents in the Ernst & Young (2007) survey also indicated that information security is instrumental in facilitating strategic initiatives. Likewise, the academic literature emphasizes the need to ensure that information assurance is seen as a corporate governance issue (Von Solms, 2001b; Von Solms & Von Solms, 2004). This gives the organization a more holistic view of security and includes the development and implementation of risk planning models, security awareness programmes, countermeasure matrix analysis and the construction of a security architecture that closely relates to the requirements of the business (Sherwood, 1996; Straub & Welke, 1998). Furthermore, it helps to integrate IA policy with multiple functional levels within the firm, aids both communication and control, and provides a framework for feedback. It also links key IA and business issues such as corporate goals, legal and regulatory processes, best practices and the IT infrastructure (Cresson Wood, 1991; Higgins, 1999; Lindup, 1996; Posthumus & Von Solms, 2004). Moreover, information assurance needs to be aligned with both corporate and information strategy so that the appropriate organizational assets and processes can be protected effectively without investing in security procedures in areas where they are not needed. Organizations should also seek to balance IA regulations against corporate objectives: too much restriction reduces business effectiveness, and too little leaves the organization vulnerable to data loss or malicious attacks. Finally, information assurance can only work if stakeholders are aware of the risks and comply with the stated regulations. There is an increasing level of engagement between IA professionals and other stakeholders such as external auditors, lawyers, human resource managers and government agencies. Therefore, it is essential that information assurance is seen as a holistic discipline with senior management support and is championed together with the organization’s objectives. Stakeholders are more likely to comply with the regulations if they are aware of the potential consequences to the business’s objectives—and to their own roles—if the regulations are not followed effectively. Hence, information assurance must become a concern from a corporate governance and strategic alignment perspective and should rise to the highest levels of the organization (Dutta & McCrohan, 2002; Ezingeard & Birchall, 2004; NACD, 2001; Von Solms, 2001a).
2.2. The Importance of Alignment

The alignment of separate functional strategies—such as information technology and human resources—with corporate strategy has consistently been found to be one of the concerns of top management for the past fifteen years (Brancheau, Janz, & Wetherbe, 1996; Niederman, Brancheau, & Wetherbe, 1991; Youndt, Snell, Dean, & Lepak, 1996). As a result, a great deal of research has been undertaken in this field, especially on the relationship between the IS and business functions and the antecedents that influence this relationship (Brown & Magill, 1994; Kearns & Lederer, 2003; Luftman & Brier, 1999).
Segars and Grover (1998, p. 143) define alignment as the “close linkage of IS strategy and business strategy.” This process encourages both areas to work together as partners and not, as Smaczny (2001) suggests, as a leader and a follower, with the IS strategy developed after the business strategy. Rather, both strategies are developed together, at the same time.
Reich and Benbasat (2000) argue that alignment is neces- sary for organizations so that they can take advantage of their IT opportunities and capabilities. Kearns and Lederer (2003) also found that sharing knowledge between the two functions, in order to devise an IT strategy that reflects the business plans, can create competitive advantage.
Unfortunately, little research has been undertaken on the alignment of information assurance with either information strategy or corporate strategy. There have been calls for better governance in this field (Dutta & McCrohan, 2002; Entrust, 2004; IAAC, 2003; Von Solms, 2001a), but little mention is made of the links between the three areas. However, theorists do recognize that IA is a holistic process involving complex links between technology, executive governance, human behavior and environmental factors (Backhouse & Dhillon, 1996; Baskerville & Siponen, 2002; Ettredge & Richardson, 2003).
Many organizations develop their information security policies in conjunction with their information systems strategy (Knapp & Boulton, 2006; Tsohou, Karyda, Kokolakis, & Kiountouzis, 2006). However, the volume of security-related incidents, and their associated costs, continues to rise (Chang & Yeh, 2006), which suggests that crucial information assurance issues are being buried in the IS strategy and are not being communicated to the board when necessary. Indeed, van Opstal (2007, p. 6) found that “A preponderance of board members report that boards are under-informed about operational risk”, which, in turn, can cause catastrophic problems, as organizations such as Barings Bank, TJX and Société Générale have found to their cost (see Section 1.3.1). Security is both a human resource and an organizational concern, and includes other, non-IS factors such as staff motivation, awareness and training; ethics; compliance and legal issues; integration; stakeholder analysis; and information sharing and collaborative mechanisms (Hinde, 2003). Thus, companies cannot afford to hide security and compliance issues within IT strategy. Information assurance must be seen as a separate, holistic and transparent component, which is communicated in its own right to the appropriate stakeholders.
INFORMATION ASSURANCE AND CORPORATE STRATEGY 105
2.3. Improving IA Alignment

Aligning information assurance strategy with IS strategy and business strategy is not simply a case of developing all three strategies together. Rather, it involves gathering relevant information, developing relationships between functions and constructing appropriate processes and practices. The literature presents a variety of methods for improving the links between specialist functions such as IA and IS and the general business functions (Chan, 2002; Luftman & Brier, 1999; Sabherwal & Chan, 2001). These can be divided into four categories, which correspond to the stages of the strategy process: development, planning and implementation, control, and feedback (Cohen & Cyert, 1973; Frolick & Ariyachandra, 2006; Hansotia, 2002; Kolokotronis, Margaritis, Papadopoulou, Kanellis, & Martakos, 2002; Montealegre, 2002). These are
• Developing goals and critical success factors—the initial stage of strategy formulation includes the determination of the future direction and performance of the organization (Bryson, Ackermann, & Eden, 2007; Preble, 1992), as well as the functions—such as IA—required to fulfil them.
• Constructing or improving strategy alignment— the next stage of strategy formulation involves the identification of the processes, management and skills required for fulfilling the goals and critical success factors (Barney, 1991; Henderson & Venkatraman, 1993).
• Measuring and reporting practices—after the strategies have been developed and implemented, a review of performance is generally undertaken and corrective actions carried out, if necessary (Daft & Macintosh, 1984; Govindarajan, 1988).
• Evaluating and communicating strategic information to the board—appropriate feedback pertaining to strategy implementation and performance is communicated to the board (Raghupathi, 2007; Siebens, 2002).
In order to ensure alignment, strong links between business, IT and IA goals, critical success factors and strategies are essential. Furthermore, control and feedback will have an impact on strategy and, as a result, will also influence alignment. Finally, the organization’s environment—such as its competition, markets and resources—will help to shape strategy, too.
Improving information assurance alignment is discussed in more detail below using these four categories (see Figure 1).
FIG. 1. IA Strategy alignment model.
2.3.1. Developing IA Goals and Critical Success Factors (CSFs)
Three predominant IA goals and CSFs are mentioned in the literature. These are
• Anticipating threats to the organization and its goals—a breach in information security can have a severe impact on the organization (Logan & Logan, 2003; McHugh, 2001). For example, TJX—the owner of the retail discount stores TJ Maxx and Marshalls—failed to comply with the Payment Card Industry Data Security Standard (PCI DSS), which was established by the major credit card companies and sets minimum security expectations for organizations that handle cardholder data. TJX initially failed nine of the twelve compliance requirements and over a two-year period avoided responsibility for improving its security. Because of this lack of diligence, TJX’s credit card data was breached by hackers: over 94 million card records were compromised, and TJX had to provide a $41 million settlement fund to compensate the affected customers and banks (Burnes, 2008; Chickowski, 2008). This example shows that TJX did not have suitable security controls in place to fulfil its business objectives effectively.
Likewise, Société Générale lost approximately €4.9 billion ($7.2 billion) due to unauthorised derivatives trading—the result of insufficient risk management information. PricewaterhouseCoopers reported that the bank had “a heavy reliance on manual processing and the workload of operating staff meant that certain of the existing controls in place were not operating effectively” (Sandman, 2008, p. 4). As a result, the bank failed to anticipate the potential threats to the business from its own staff (Vijayan, 2008). Moreover, Société Générale is not the only bank to have suffered from risky behavior by employees. Barings Bank, Bear Stearns and Credit Suisse have all suffered financial losses attributed to employee misconduct, mismanagement or negligence that were not caught in time by appropriate controls (Wailgum & Sayer, 2008).
Anticipating and preventing informational threats is, therefore, vital for ensuring continuity of working practices. Thus, an information assurance policy that is linked to business goals and communicated to employees is an important weapon for preventing potential threats. Whitman (2003, p. 92) states that “The security policy is the first and potentially the most important layer of security available to the organization.” This policy contains the organization’s basic security philosophy, which dictates subsequent decisions, procedures and guidelines, including prevention measures.
• Communicating IA procedures to the organization—employees expect to gain strategic direction from their senior executives. They need to understand what changes to expect, the reasons behind these changes and how they will influence their own work (Edwards, 2000). As a result, senior managers need to be the champions of employee communication (Powers, 1996). In its guidelines, the Turnbull Report (Turnbull, 1999, p. 13) suggests that boards of directors may wish to consider whether the company “communicates to its employees what is expected of them and the scope of their freedom to act.” In addition, line managers must develop strong, ongoing relationships with other functional managers. For example, the managers responsible for the IA, IS and business functions must communicate with one another so that IA, IS and business capabilities are integrated effectively at all levels of the organization (Rockart, Earl, & Ross, 1996). IA procedures can also be communicated to staff through awareness and training programmes, which can cement the organization’s basic security philosophy into its culture (Dutta & McCrohan, 2002).
• Responding to the changing environment and organizational needs—today’s rapidly transforming business environment tends to encourage greater flexibility and change within organizations. Reengineering programmes, altering management information flows, redesigning business processes and developing new, innovative products and services all require substantial input from information assurance experts (Dhillon & Backhouse, 2000; Rockart et al., 1996). In addition, it is important that information assurance issues do not constrain these changes by increasing bureaucracy, rigidity and centralisation of security policies. Baskerville and Siponen (2002) therefore suggest that organizations should develop a more flexible meta-policy that provides guidelines on how security policies are created, implemented and enforced. This enables security countermeasures to keep pace with the organization’s business requirements.
2.3.2. Constructing or Improving IA Strategy Alignment

Many studies on alignment have been based upon the seminal work of Henderson and Venkatraman (1993), in which they present a model illustrating the link between IT and business strategy. This was constructed using two concepts, namely strategic fit and functional integration. The former concept acknowledges the need to address both the internal and external business domains in order to develop alignment. The external domain includes the organization’s marketplace and is concerned with aspects such as the company’s products, marketing and customer information as well as other external factors such as competitors. The internal domain, on the other hand, is concerned with factors such as the company’s structure, culture and processes.
Henderson and Venkatraman suggest that the fit between the internal and external domains is critical for maximising organizational and economic performance. They argue that failure to derive success from IT is frequently due to a lack of such alignment. For instance, IT strategies are often unsuccessful because of poor supporting infrastructure and/or poorly skilled human resources. Thus, strategic fit is a key driver for success.
This article is based on the premise that information assurance should also be part of the strategic fit (see Figure 1). Like Henderson and Venkatraman, we suggest that the position of the company in the IA external domain will involve choices in three areas:
• The extent of the organization’s willingness to ensure prevention of threats and the security of data—in other words, what are the specific technologies, processes and systems required by a company in order to defend against potential threats so that its business objectives can be fulfilled?
• Systemic competencies—what attributes of IA strategy could positively contribute to the development of a new business strategy or could more effectively support