Ensuring Core Competencies for Cybersecurity Specialists

Gurpreet Dhillon (The University of North Carolina at Greensboro, USA), Kane Smith (The University of North Carolina at Greensboro, USA) and Karin Hedström (Örebro University, Sweden)
Copyright: © 2019 | Pages: 13
DOI: 10.4018/978-1-5225-7847-5.ch007

Abstract

Within an organization, it is critical that all employees possess security awareness and thus play a part in protecting the organization's information assets. Some employees will have key roles and responsibilities and require specific skills to support them. However, organizations can face challenges in recognizing which specialized skills are required and where to obtain them. For this reason, whether an organization chooses to hire new staff, develop existing staff, or outsource the activities altogether, it is necessary to know the type and level of expertise required. To this end, this chapter discusses the need for organizations to understand and identify the essential skills related to cybersecurity so that their employees can develop core competencies in these areas.

Chapter Preview

Introduction

Due to globalization, increased competition, accelerated technological advancement, and lightning-quick communications, today’s businesses are redesigning their organizational structures (Dhillon and Backhouse 1996; 2001; Dhillon and Kolkowska 2011). There has been a dramatic shift away from rigid organizational structures toward more loosely coupled networks. In this environment, Information Systems (IS) security gains new prominence and becomes one of the most important issues businesses face, and technical expertise alone is not enough. For IS security to be truly effective, organizations need to hire skilled and knowledgeable people, develop effective information security processes, and synthesize the two into a seamless system (Dhillon and Backhouse 1996; 2001; Dhillon and Kolkowska 2011). Technical expertise therefore needs to be coupled with a thorough understanding of organizational processes and human behavior in order to meet the challenges of today’s information society (Dhillon and Kolkowska 2011).

The face of business is constantly changing. Owing both to the globalization of commerce and to technological innovation in communication and information exchange, the standard business model has moved away from closed, bureaucratic structures toward loosely coupled networks (Dhillon and Backhouse 1996; 2001). These networks exchange information through a complex system of formal and informal channels, which is very different from the hierarchical exchange of information between internal business units that was typical in the past. The opportunities provided by the opening of national borders, together with rapid advances in information systems, have changed the way in which businesses collect, store, use, and exchange critical and valuable information. As technology developed and allowed companies to analyze data far more effectively and extensively, the value of that data increased drastically (Dhillon and Kolkowska 2011). At the same time, the same technological advances have made information available to a wider audience. This new reality has greatly expanded and changed the context in which IS security is considered.

Extensive research has been done to determine the principles of managing information systems security. Dhillon and Backhouse (2000) cite two sets of security principles which, when combined, create a comprehensive framework for IS security management. The first set refers directly to IS and their physical security, and delineates confidentiality, integrity and availability (CIA) as the three major principles for ensuring secure IS. Confidentiality refers to the prevention of unauthorized disclosure of information; integrity deals with the prevention of unauthorized modification of data; and availability refers to the prevention of unauthorized withholding of data or resources. However, these principles are highly limited in that they treat IS solely as data stored on a computer or in a database. The second set of principles (RITE) therefore complements the first by focusing on the organizational aspects of information flow and exchange within and among organizations.

RITE comprises the principles of responsibility, integrity, trust and ethicality. Responsibility requires that all members of an organization understand their roles and responsibilities. The principle of integrity requires individuals to acknowledge and accept their membership in the organization. Trust is seen as a counterweight to external supervision and control, and thus requires self-control from individual members of the information exchange network; in addition, the principle of trust requires that individuals accept and acknowledge responsibility for the information they access and process. The last principle of RITE, ethicality, stands in contrast to rule-following and expects both individuals and the organization as a whole to act in accordance with commonly accepted ethical practices.