Security is essentially about managing certain categories of operational risk, typically referred to as ‘CIA’ — Confidentiality, Integrity and Availability.
Standards, such as ISO27001, provide best-practice guidance in designing, setting up, operating, and improving institutions and procedures, based on risk management principles. These are known as Information Security Management Systems.
However, it is just as vital to take security into account when designing normal business processes. Security tends to be the ‘Cinderella’ requirement, considered belatedly as an add-on, or retrospectively, as a result of a breach or a near miss. As a result, conflicts between security and, for example, productivity, are not...