2. Information, IT and Competitiveness – The Case for ISO 27001

Chapter 2. Information, IT and Competitiveness

Executive summary

Information security is essential if your organization’s productivity and competitive position are to be protected.

Academic research

Academic research[3] largely confirms the view that the growth in western economies since 1995 can largely be linked to the deployment and use of information technology. Studies, and experience, suggest that this growth is sustainable.

Other studies[4], focusing on specific industries (e.g. finance), concluded that there are circumstances where further IT investment will not provide competitive advantage over other firms in the sector, but that investment is nevertheless essential just to stay in the race.

Productivity improvements and competitive edge are the two overwhelming reasons for pursuing IT investment. No board invests in IT because it’s fun: the investment has to pay off – even if it only pays off in terms of keeping up with the competition.

It is also clearly the case that there are many new, innovative businesses identifying new ways of deploying information technology, creating new business models that conceivably will destroy many existing businesses. Of course, not all of the new business models will survive but some, like Amazon for instance, force a whole sector to redefine how it does business.

Competitive environment

Survival and success in today’s business environment requires inventiveness and adaptation; Bill Gates says: ‘Microsoft is never more than two years away from failure.’ You’ve got to innovate, find new markets and products, new ways of adding value. You’ve also got to execute current strategies flawlessly just to make sure you’re still in with a chance at the new ones.

And flawless execution, in the information economy, depends on the productivity and effectiveness of your human capital, your staff. You have to simplify their working environment, remove problems and barriers, and give them the information and information technology tools they need. In the same way that you want any new computer systems to be capable of interacting with the old, so that information doesn’t have to be transferred laboriously from one to the other, so you should want new computer systems to work smoothly and efficiently: no data losses, no corruption, no downtime.

And that means that information security ought to be built into your information systems infrastructure from the outset. In order for your people to work productively and effectively with information, they need to be able to get at it, it needs to be there, and it needs to be safe. This means that your default information system security setting ought to be: information availability is preserved (no viruses, no attacker-created system or computer downtime, no data destruction, whether deliberate or accidental), as is its confidentiality (no exposure of information to people who shouldn’t see it) and its integrity (no data corruption, whether deliberate or accidental).

Software is imperfect (but industrial machinery also broke down); it has vulnerabilities that can be exploited or which can cause problems. The speed with which hardware and software evolve means that we are unlikely to stand still long enough for any one hardware and software platform to become completely secure and stable – because, by the time it was, everyone would have moved on to using a more up-to-date (although less secure) alternative.

It simply makes sense, for any competitive business, to take appropriate steps to ensure that its valuable knowledge workers can use its information technology infrastructure without fear or hindrance. Technology should be ubiquitous and safe. ISO 27001 enables you to achieve that.

ISO 27001

In the unsafe information economy, ISO 27001 goes one step further. It tells your potential customers, employees and partners that your information systems are – to a recognizable, externally audited, international standard – safe and secure, that yours is an environment in which they will be able to work productively and efficiently and, because you have proved that you can be trusted with information, that your organization is good to do business with. Information security and reputation go hand in hand.

[3] See (for instance): ‘Information technology and productivity: where are we now and where are we going?’ (http://ideas.repec.org/p/fip/fedgfe/2002-29.html), published by the Board of Governors of the Federal Reserve System (US) in 2002

[4] See (for instance): ‘Examining the contribution of information technology toward productivity and profitability in US retail banking’ (http://fic.wharton.upenn.edu/fic/papers/97/9709.pdf), published by the Financial Institutions Center of Wharton University, 1997