
1. INTRODUCTION

Due to constantly increasing threats to the security, integrity and availability of organizational information, theorists have presented a number of studies on information assurance (IA), or different aspects of IA, in the literature (Baskerville, 1991; Kankanhalli, Teo, Tan, & Wei, 2003; Miller & Engemann, 1996; Zviran & Haga, 1999). Indeed, there has been a call from both government officials and in the academic literature to place security issues—often the most discussed element of IA—at a more senior level (Dutta & McCrohan, 2002). The legal environment is also changing, and continuing concerns regarding individual privacy, security of sensitive information, accountability for financial information and corporate governance are driving the development of new laws and regulations to ensure that organizations address potential security problems (Gilbert, 2008; Smedinghoff, 2008). These often include two key legal obligations:

• A duty to provide sufficient security for corporate data and information systems; and

• A duty to reveal security breaches to those individuals or businesses who may be adversely impacted by these breaches (Smedinghoff, 2005).

Address correspondence to Elspeth McFadzean, Henley Business School, University of Reading, Greenlands, Henley-on-Thames, Oxfordshire RG9 3AU, United Kingdom. E-mail: elspeth.mcfadzean@henley.reading.ac.uk

Some theorists have suggested that information assurance should be undertaken as part of the corporate governance procedures and, as such, should be the responsibility of the board of directors (Birchall, Ezingeard, & McFadzean, 2003; Von Solms, 2001a). In fact, organizational compliance regulations that cover IA are increasingly expanding. In the United States, the Sarbanes-Oxley Act is seen as a key driver of IA efforts at senior levels for publicly traded companies (Linkous, 2008). Thus, according to the National Cyber Security Partnership Governance Task Force (2004, p. 12):

The board of directors should provide strategic oversight regarding information security, including:

1. Understanding the criticality of information and information security to the organization.

2. Reviewing investment in information security for alignment with the organization strategy and risk profile.

3. Endorsing the development and implementation of a comprehensive information security program.

4. Requiring regular reports from management on the program’s adequacy and effectiveness.

IA efforts can, however, be criticized for hampering business strategy and introducing restrictions to creativity, entrepreneurship and responsiveness. Organizations therefore need strong alignment between IS, IA and corporate strategies so that they can more effectively address the above legal and regulatory challenges (Ezingeard, McFadzean, & Birchall, 2005). In other words, organizations cannot view information assurance as an autonomous entity but as part of a holistic enterprise-wide framework that includes corporate and information strategies. A key advantage of developing IS, IA and corporate strategies at such a high level is the ability to build alignment between them. Senior executives are in a better position to gain a complete overview of the company, its goals and its processes (Lohmeyer, McCrory, & Pogreb, 2002). In addition, they have the authority to ensure that these plans are implemented effectively (Kankanhalli et al., 2003; McFadzean, Ezingeard, & Birchall, 2006).

Unfortunately, there has been little research undertaken in the area of IA alignment. The aim of this article, then, is to ascertain what specific methods and processes can be utilized by management in order to strengthen the alignment of IA, IS, and corporate strategy. To this end, we have used the Delphi Technique to determine these actions. We have also asked the expert panel to rank both the desirability and the feasibility of these variables.

This article is structured as follows. The next section discusses the importance of information assurance and its alignment to IS and business goals. Moreover, a brief review of the alignment literature is presented. The methodology and research design are then described. This section discusses the use of the Delphi Methodology as well as the design of our study. Subsequent sections present the results of the project and discuss the methods for strengthening IA and business alignment. Finally, some implications for managers are considered.
